当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-080781

漏洞标题:B2Bbuilder 网站商城跨站脚本攻击两处

相关厂商:shop-builder.cn

漏洞作者: nextdoor

提交时间:2014-10-28 13:57

修复时间:2014-12-30 14:44

公开时间:2014-12-30 14:44

漏洞类型:xss跨站脚本攻击

危害等级:中

自评Rank:10

漏洞状态:漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2014-10-28: 细节已通知厂商并且等待厂商处理中
2014-11-02: 厂商主动忽略漏洞,细节向第三方安全合作伙伴开放
2014-12-27: 细节向核心白帽子及相关领域专家公开
2015-01-06: 细节向普通白帽子公开
2015-01-16: 细节向实习白帽子公开
2014-12-30: 细节向公众公开

简要描述:

B2Bbuilder 网站商城跨站脚本攻击两处
一个是指谁打谁
另一个是可打大量用户

详细说明:

下载的版本 B2Bbuilder B2B网站管理系统 v7.0 .1最新 正式版
第一处
admin_message_sed.php //用户发送私信处,用户信息未做过滤

if(isset($_POST['msgsend'])&&$_POST['sendid']!=',')
{
$msg->friend_msg_batch_send(); //跟踪friend_msg_batch_send函数
}
//------------------邮件详情
if(!empty($_GET['id']))
{
$de=$msg ->mail_det($_GET['id']);//跟踪mail_det函数
$tpl->assign("de",$de);
$_GET['uid']=$de['fromuserid'];
}
//--------------------收件人
if(!empty($_GET['uid']))
{
$sql="select user from ".ALLUSER." where userid='$_GET[uid]'";
$db->query($sql);
$tpl->assign("auser",$db->fetchField('user'));
}
//--------------------批量发邮件
$info=$friend->get_batch_friend_info();
$tpl->assign("re",$info);
//--------------------联系人名单
$friendlist=$friend->friends_lists();
$tpl->assign("friendlist",$friendlist);
//==================================
$tpl->assign("config",$config);
$tpl->assign("lang",$lang);
$output=tplfetch("admin_message_sed.htm");
跟踪两个函数
plugin_msg_class.php中
function mail_det($id)
{
global $buid;
$sql="select *,NULL as about from ".FEEDBACK." where id='$id'";
$this->db->query($sql);
$re=$this->db->fetchRow();
if($re['iflook']<1)
{
$sql="update ".FEEDBACK." SET iflook=1 WHERE id='$id'";
$this->db->query($sql);
}

if($re["fromuserid"]&&$re['msgtype']==1)
{//收件箱
$sql="select * from ".ALLUSER." where userid='".$re['fromuserid']."'";
$this->db->query($sql);
$re["fromInfo"]=$this->db->fetchRow();
} //
if($re["touserid"]&&$re['msgtype']==2)
{//发件箱
$sql="select * from ".ALLUSER." where userid='".$re['touserid']."'";
$this->db->query($sql);
$re["fromInfo"]=$this->db->fetchRow();
}
if($re['fromuserid'])
{
$sql="select id from ".FRIENDS." where fuid=$re[fromuserid]";
$this->db->query($sql);
$re["is_myfriend"]=$this->db->fetchField('id');
}

$re['edit_con']='<br><br><br><br><br>//======================================================='.$re['con'];
//显示$re['con']也未过滤
return $re;
}
function friend_msg_batch_send()
{
global $buid,$admin;
if(!empty($_POST['senduser'])&&!empty($_POST['msgcon']))
{
$date=date("Y-m-d H:i:s");
$sear=explode(';',$_POST['senduser']);
if(count($sear)>1)
{
$sear1=array_unique($sear);
$suser="'0'";
foreach($sear1 as $v)
{
$suser.=",'$v'";
}
$sql="select user,email,userid from ".ALLUSER." where user in ($suser)";
}
else
$sql="select user,email,userid from ".ALLUSER." where user ='$_POST[senduser]'";
$this->db->query($sql);
$re=$this->db->getRows();
foreach($re as $v)
{
$sql="insert into ".FEEDBACK." (touserid,fromuserid,fromInfo,sub,con,date,msgtype) VALUES
('$v[userid]','$buid','Business Friends Message','$_POST[msgtitle]','$_POST[msgcon]','$date','1')";
$this->db->query($sql);

