Vulnerability summary (followers: 24)

Defect ID: wooyun-2013-038423

Title: CmsEasy stored XSS vulnerability (code analysis)

Affected vendor: cmseasy

Author: Aring

Submitted: 2013-09-28 15:35

Fixed: 2013-11-12 15:36

Published: 2013-11-12 15:36

Vulnerability type: XSS (cross-site scripting)

Severity: Low

Self-assessed Rank: 1

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2013-09-28: details sent to the vendor, awaiting vendor handling
2013-09-28: vendor confirmed; details visible to the vendor only
2013-10-08: details disclosed to core white hats and domain experts
2013-10-18: details disclosed to regular white hats
2013-10-28: details disclosed to intern white hats
2013-11-12: details disclosed to the public

Brief description:

Stored XSS in CmsEasy. The version tested was CmsEasy_5.5_UTF-8_20130910.

Detailed description:

bbs/add-archive.php

<?php
require_once 'bbs_public.php';
// The login check below is enforced, so a registered account is needed to test this
$admin = new action_admin();
$admin->check_login(); // verify that the user is logged in
// ... omitted ...
if (isset($_POST['submit'])) {
    if (strtolower(trim($_POST['verify'])) != strtolower($_SESSION['verify'])) { // check the captcha
        action_public::turnPage('index.php', '验证码输入错误!');
    }
    $archive = db_bbs_archive::getInstance();
    unset($_POST['submit']);
    unset($_POST['verify']);
    $_POST['username'] = $_COOKIE['login_username']; // taken from the login cookie
    $_POST['userid']   = $admin->userid;
    $_POST['ip']       = $_SERVER['REMOTE_ADDR'];
    $_POST['addtime']  = mktime();
    if ($id = $archive->inserData($_POST)) { // the problem is here: title is not filtered
        action_public::turnPage('archive-display.php?aid=' . $id, '文章添加成功');
    } else {
        action_public::turnPage('index.php', '添加失败,请联系我们!');
    }
}


Following the call path inserData() -> insert() -> getInsertString():

public function inserData($data)
{
    $r = $this->odb->insert($this->tblName, $data);
    if ($r)
        return $this->odb->getInsertId();
    else
        return false;
}

Following insert():

public function insert($table, $data)
{
    $sql = $this->getInsertString($table, $data);
    return $this->execSql($sql);
}

Following getInsertString():

public function getInsertString($table, $data)
{
    $n_str = '';
    $v_str = '';
    $table = $this->filterString($table);
    foreach ($data as $k => $v)
    {
        $n_str .= $this->filterString($k) . ','; // filtering happens here
        $v_str .= "'" . $this->filterString($v) . "',";
    }
    $n_str = preg_replace("/,$/", "", $n_str);
    $v_str = preg_replace("/,$/", "", $v_str);
    $str = 'INSERT INTO ' . $table . ' (' . $n_str . ') VALUES(' . $v_str . ')';
    return $str;
}


Analysing the filterString() function:

public function filterString($str)
{
    if ($this->magic_quotes)
    {
        $str = stripslashes($str);
    }
    if (is_numeric($str)) {
        return $str;
    } else {
        $ret = @mysqli_real_escape_string($this->con, $str);
        if (strlen($str) && !isset($ret)) {
            $r = $this->checkConnection();
            if ($r !== true) {
                $this->closeDB();
                $ret = $str;
            }
        }
        return $ret;
    }
}


The only filtering applied is mysqli_real_escape_string, which escapes characters such as ' and " for SQL; as a filter for the title field this is incomplete.
Post an article and inspect the stored data:

[Image: 1.png]

[Image: 2.png]


Now look at the output side in bbs/index.php:

<?php foreach ($category_data as $v) {
    $archive_arr = $archive->getDataLimit('aid,cid,lid,title,username,replynum,click,addtime', "cid='{$v['cid']}' AND isstop='0' order by aid desc limit 10 ");
?>

Following getDataLimit():

public function getDataLimit($field = '*', $where = '1')
{
    $sql = "SELECT {$field} FROM {$this->tblName} WHERE {$where}"; // build the SQL statement
    $data = $this->odb->getRows($sql); // followed it: no filtering here
    return $data; // return the data
}


Proof of vulnerability:

[Image: 3.png]

Remediation:

Filter the title input.
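The PHP below is an added example, not CmsEasy's own code. It ties together the filterString() analysis above and this remediation: the SQL escaping that filterString() applies leaves HTML markup intact, so the title needs an input-side filter before it is stored and, because rows written before the fix are already in the database, output encoding at every place bbs/index.php echoes a title. Function names (sql_escape_like_filterstring, clean_title, encode_for_html, render_archive_link) and the sample title are constructed for this example; addslashes() stands in for mysqli_real_escape_string(), which needs a live connection, and is assumed to be equivalent only in that both escape quotes and neither touches angle brackets.

```php
<?php
// Added example, not CmsEasy code. Shows why filterString()-style SQL
// escaping does not stop stored XSS, and the two-layer fix for the title:
// filter on input, encode on output. All names here are illustrative.

// Stand-in for filterString(): mysqli_real_escape_string() needs a live
// connection, so addslashes() is used instead. (Assumption: both escape
// quote characters and leave HTML markup untouched.)
function sql_escape_like_filterstring(string $value): string
{
    return addslashes($value);
}

// Input-side filter for the title field, as the report recommends:
// drop HTML tags and surrounding whitespace before the row is stored.
function clean_title(string $raw): string
{
    return trim(strip_tags($raw));
}

// Output-side encoding: every place the template echoes a stored title
// must pass it through htmlspecialchars() so the browser renders text.
function encode_for_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Hardened rendering of one row returned by getDataLimit(): the query is
// unchanged, only the template output is encoded.
function render_archive_link(array $row): string
{
    return '<a href="archive-display.php?aid=' . (int) $row['aid'] . '">'
        . encode_for_html($row['title']) . '</a>';
}

// Constructed sample input standing in for a submitted $_POST['title'].
$submitted_title = 'Weekly notes <script>demo()</script> "quoted"';

// 1. What the current code stores: quotes are escaped for SQL, the tag survives.
$stored = sql_escape_like_filterstring($submitted_title);
if (strpos($stored, '<script>') === false) {
    throw new RuntimeException('expected the tag to survive SQL escaping');
}

// 2. The input filter removes the tag but keeps the surrounding text.
$cleaned = clean_title($submitted_title);
if ($cleaned !== 'Weekly notes demo() "quoted"') {
    throw new RuntimeException('unexpected clean_title result: ' . $cleaned);
}

// 3. Output encoding neutralises a title that was stored before the fix.
$html = render_archive_link(['aid' => 7, 'title' => $submitted_title]);
if (strpos($html, '<script>') !== false
    || strpos($html, '&lt;script&gt;') === false) {
    throw new RuntimeException('unexpected rendered HTML: ' . $html);
}

echo $html, PHP_EOL;
```

The input filter alone is not enough: any title inserted before the fix is still stored raw, and getDataLimit() returns it as-is, so the encoding step in render_archive_link() is what protects the listing page regardless of what is in the database.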

Copyright notice: when reposting, please credit the source: Aring@WooYun


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 10

Confirmed at: 2013-09-28 15:43

Vendor reply:

Thanks, we will fix it as soon as possible.

Latest status:

None yet