Be alert for Third Party Content attacks

Source: Internet
Author: SuperHei

"For web applications, many programs directly use Third Party Content to implement some functions, such as program upgrade reminders and advertisements, so when the official website is hacked, basically every user of your program will be xx'd. Might this become a class of vul like CSRF in the future?"

The above text is quoted from an earlier post of mine: http://hi.baidu.com/hi_heige/blog/item/2700f9f93bc2d209d9f9fdbe.html. I did not expect a real example to arrive so soon. Today, n-plus dz (Discuz!) forums were defaced with "Hacked by ring04h, just for fun!", which attracted a great deal of attention. At first everyone assumed the dz program had a very serious vulnerability, but when the official statement came out it turned out to be "the Discuz! server's domain name was hijacked"....

In fact, I think this problem should still be classified as a vulnerability of the program itself [in the same spirit as CSRF]. And besides this problem, ring04h also made use of other vulnerabilities.

First: Third Party Content

Discuz!_5.5.0_SC_GBK\upload\admin\global.func.php loads a third-party JS file directly from the vendor's host:

$posts = $db->result($db->query("select count(*) FROM {$tablepre}posts"), 0);
$msns = $db->result($db->query("select count(*) FROM {$tablepre}memberfields WHERE msn!=''"), 0);
echo '<script language="JavaScript" src="http://customer.discuz.net/news.php?version='.rawurlencode(DISCUZ_VERSION)
    .'&amp;release='.rawurlencode(DISCUZ_RELEASE)
    .'&php='.PHP_VERSION
    .'&amp;mysql='.$dbversion
    .'&charset='.rawurlencode($charset)
    .'&bbname='.rawurlencode($bbname)
    .'&members='.$members
    .'&threads='.$threads
    .'&amp;posts='.$posts
    .'&amp;msn='.$msns
    .'&md5hash='.md5(preg_replace("/http:\/\/(.+?)\/.*/i", "\\1", $_SERVER['HTTP_REFERER']).$_SERVER['HTTP_USER_AGENT'].DISCUZ_VERSION.DISCUZ_RELEASE.$bbname.$members.$threads.$posts)
    .'"></script>';

The script tag is used directly: whatever customer.discuz.net serves runs inside the admin panel page, with the logged-in administrator's session.

Second: an output variable lacks filtering

I remember Microsoft's famous saying: "All input is harmful." But in the web era, that alone is not enough for a security-minded programmer. We should add another sentence:

"All outputs are harmful"

The payload in ring04h's attack code is really a stored-XSS problem: JavaScript is inserted through the back end (the admin panel), and that value is output on the front end without filtering, so XSS appears once more. The specific code:

<script>function init(){document.write('Hacked by ring04h, just for fun!');}window.onload=init;</script>

ring04h was still relatively kind: he only wrote a single sentence. Had he served a trojan instead, who knows how many PCs would have been compromised...
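As an added example (this is not Discuz! code and not ring04h's payload), the following Node.js script shows the two fixes that the analysis above points at: treating third-party content as data that is validated and escaped rather than as a remote script that executes with the administrator's session, and encoding a back-end setting at every output context on the front page so a stored payload cannot become script. The feed format, the host customer.example.net, the front-page template, and the use of the forum name (bbname) as the defaced setting are all assumptions made for illustration.

```javascript
// Added example, not Discuz! code: (1) consume third-party "news" as data
// that is validated and escaped rather than as a <script src> running with
// the administrator's session, and (2) encode every back-end value on output
// so a stored payload cannot become script on the front page. Feed format,
// setting name and the host customer.example.net are assumptions.

const MAX_ITEMS = 5;
const MAX_LEN = 200;

// Encoder for HTML text and double-quoted attribute values.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Encoder for a value placed inside a JS string literal in an inline script:
// every non-alphanumeric char becomes \uHHHH, so "</script>" and quotes can
// neither terminate the literal nor the script element.
function escapeJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) =>
    '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Only absolute http(s) URLs may become links; javascript:, data: and
// protocol-relative values are rejected.
function safeHttpUrl(u) {
  if (typeof u !== 'string') return null;
  let parsed;
  try { parsed = new URL(u); } catch { return null; }
  return parsed.protocol === 'http:' || parsed.protocol === 'https:' ? parsed.href : null;
}

// (1) Third-party content as data: parse, whitelist fields, bound sizes,
// escape. Nothing the remote host returns can execute in the admin page.
function renderThirdPartyNews(feedBody) {
  let feed;
  try { feed = JSON.parse(feedBody); } catch { return ''; }
  if (!Array.isArray(feed)) return '';
  const items = [];
  for (const entry of feed.slice(0, MAX_ITEMS)) {
    if (!entry || typeof entry.title !== 'string') continue;
    const title = escapeHtml(entry.title.slice(0, MAX_LEN));
    const url = safeHttpUrl(entry.url);
    items.push(url ? `<li><a href="${escapeHtml(url)}">${title}</a></li>` : `<li>${title}</li>`);
  }
  return items.length ? `<ul>${items.join('')}</ul>` : '';
}

// (2) Front-page template. bbname is a setting that an administrator (or
// script running as the administrator) can change in the back end, so it is
// treated as hostile at each output point: HTML text and inline JS string.
function renderFrontPageUnsafe(bbname) {
  return `<title>${bbname}</title><script>var bbname = "${bbname}";</script>`;
}
function renderFrontPage(bbname) {
  return `<title>${escapeHtml(bbname)}</title>` +
    `<script>var bbname = "${escapeJsString(bbname)}";</script>`;
}

// Constructed samples: a feed from a hijacked host, and a defacement payload
// stored as the forum name through the back end.
const HOSTILE_FEED = JSON.stringify([
  { title: 'Discuz! 5.5 released', url: 'http://customer.example.net/5.5' },
  { title: '<script>alert(document.cookie)</script>', url: 'javascript:alert(1)' },
]);
const STORED_PAYLOAD =
  '</title><script>function init(){document.write("Hacked by ring04h, just for fun!");}window.onload=init;</script>';

console.log(renderThirdPartyNews(HOSTILE_FEED));
console.log(renderFrontPageUnsafe(STORED_PAYLOAD)); // payload executes on the front page
console.log(renderFrontPage(STORED_PAYLOAD));       // payload rendered as inert text
```

The important design choice is that there is no single "filter" function: the same stored value needs a different encoder for HTML text than for a JavaScript string literal, and a URL needs a scheme check rather than an encoder at all. Whatever the third-party host is compromised into returning, the worst outcome is an ugly news list, not code running as the administrator.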
Let's summarize the attack process:

1. ring04h gains control of customer.discuz.net [whether by domain-name hijacking or some other method is beside the point here :)]
2. He constructs his own JS [it uses Ajax, combined with the unfiltered-output problem above, to modify the home page]
3. He waits for an administrator to log in to the back end, where the constructed JS executes
A few thoughts:

1. What if the dz code did not use Third Party Content directly, or filtered the Third Party Content it does use?
2. What if customer.discuz.net were secure enough?
3. What if all input and output variables were strictly filtered?
Point 2 is too hard. It also comes down to the cost and profit of an attack. If the attacker is driven by commercial interest, then even if hacking your third-party content host costs more, it is still worth it, because once he succeeds he controls every one of your customers at once.. [I expect the upgrade hosts of major vendors to become hacker targets in the future]

As for point 3, many programmers simply do not know how to filter variables, especially on output.

So for developers, is point 1 the most convenient and effective method? Even so, we also need to pay attention to cultivating programmers' security awareness.

Asides:

1. Why did so many sodb vulnerabilities go unnoticed this time?
2. dz's competitors did not miss this opportunity, but they did not realize that their own program hosts have exactly the same problem: [while enjoying the show, think about your own situation!]
3. The human-flesh search (crowd-sourced doxxing) on ring04h: http://18dao.jamesqi.com/index.php?Title=Ring04h%E5%9F%9F%E5%90%8D&variant=zh-tw

Finally, I would like to thank ring04h for providing us with such a good example and for sharing his demonstration of the testing process. thx.
