phpMyID 'MyID.php' Cross-Site Scripting Vulnerability

Vulnerability ID: 1184848    Type: Cross-Site Scripting
Published: 2008-10-24    Updated: 2008-10-24
CVE ID: CVE-2008-4730    CNNVD ID: CNNVD-200810-439
Platform: N/A    CVSS score: 4.3
|Sources
https://www.securityfocus.com/bid/80835
https://cxsecurity.com/issue/WLB-2008100230
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200810-439
|Details
MyID.php in phpMyID contains a cross-site scripting vulnerability. A remote attacker can inject arbitrary web script or HTML via the openid_trust_root parameter, in conjunction with a non-contiguous openid_return_to parameter; these values are not properly handled in the resulting error message.
|Exploit
Subject: XSS vulnerability in phpMyID
Credits: Raphael Geissert <atomo64 (at) gmail (dot) com>
Release date: 2008-10-27
Affects: v0.9 [23-Jul-2008]

Resources:
    * Homepage: http://siege.org/projects/phpMyID/
    * Demo: http://phpmyid.com

Background:
    phpMyID is a single user OpenID identity provider implemented in PHP.

Problem description:
    The MyID.php script does not sanitize the input it is supposed to be given
    by the site where the user wants to be authenticated. When the return_to
    address does not have the same "root" as trust_root it aborts, opening a
    hole for XSS attacks.

Impact:
    A user can be tricked and redirected to their vulnerable identity provider,
    where the specially crafted data exploits the security hole.

Example exploit:
    MyID.php?openid_mode=checkid_immediate&openid_return_to=bar
        &openid_trust_root=%3Cscript%3Ewindow.alert%28%29%3B%3C%2Fscript%3E
        &openid_identity=foo
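The advisory describes two defensive gaps: the return_to/trust_root comparison that triggers the abort, and an error message that reflects the raw parameters. The following is an added example written for this page, not phpMyID's own code; the realm-matching rules (scheme, port, host with an optional `*.` wildcard, path prefix) are modelled on the OpenID realm rules and the function names are hypothetical.

```php
<?php
// Added example (not phpMyID code): (1) decide whether return_to falls under
// trust_root using OpenID-style realm rules, and (2) HTML-escape every
// reflected request value before it reaches the error page.

/** Return true if $return_to lies under the realm $trust_root. */
function return_to_matches_trust_root(string $return_to, string $trust_root): bool
{
    $rt = parse_url($return_to);
    $tr = parse_url($trust_root);
    if ($rt === false || $tr === false || empty($rt['host']) || empty($tr['host'])) {
        return false;                       // unparseable or host-less input never matches
    }
    // Scheme and port must be identical; fill in default ports first.
    $port = fn(array $u): int =>
        $u['port'] ?? ((($u['scheme'] ?? 'http') === 'https') ? 443 : 80);
    if (($rt['scheme'] ?? '') !== ($tr['scheme'] ?? '') || $port($rt) !== $port($tr)) {
        return false;
    }
    // Host: exact match, or a "*." wildcard covering the domain and its subdomains.
    $rtHost = strtolower($rt['host']);
    $trHost = strtolower($tr['host']);
    if (str_starts_with($trHost, '*.')) {
        $domain = substr($trHost, 2);       // "example.com"
        if ($rtHost !== $domain && !str_ends_with($rtHost, '.' . $domain)) {
            return false;
        }
    } elseif ($rtHost !== $trHost) {
        return false;
    }
    // Path: the return_to path must start with the trust_root path.
    return str_starts_with($rt['path'] ?? '/', $tr['path'] ?? '/');
}

/** Build the abort message with every reflected value HTML-escaped. */
function trust_root_error_html(string $return_to, string $trust_root): string
{
    $e = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return 'Error: return_to "' . $e($return_to)
         . '" is not under trust_root "' . $e($trust_root) . '"';
}

// Constructed sample values for demonstration.
var_dump(return_to_matches_trust_root('https://app.example.com/cb', 'https://*.example.com/')); // true
var_dump(return_to_matches_trust_root('http://app.example.com/cb', 'https://*.example.com/'));  // false
var_dump(return_to_matches_trust_root('bar', 'https://example.com/'));                           // false
echo trust_root_error_html('bar', '<i>rp</i>'), "\n";   // markup arrives as &lt;i&gt;rp&lt;/i&gt;
```

Requires PHP 8 for `str_starts_with`/`str_ends_with`; the escaping helper is the fix the advisory implies, while the matcher shows why a mismatch is reached in the first place.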
|Affected products
Phpmyid Phpmyid 0.9
|References

Source: BUGTRAQ
Name: 20081002 XSS vulnerability in phpMyID
Link: http://www.securityfocus.com/archive/1/archive/1/496930/100/0/threaded
Source: SREASON
Name: 4484
Link: http://securityreason.com/securityalert/4484