当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-085588

漏洞标题:uhome 设计接口缺陷 通篇xss 和一处存储型xss

相关厂商:Discuz!

漏洞作者: menmen519

提交时间:2014-12-07 19:13

修复时间:2015-01-13 19:14

公开时间:2015-01-13 19:14

漏洞类型:xss跨站脚本攻击

危害等级:高

自评Rank:20

漏洞状态:漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2014-12-07: 细节已通知厂商并且等待厂商处理中
2014-12-12: 厂商主动忽略漏洞,细节向第三方安全合作伙伴开放
2015-02-05: 细节向核心白帽子及相关领域专家公开
2015-02-15: 细节向普通白帽子公开
2015-02-25: 细节向实习白帽子公开
2015-01-13: 细节向公众公开

简要描述:

uhome 设计接口缺陷 通篇xss 和一处存储型xss

详细说明:

我下载了集成包:
UCenter1.5.1/UCHome2.0/Discuz!7.2 集成安装包
直接看代码:
admincp_doing.php:

if(submitcheck('batchsubmit')) {
include_once(S_ROOT.'./source/function_delete.php');
if(!empty($_POST['ids']) && deletedoings($_POST['ids'])) {
cpmessage('do_success', $_POST['mpurl']);
} else {
cpmessage('choose_to_delete_events', $_POST['mpurl']);
}
}


跟进去这个函数:
cpmessage('do_success', $_POST['mpurl']);

function cpmessage($msgkey, $url_forward='', $second=1, $values=array()) {
global $_SGLOBAL, $_SC, $_SCONFIG, $_TPL, $_SN, $space;

//去掉广告
$_SGLOBAL['ad'] = array();
include_once(S_ROOT.'./language/lang_cpmessage.php');
if(isset($_SGLOBAL['cplang'][$msgkey])) {
$message = lang_replace($_SGLOBAL['cplang'][$msgkey], $values);
} else {
$message = $msgkey;
}

//显示
obclean();

//菜单激活
$menuactive = array('index' => ' class="active"');

if(!empty($url_forward)) {
$second = $second * 1000;
$message .= "<script>setTimeout(\"window.location.href ='$url_forward';\", $second);</script>";
}
include template('admin/tpl/message');
exit();
}


没有经过任何过滤直接到了:
$message .= "<script>setTimeout(\"window.location.href ='$url_forward';\", $second);</script>";
发送url:
http://localhost/dz72/upload/home/admincp.php?ac=feed
postdata:
formhash=120f00ad&ids[]=10&mpurl=javascript:alert(1)&deletesubmit=æ‰¹é‡åˆ é™¤

1.png


我们搜索一下:

2.png


下来我们看存储型xss:

3.png


然后javascript:alert(document.cookie)/aaa.swf

4.png


5.png


我们分析一下代码:
cp_thread.php:

if(strlen($subject) < 2) showmessage('title_not_too_little');

$_POST['message'] = checkhtml($_POST['message']);
$_POST['message'] = getstr($_POST['message'], 0, 1, 0, 1, 0, 1);
$_POST['message'] = preg_replace("/\<div\>\<\/div\>/i", '', $_POST['message']);
$message = $_POST['message'];


跟进函数checkhtml
function_blog.php:

function checkhtml($html) {
$html = stripslashes($html);
if(!checkperm('allowhtml')) {

preg_match_all("/\<([^\<]+)\>/is", $html, $ms);
$searchs[] = '<';
$replaces[] = '<';
$searchs[] = '>';
$replaces[] = '>';

if($ms[1]) {
$allowtags = 'img|a|font|div|table|tbody|caption|tr|td|th|br|p|b|strong|i|u|em|span|ol|ul|li|blockquote|object|param|embed';//允许的标签
$ms[1] = array_unique($ms[1]);
foreach ($ms[1] as $value) {
$searchs[] = "<".$value.">";
$value = shtmlspecialchars($value);
$value = str_replace(array('\\','/*'), array('.','/.'), $value);
$value = preg_replace(array("/(javascript|script|eval|behaviour|expression)/i", "/(\s+|"|')on/i"), array('.', ' .'), $value);
if(!preg_match("/^[\/|\s]?($allowtags)(\s+|$)/is", $value)) {
$value = '';
}
$replaces[] = empty($value)?'':"<".str_replace('"', '"', $value).">";
}
}
$html = str_replace($searchs, $replaces, $html);
}
$html = addslashes($html);

return $html;
}
//视频标签处理
function blog_bbcode($message) {
$message = preg_replace("/\[flash\=?(media|real)*\](.+?)\[\/flash\]/ie", "blog_flash('\\2', '\\1')", $message);
return $message;
}
//视频
function blog_flash($swf_url, $type='') {
$width = '520';
$height = '390';
if ($type == 'media') {
$html = '<object classid="clsid:6bf52a52-394a-11d3-b153-00c04f79faa6" width="'.$width.'" height="'.$height.'">
<param name="autostart" value="0">
<param name="url" value="'.$swf_url.'">
<embed autostart="false" src="'.$swf_url.'" type="video/x-ms-wmv" width="'.$width.'" height="'.$height.'" controls="imagewindow" console="cons"></embed>
</object>';
} elseif ($type == 'real') {
$html = '<object classid="clsid:cfcdaa03-8be4-11cf-b84b-0020afbbccfa" width="'.$width.'" height="'.$height.'">
<param name="autostart" value="0">
<param name="src" value="'.$swf_url.'">
<param name="controls" value="Imagewindow,controlpanel">
<param name="console" value="cons">
<embed autostart="false" src="'.$swf_url.'" type="audio/x-pn-realaudio-plugin" width="'.$width.'" height="'.$height.'" controls="controlpanel" console="cons"></embed>
</object>';
} else {
$html = '<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" width="'.$width.'" height="'.$height.'">
<param name="movie" value="'.$swf_url.'">
<param name="allowscriptaccess" value="always">
<embed src="'.$swf_url.'" type="application/x-shockwave-flash" width="'.$width.'" height="'.$height.'" allowfullscreen="true" allowscriptaccess="always"></embed>
</object>';
}
return $html;
}


最终流入到了blog_flash函数里面,这里就不用说了 allowscriptaccess 这个还是always
修复方案:

漏洞证明:

修复方案:

版权声明:转载请注明来源 menmen519@乌云


漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2015-01-13 19:14

厂商回复:

最新状态:

暂无