Description
The following template pages exist in all versions of Discuz!:
/templates/default/attachpay.htm
/templates/default/ec_rate.htm
/templates/default/register.htm
Each of these pages contains code that outputs $referer: <input type="hidden" name="referer" value="$referer" />
When $referer contains malicious code, these pages, and the PHP pages that include them, are vulnerable to cross-site scripting (XSS).
Discuz! 7.X
Discuz! 6.X
Discuz! 5.X
Discuz!NT 3.X
Other versions may also be affected. Any web application that assigns a value to referer and then outputs it unescaped has the same weakness.
Awaiting an official patch.
Details
Taking register.htm as an example:
A visitor opens some URL and then clicks the "Register" button. That URL is assigned to $referer, and register.htm outputs $referer, so the registration page register.php the user opens also contains the $referer value.
Therefore, regardless of whether that URL is a dynamic or a static page, and regardless of whether it has an XSS vulnerability of its own, as long as the URL can carry cross-site script, XSS can occur.
The attacker constructs a URL containing special code. Taking Discuz! 7.0 as an example: http://www.example.com/viewthread.php?tid=<script>alert(/liscker/);</script>. The user visits that URL and then clicks the "Register" button to reach register.php; at that point the cross-site script is executed.
attachpay.htm and ec_rate.htm work on the same principle as register.htm.

Seebug ID: SSV:19341 (https://www.seebug.org/vuldb/ssvid-19341)
Title: Discuz! "$referer" output value cross-site scripting vulnerability
Published: 2010-03-25
Reporter: Root
Status: poc, details
CVSS: none assigned
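As an added example, not Discuz!'s own code or any official patch, the PHP below shows the two defences a maintainer would apply to the template line quoted in the description: validate the candidate referer down to a same-site path and query, and HTML-escape it at the point where it is written into the hidden input. The function names, the $site_host parameter, the fallback value and the sample inputs (one modelled on the advisory's PoC URL) are assumptions constructed for this example.

```php
<?php
// Added example (not Discuz! code): derive a referer value that is safe to
// embed in the hidden <input name="referer"> shown in the advisory.
//
// Two independent defences:
//   1. validate the candidate so only a same-site path (+ query) is accepted;
//      the advisory's PoC depends on an attacker-chosen URL reaching $referer.
//   2. HTML-escape at the output point, so even a value that slips through
//      validation cannot break out of the value="..." attribute.
// $site_host is assumed to be the forum's own hostname (placeholder value below).

function safe_referer(?string $candidate, string $site_host, string $fallback = 'index.php'): string
{
    if ($candidate === null || $candidate === '') {
        return $fallback;
    }
    // Reject anything that does not parse as a URL at all.
    $parts = parse_url($candidate);
    if ($parts === false) {
        return $fallback;
    }
    // Only http(s) on our own host, or a scheme-less relative path, is accepted.
    if (isset($parts['scheme']) && !in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return $fallback;
    }
    if (isset($parts['host']) && strcasecmp($parts['host'], $site_host) !== 0) {
        return $fallback;
    }
    // Keep only path + query; drop user info, port, fragment and the host itself.
    $path = $parts['path'] ?? '/';
    if ($path === '' || $path[0] !== '/') {
        $path = '/' . $path;
    }
    $referer = $path;
    if (isset($parts['query']) && $parts['query'] !== '') {
        $referer .= '?' . $parts['query'];
    }
    // Allow-list the characters a forum URL legitimately needs. Anything else
    // (<, >, quotes, backslash, control characters, ...) triggers the fallback.
    if (!preg_match('#\A[A-Za-z0-9/._~:?&=%+\-]*\z#', $referer)) {
        return $fallback;
    }
    return $referer;
}

function referer_input_html(string $referer): string
{
    // Output-time escaping: the actual fix for the template line in the advisory.
    return '<input type="hidden" name="referer" value="'
        . htmlspecialchars($referer, ENT_QUOTES, 'UTF-8') . '" />';
}

// Constructed sample inputs; the first mirrors the advisory's PoC URL.
$samples = [
    'http://www.example.com/viewthread.php?tid=<script>alert(/liscker/);</script>',
    'http://www.example.com/viewthread.php?tid=12345',
    'http://evil.example.net/forum.php',
    'javascript:alert(1)',
    '/forumdisplay.php?fid=2',
];
foreach ($samples as $candidate) {
    $referer = safe_referer($candidate, 'www.example.com');
    echo $candidate, "\n  validated -> ", $referer,
         "\n  rendered  -> ", referer_input_html($referer), "\n";
}
```

Running the script shows the PoC-style URL, the foreign host and the javascript: URL all collapse to the fallback, while the two same-site inputs survive as plain paths; the rendered input is escaped in every case, so the two layers do not depend on each other.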