PHPOK过滤不当存在储存型xss漏洞

2015-01-16T00:00:00
ID SSV:94632
Type seebug
Reporter Root
Modified 2015-01-16T00:00:00

Description

简要描述:

论坛bbs发帖那里。 版本:phpok4.2.100

详细说明:

init.php

function safe_html($info) { if(!$info) { return false; } $tmp = "/<([a-zA-Z0-9]+)(.*)(on[abort|beforeonload|blur|change|click|contextmenu|dblclick|drag|dragend|dragenter|dragleave|dragstart|drop|error|focus|keydown|keypress|keyup|load|message|mousedown|mousemove|mouseover|mouseout|mouseup|mousewheel|reset|resize|scroll|select|submit|unload]+)=(.+)>/isU"; $info = preg_replace($tmp,"<\\1\\2\\4>",$info); //$info = preg_replace("/<([a-zA-Z0-9]+)(.*)([onabort|onbeforeonload|onblur|onchange|onclick|oncontextmenu|ondblclick|ondrag|ondragend|ondragenter|ondragleave|ondragover|ondragstart|ondrop|onerror|onfocus|onkeydown|onkeypress|onkeyup|onload|onmessage|onmousedown|onmousemove|onmouseover|onmouseout|onmouseup|onmousewheel|onreset|onresize|onscroll|onselect|onsubmit|onunload]+)\s*=\s*(.+)>/isU","<\\1\\3>",$info); $tmp = array("/<script(.*)<\/script>/isU","/<frame(.*)>/isU","/<\/fram(.*)>/isU","/<iframe(.*)>/isU","/<\/ifram(.*)>/isU","/<style(.*)<\/style>/isU","/<link(.*)>/isU","/<\/link>/isU"); $info = preg_replace($tmp,'',$info); $array = array("src='".$this->url,'src="'.$this->url,"src=".$this->url); $new = array("src='",'src="',"src="); $info = str_replace($array,$new,$info); return $info; }

虽然过滤了所有的Events 但是没考虑<img>标签的src 属性支持javascript指令 过程验证:

<img src="https://images.seebug.org/upload/201501/141537251a9b4d548467df5697937957349d288a.png" alt="QQ截图20150114153659.png" width="600" onerror="javascript:errimg(this);">

<img src="https://images.seebug.org/upload/201501/14153803257b92a375e45630bcf42067eeb6884d.png" alt="QQ截图20150114153746.png" width="600" onerror="javascript:errimg(this);">

发表以后

<img src="https://images.seebug.org/upload/201501/141538581d67695782692a4e945cb10c495b0f53.png" alt="QQ截图20150114153847.png" width="600" onerror="javascript:errimg(this);">

漏洞证明:

<img src="https://images.seebug.org/upload/201501/141538581d67695782692a4e945cb10c495b0f53.png" alt="QQ截图20150114153847.png" width="600" onerror="javascript:errimg(this);">