URL Redirection Bug & Possible SQL注射BUG in 佳品网

漏洞概要

缺陷编号:WooYun-2012-011450

漏洞标题:URL Redirection Bug & Possible SQL注射BUG in 佳品网

相关厂商:佳品网

漏洞作者:Gunther

提交时间:2012-08-28 15:29

公开时间:2012-09-02 15:29

漏洞类型:SQL注射漏洞

危害等级:低

自评Rank:5

漏洞状态:漏洞已经通知厂商但是厂商忽略漏洞

Tags标签:

漏洞详情

披露状态:

2012-08-28: 细节已通知厂商并且等待厂商处理中
2012-08-28: 厂商已查看当前漏洞内容,细节仅向厂商公开
2012-09-02: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

There are URL Redirection Bugs & Possible SQL注射BUG in 佳品网

详细说明:

Possible SQL注射BUG is found here:http://www.jiapin.com/listgoods/index/cat_id/+union+select+1,2,+--http://www.jiapin.com/listgoods/index/cat_id/+sleep(1)%23

Severity: URL Redirection bugConfidence: ConfidentHost: http://user.jiapin.com/Path: /pageview/pos?app=from_tag&url=http://www.jiapin.com/list/14565.htmlIssue detail:This is considered quite serious if it's in a consumer type of website as attackers can make use of this to redirect victims to another website.Ok, the flaw is that the original url will look like the followinghttp://user.jiapin.com/pageview/pos?app=from_tag&url=http://www.jiapin.com/list/14565.htmlHowever, an attacker can change the final url to the followinguser.jiapin.com/pageview/pos?app=from_tag&url=http://ebay.deIf attackers have exploit kit, they can redirect victims to their website, fire up an iframe showing the original content from jiapin.comAfter they had exploited or trojanised the victim, just do another redirect to the original website.This way, victims will not notice much. 😀 In my test case, i redirect user(s) to ebay.de :DThe other URL Redirection bug could be found here:http://user.jiapin.com/cps/cpslogin/together/c5ac81fe5e0d6246dcb4c769ead4c3ea?url_t=http://news.jiapin.com/html/zx/jiapinguandi/2012/0822/6690.htmlSimilarly, if you replacehttp://news.jiapin.com/html/zx/jiapinguandi/2012/0822/6690.htmlwith http://ebay.de and the final url look like this:http://user.jiapin.com/cps/cpslogin/together/c5ac81fe5e0d6246dcb4c769ead4c3ea?url_t=http://ebay.deVictims will be redirected to eBay.de instead

漏洞证明:

Or the image below

修复方案:

漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2012-09-02 15:29

厂商回复:

最新状态:

暂无

评价

  1. 2010-01-01 00:00 Michael 白帽子 | Rank:74 漏洞数:19)

    标题风格咋变了。

  2. 2010-01-01 00:00 瓜瓜 白帽子 | Rank:158 漏洞数:24)

    肿么成汉语了

  3. 2010-01-01 00:00 Gunther 白帽子 | Rank:32 漏洞数:9)

    有時需要練習我的廣東話

  4. 2010-01-01 00:00 gainover 白帽子 | Rank:1331 漏洞数:97)

    = = ...

  5. 2010-01-01 00:00 风萧萧 白帽子 | Rank:874 漏洞数:67)

    @xsser 佳品网是不是失去联系了,有个漏洞视乎要公开了

  6. 2010-01-01 00:00 Xhm1n9 白帽子 | Rank:57 漏洞数:13)

    @Gunther 祖籍广东的华侨?

  7. 2010-01-01 00:00 Inset 白帽子 | Rank:8 漏洞数:1)

    广东?不理解!

  8. 2010-01-01 00:00 Gunther 白帽子 | Rank:32 漏洞数:9)

    祖先来自广东