Simple Machines Forum (SMF) 'display.php' 跨站脚本攻击漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1192601 漏洞类型 跨站脚本
发布时间 2006-12-07 更新时间 2006-12-08
CVE编号 CVE-2006-6375 CNNVD-ID CNNVD-200612-154
漏洞平台 N/A CVSS评分 6.8
|漏洞来源
https://cxsecurity.com/issue/WLB-2006120072
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200612-154
|漏洞详情
SimpleMachinesForum(SMF)1.1Final及更早版本中的display.php存在跨站脚本攻击(XSS)漏洞,远程攻击者可通过已上载的带有图像参数集的文件的内容(可被InternetExplorer的自动类型侦测解释为脚本)来注入任意Web脚本或HTML。
|漏洞EXP
======================================================================

Advisory : SMF upload XSS vulnerability
Release Date : December 4th, 2006
Application : Simple Machines Forum
Version : SMF 1.1 Final (and earlier versions)
Platform : PHP
Vendor URL : http://www.simplemachines.org
Authors : Jessica Hope ( jessicasaulhope (at) googlemail (dot) com [email concealed] )
    	: rotwang ( c.a.rotwang (at) googlemail (dot) com [email concealed] )

=======================================================================

Overview

Due to various failures in sanitising user input, it is possible to
construct XSS attacks using files masquerading as images.

=======================================================================

Discussion

A often ignored XSS hazard sprouts from the Internet Explorer's habit
to "guess"
the type of displayed data, when mime-type and header do not match.
This is especially dangerous in software allowing image uploads; the accepted
counter-measure is to use getimagesize to guarantee that the correct mime-type
is chosen.

SMF's implementation of this check is faulty, as it can be overridden by simply
setting the parameter "image". In that case, the file will be
delivered with the
type "image/gif", regardless of the file's content or name.
Even an uploaded text file is  able to carry an XSS vector.
Neither the upload function, nor the delivery code actually act upon the file's
content. The admin function "Check attachment's extension" has no
impact on that
behaviour.

Vulnerable code in  Display.php

Line 1045
if (filesize($filename) != 0)
	{
		$size = @getimagesize($filename);
		if (!empty($size) && $size[2] > 0 && $size[2] < 4)
			header('Content-Type: image/' . ($size[2] != 1 ? ($size[2] != 2 ?
'png' : 'jpeg') : 'gif'));
		// Errr, it's an image.... what kind?  A... gif?  Yeah that's it,
gif!  Like JIF, the peanut butter.
		elseif (isset($_REQUEST['image']))
			header('Content-Type: image/gif');
	}

=======================================================================

Solution

It is possible to work around the issue like so:

$size = @getimagesize($filename);
		if (!empty($size) && $size[2] > 0 && $size[2] < 4) {			
			  header('Content-Type: image/' . ($size[2] != 1 ? ($size[2] != 2 ?
'png' : 'jpeg') : 'gif'));
			}
		// Errr, it's not an image.... what kind?  Ah, let's play it safe
		else {			
			header('Content-Disposition: attachment; filename="' . $real_filename . '"');
		 	header('Content-Type: application/octet-stream');
	       	
		}

Moreover, the upload function should check the actual filtype. Files
with invalid
extensions should not be accepted as uploads.
The avatar function already implements such checks; they should be applied for
the attachment function as well.

=======================================================================

History:

Having dealt with SMF in the past, I know that they do not take security
seriously (have a look at my earlier IP spoofing SMF report). Thus until
I believe that SMF have shaped up in terms of security, any issues that I
come across I'll be posting a full disclosure immediately.
Incidently, the IP spoofing still exsists in the latest SMF too. They never
learn.

04th December 2006: Full disclosure

=======================================================================

Credit

This issue is to be credited to Jessica Hope ( jessicasaulhope (at) googlemail (dot) com [email concealed] ),
and rotwang ( c.a.rotwang (at) googlemail (dot) com [email concealed] )
|参考资料

来源:BUGTRAQ
名称:20061203SMFuploadXSSvulnerability
链接:http://www.securityfocus.com/archive/1/archive/1/453426/100/0/threaded
来源:SECUNIA
名称:23175
链接:http://secunia.com/advisories/23175
来源:XF
名称:smf-display-xss(30659)
链接:http://xforce.iss.net/xforce/xfdb/30659
来源:BID
名称:21431
链接:http://www.securityfocus.com/bid/21431
来源:VUPEN
名称:ADV-2006-4843
链接:http://www.frsirt.com/english/advisories/2006/4843
来源:SREASON
名称:2001
链接:http://securityreason.com/securityalert/2001