EvilOctal Security Team Technical Discussion Group's Archiver

EvilOctal 2005-9-30 22:24

[Repost] CubeCart 3.0.3 cross-site scripting vulnerability and test methods

Original link: http://bugs.cubecart.com/?do=details&id=363

Vendor url: www.cubecart.com
Bug report: http://bugs.cubecart.com/?do=details&id=363
Advisory: http://lostmon.blogspot.com/2005/09/cubecart-303-multiple-variable-cross.html
Vendor confirmed: yes
Exploit available: yes
Fix available: yes

CubeCart contains a flaw that allows a remote cross site scripting
attack. This flaw exists because the application does not validate some
variables upon submission to the cart.php and index.php scripts. This
could allow a user to create a specially crafted URL that would execute
arbitrary code in a user's browser within the trust relationship between
the browser and the server, leading to a loss of integrity.

###############
VERSIONS
###############
CubeCart 3.0.3 vulnerable
CubeCart 3.0.4 not vulnerable


#################
Timeline
#################

Discovered: 24 Sep 2005
Vendor notified: 24 Sep 2005
Vendor response: 26 Sep 2005
Solution: 28 Sep 2005

###############
Examples:
###############

http://[victim]/cc3/cart.php?act=reg&redir=L3NpdGUvZGVtby9jYzMvaW5kZXgucGhwP3NlYXJjaFN0cj0lMjIlM0UlM0NzY3JpcHQlM0VhbGVydCUyOCUyOSUzQyUyRnNjcmlwdCUzRSZhbXA7YWN0PXZpZXdDYXQmYW1wO1N1Ym1pdD1Hbw==[XSS-CODE]

http://[victim]/cc3/cart.php?act=reg&redir=[XSS-CODE]

http://[victim]/cc3/index.php?searchStr=%3D%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&act=viewCat&Submit=Go

http://[victim]/cc3/index.php?act=login&redir=L3NpdGUvZGVtby9jYzMvaW5kZXgucGhwP2FjdD12aWV3RG9jJmFtcDtkb2NJZD0x[XSS-CODE]
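As an added defender-side example that is not part of the advisory: a small Python scanner that applies the advisory's two observations (searchStr is reflected unescaped; redir is base64-decoded, and anything after the base64 is reflected verbatim) to web-server access log lines. The /cc3/ path prefix, the finding texts and the sample log lines are constructed here; the two base64 redir values are the ones quoted above.

```python
import base64
import re
from urllib.parse import unquote, urlsplit

# Parameters the advisory says CubeCart 3.0.3 reflects unescaped, keyed by script
# path. The /cc3/ prefix is the install path used in the advisory's examples.
WATCHED = {"/cc3/cart.php": ("redir",), "/cc3/index.php": ("searchStr", "redir")}
HTML_META = re.compile(r'[<>"\']|%3c|%3e|%22|%27', re.I)  # also catches one extra %-layer
B64_ONLY = re.compile(r"^[A-Za-z0-9+/]*={0,2}$")
REQ_LINE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def decode_redir(value):
    """Decode redir as login.inc.php does (base64_decode); None unless it is clean base64."""
    if not B64_ONLY.match(value):
        return None
    try:
        return base64.b64decode(value, validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError
        return None

def check_request(target):
    """Return findings for one request target such as '/cc3/index.php?searchStr=...'."""
    parts, findings = urlsplit(target), []
    # Split the query by hand so '+' inside base64 is not turned into a space.
    for pair in parts.query.split("&"):
        name, _, raw = pair.partition("=")
        if name not in WATCHED.get(parts.path, ()):
            continue
        if name == "searchStr":
            if HTML_META.search(unquote(raw)):
                findings.append("searchStr carries HTML metacharacters")
        elif (decoded := decode_redir(raw)) is None:
            findings.append("redir is not clean base64; trailing bytes are reflected verbatim")
        elif not decoded.startswith("/") or HTML_META.search(unquote(decoded)):
            findings.append("redir decodes to an off-site or script-bearing target")
    return findings

def scan_log(lines):
    """Yield (line_number, findings) for each request line that trips a check."""
    for n, line in enumerate(lines, 1):
        m = REQ_LINE.search(line)
        if m and (found := check_request(m.group(1))):
            yield n, found

# Constructed sample lines; the two base64 redir values are the advisory's own.
SAMPLE_LOG = [
    '10.0.0.5 - - [30/Sep/2005:22:24:00 +0800] "GET /cc3/index.php?searchStr=blue+widget&act=viewCat&Submit=Go HTTP/1.1" 200 512',
    '10.0.0.5 - - [30/Sep/2005:22:24:01 +0800] "GET /cc3/index.php?act=login&redir=L3NpdGUvZGVtby9jYzMvaW5kZXgucGhwP2FjdD12aWV3RG9jJmFtcDtkb2NJZD0x HTTP/1.1" 200 512',
    '10.0.0.9 - - [30/Sep/2005:22:25:10 +0800] "GET /cc3/index.php?searchStr=%3D%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&act=viewCat&Submit=Go HTTP/1.1" 200 512',
    '10.0.0.9 - - [30/Sep/2005:22:25:11 +0800] "GET /cc3/cart.php?act=reg&redir=L3NpdGUvZGVtby9jYzMvaW5kZXgucGhwP3NlYXJjaFN0cj0lMjIlM0UlM0NzY3JpcHQlM0VhbGVydCUyOCUyOSUzQyUyRnNjcmlwdCUzRSZhbXA7YWN0PXZpZXdDYXQmYW1wO1N1Ym1pdD1Hbw==[XSS-CODE] HTTP/1.1" 200 512',
]
```

Iterating `scan_log(SAMPLE_LOG)` reports only lines 3 and 4; the benign search and the plain base64 login redirect on lines 1 and 2 pass.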

#############
SOLUTION
#############

################################################
MANUAL FIX
################################################
///////////////////////////////////////
// 1. Open: /includes/content/reg.inc.php
////////

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Find at around line 123:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

$redir = base64_decode($_GET['redir']);

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Replace with:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

$redir = base64_decode(treatGet($_GET['redir']));

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Find at around line 170:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

$reg->assign("VAL_ACTION","cart.php?act=reg&redir=".$_GET['redir']);

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Replace with:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

$reg->assign("VAL_ACTION","cart.php?act=reg&redir=".treatGet($_GET['redir']));

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Save, close and upload this file.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


///////////////////////////////////////
// 2. Open: /includes/content/login.inc.php
////////


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Find at around line 55:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

header("Location: ".str_replace("&amp;","&",base64_decode($_GET['redir'])));

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Replace with:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

header("Location: ".str_replace("&amp;","&",base64_decode(treatGet($_GET['redir']))));


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Find at around line 74:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

$login->assign("VAL_SELF",$_GET['redir']);

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Replace with:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

$login->assign("VAL_SELF",treatGet($_GET['redir']));

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Save, close and upload this file.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


///////////////////////////////////////
// 3. Open: /includes/boxes/searchForm.inc.php
////////

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Find at around line 40:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

$box_content->assign("SEARCHSTR",$_GET['searchStr']);

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Replace with:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

$box_content->assign("SEARCHSTR",treatGet($_GET['searchStr']));

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Save, close and upload this file.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


///////////////////////////////////////
// 4. Open: /includes/content/viewCat.inc.php
////////

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Find at around line 108:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

$searchwords = split ( "[ ,]", $_GET['searchStr']);

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Replace with:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

$searchwords = split ( "[ ,]", treatGet($_GET['searchStr']));

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Find at around line 308:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

$view_cat->assign("TXT_NO_PRODUCTS",$lang['front']['viewCat']['no_products_match']." ".$_GET['searchStr']);

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Replace with:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

$view_cat->assign("TXT_NO_PRODUCTS",$lang['front']['viewCat']['no_products_match']." ".treatGet($_GET['searchStr']));

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Save, close and upload this file.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


///////////////////////////////////////
// 5. Open: /includes/functions.inc.php
////////


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
At around line 25 find:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

| functions.inc.php
| ========================================
| Core Frontend Functions
+--------------------------------------------------------------------------
*/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Directly under this add:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

//////////////////////////////////
// treat GET vars stop XSS
////////
function treatGet($text){
    // drop <script ... script> blocks first, then any remaining tags
    $text = preg_replace("/(\<script)(.*?)(script>)/si", "", "$text");
    $text = strip_tags($text);
    // remove the characters that could close a tag or attribute value
    $text = str_replace(array("'","\"",">","<","\\"), "", $text);
    // note: this is a removal-based filter; escaping on output (htmlspecialchars) is the safer default
    return $text;
}



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
At around line 384 find:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

function currentPage(){
    $currentPage = $_SERVER['PHP_SELF'];
    if (isset($_SERVER['QUERY_STRING'])) {
        $currentPage .= "?" . htmlentities($_SERVER['QUERY_STRING']);
    }
    return $currentPage;
}


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Replace this with:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

function currentPage(){
    $currentPage = $_SERVER['PHP_SELF'];
    if (isset($_SERVER['QUERY_STRING'])) {
        $currentPage .= "?" . htmlentities(treatGet($_SERVER['QUERY_STRING']));
    }
    return $currentPage;
}

///////////////////////////////////////
// 6. Open: /includes/ini.inc.php
////////

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Find at around line 108:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

$ini['ver'] = '3.0.3';

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Replace with:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

$ini['ver'] = '3.0.4';

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Save, close and upload this file.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
// end of manual fix :O)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

##################### end ########################

Thnx to estrella for being my light
Thnx to all manglers of http://www.osvdb.org

--
Sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
Curiosity is what moves the mind....

© 1999-2008 EvilOctal Security Team