Вход

View Full Version : Xss - обход фильтра тегов Php-nuke


Soniks
16.12.2005, 23:01
Продукт: PHP-NUKE

Версия: 7.9 и ниже

Затронуты файлы: mainfile.php

Описание: Имеющийся по стандарту фильтр входящего POST и GET запросов обрабатывает, работает не корректно, и имеется возможность все-таки внедрить вредоносный html код и применить XSS атаку.

Устранение:
Открываем mainfile.php
Находим:

foreach ($_GET as $sec_key => $secvalue) {
if ((eregi("<[^>]*script*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*object*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*iframe*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*applet*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*meta*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*style*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*form*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*img*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*onmouseover*\"?[^>]*>", $secvalue)) ||
(eregi("\([^>]*\"?[^)]*\)", $secvalue)) ||
(eregi("\"", $secvalue)) ||
(eregi("forum_admin", $sec_key)) ||
(eregi("inside_mod", $sec_key))) {
die ("<center><img src=images/logo.gif><br><br><b>The html tags you attempted to use are not allowed</b><br><br>[ <a href=\"javascript:history.go(-1)\"><b>Go Back</b></a> ]");
}
}
foreach ($_POST as $secvalue) {
if ((eregi("<[^>]*onmouseover*\"?[^>]*>", $secvalue)) || (eregi("<[^>]script*\"?[^>]*>", $secvalue)) || (eregi("<[^>]style*\"?[^>]*>", $secvalue))) {
die ("<center><img src=images/logo.gif><br><br><b>The html tags you attempted to use are not allowed</b><br><br>[ <a href=\"javascript:history.go(-1)\"><b>Go Back</b></a> ]");
}
}

И заменяем на:

foreach ($_GET as $sec_key => $secvalue) {
if((eregi("<[^>]*script*\"?[^>]*", $secvalue)) ||
(eregi("<[^>]*object*\"?[^>]*", $secvalue)) ||
(eregi("<[^>]*iframe*\"?[^>]*", $secvalue)) ||
(eregi("<[^>]*applet*\"?[^>]*", $secvalue)) ||
(eregi("<[^>]*meta*\"?[^>]*", $secvalue)) ||
(eregi("<[^>]*style*\"?[^>]*", $secvalue)) ||
(eregi("<[^>]*form*\"?[^>]*", $secvalue)) ||
(eregi("<[^>]*img*\"?[^>]*", $secvalue)) ||
(eregi("<[^>]*onmouseover *\"?[^>]*", $secvalue)) ||
(eregi("<[^>]*body *\"?[^>]*", $secvalue)) ||
(eregi("\([^>]*\"?[^)]*\)", $secvalue)) ||
(eregi("\"", $secvalue)) ||
(eregi("forum_admin", $sec_key)) ||
(eregi("inside_mod", $sec_key)))
{
die ("<center><img src=images/logo.gif><br><br><b>The html tags you attempted to use are not allowed</b><br><br>[ <a href=\"javascript:history.go(-1)\"><b>Go Back</b></a> ]");
}
}
foreach ($_POST as $secvalue) {
if ((eregi("<[^>]*iframe*\"?[^>]*", $secvalue)) ||
(eregi("<[^>]*object*\"?[^>]*", $secvalue)) ||
(eregi("<[^>]*applet*\"?[^>]*", $secvalue)) ||
(eregi("<[^>]*meta*\"?[^>]*", $secvalue)) ||
(eregi("<[^>]*form*\"?[^>]*", $secvalue)) ||
(eregi("<[^>]*img*\"?[^>]*", $secvalue)) ||
(eregi("<[^>]*onmouseover*\"?[^>]*", $secvalue)) ||
(eregi("<[^>]script*\"?[^>]*", $secvalue)) ||
(eregi("<[^>]*body*\"?[^>]*", $secvalue)) ||
(eregi("<[^>]style*\"?[^>]*", $secvalue)))
{
die ("<center><img src=images/logo.gif><br><br><b>The html tags you attempted to use are not allowed</b><br><br>[ <a href=\"javascript:history.go(-1)\"><b>Go Back</b></a> ]");
}
}