$sql="insert into ".FEEDBACK." (touserid,fromuserid,fromInfo,sub,con,date,msgtype) VALUES
('$v[userid]','$buid','Business Friends Message','$_POST[msgtitle]','$_POST[msgcon]','$date','2')";
//$_POST[msgcon]没过滤就插入数据库
$this->db->query($sql);
//-----------------如果是回复邮件标记为已回复
$this->db->query("UPDATE ".FEEDBACK." set iflook='3' where id='$_GET[id]'");

if(!empty($_POST['semail'])&&$v["email"])
{
send_mail($v["email"],$v["name"],$_POST['msgtitle'],$_POST['msgcon']);
}
}
$admin->msg("main.php?m=message&s=admin_message_list_inbox");//发送成功
}
else
$admin->msg("main.php?m=message&s=admin_message_sed&msgsend=error");


第二处

buy_class.php //进入点和输出点都没有过滤导致xss漏洞
这个的影响也较大,只要用户点击求购栏目就会中招
buy=new buy();
if($_GET['ajax']==1)
{
$buy->del_pro_buy($_POST['id']);
die;
}
if(!empty($submit)&&empty($_POST['editID']))
{
//========================================================
$pactidlist=!empty($_POST['catid'])?$_POST['catid']:NULL;
if(!empty($_POST['tcatid']))
$pactidlist.= ",".$_POST['tcatid'];
if(!empty($_POST['scatid']))
$pactidlist.=",".$_POST['scatid'];
if(!empty($_POST['sscatid']))
$pactidlist.=",".$_POST['sscatid'];
$buy->add_user_common_cat($pactidlist);//增加会员常用类别,跟踪一下这个函数
//=======================================================
$buy_id = $buy->add_buy();
if($buy_id)
$admin->msg("main.php?m=buy&s=admin_buy_list");
}
$_POST['editID']*=1;
if($_POST['editID'])
{
$re=$buy->edit_buy();
if($re)
$admin->msg("main.php?m=buy&s=admin_buy_list");
}
if(isset($_GET['edit']))
{
$de = $buy->buy_detail($_GET['edit']);
$pactidlist=$de['catid'];
if(!empty($de['tcatid']))
$pactidlist.=",".$de['tcatid'];
if(!empty($de['scatid']))
$pactidlist.=",".$de['scatid'];
if(!empty($de['sscatid']))
$pactidlist.=",".$de['sscatid'];
$tpl->assign("typenames",$buy->getProTypeName($pactidlist));
$buy->add_user_common_cat($pactidlist);//增加会员常用类别
$tpl->assign("de",$de);
}
buy_class.php
function add_user_common_cat($cid)
{
global $buid;
//-------------------
$cid=explode(",",$cid);
$id=$cid[0];
if(!empty($cid[1]))
$id=$cid[1];
if(!empty($cid[2]))
$id=$cid[2];
if(!empty($cid[3]))
$id=$cid[3];
$sql="select id from ".SHOPSETTING." where company_id='$bcid'";
$this->db->query($sql);
$rec=$this->db->fetchRow();
if($rec['id'])
$sql="update ".SHOPSETTING." set common_cat=REPLACE(common_cat,',$id',''),common_cat=concat(common_cat,',$id') where userid='$buid'";
else
$sql="insert into ".SHOPSETTING." (userid,rec_pro,common_cat) values ('$buid','',',$id')";
//更新rec_pro,common_cat时未过滤
$re=$this->db->query($sql);
}

漏洞证明:

漏洞证明: 官网演示
用户打开信息时触发

跨站脚本1.PNG


用户单击首页上的求购栏目是即可触发

跨站脚本攻击2.PNG

修复方案:

转义

版权声明:转载请注明来源 nextdoor@乌云


漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2014-12-30 14:44

厂商回复:

最新状态:

暂无