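Vulnerability Details
RXGoogle.CGI Cross-Site Scripting Vulnerability
Vulnerability Summary
Rxgoogle.cgi has a cross-site scripting (XSS) vulnerability. A remote attacker can use the query parameter to execute arbitrary script as another user.
Vulnerability Advisory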
The following patch has been submitted by a third party and is untested: ----START --- rxgoogle.cgi 2004-02-04 14:20:38.000000000 -0500 +++ test 2004-02-04 14:27:29.000000000 -0500 
@@ -197,7 +197,13 @@ my $req = new HTTP::Request GET => "$url"; my $res = $ua->request($req); if ($res->is_success) { $page_returned = $res->content; } return $page_returned;} -sub parse{my (@pairs, %in);my (@pairs, %in);my ($buffer, $pair, $name, $value);if ($ENV{'REQUEST_METHOD'} eq 'GET') {@pairs = split(/&/, $ENV{'QUERY_STRING'});}elsif($ENV{'REQUEST_METHOD'} eq 'POST') {read(STDIN, $buffer, $ENV{'CONTENT_LENGTH'});@pairs = split(/&/, $buffer);}PAIR: foreach $pair (@pairs) {($name, $value) = split(/=/, $pair);$name =~ tr/+/ /;$name =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;$value =~ tr/+/ /;$value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;($value eq "---") and next PAIR;exists $in{$name} ? ($in{$name} .= "~~$value") : ($in{$name} = $value);}return %in;} + +# This parsing routine poorly sanitized user-input, thus allowing injection +# of metametachars, such as ''. I have patched the problem now, by +# filtering input quite well now. +# +# -Shaun2k2 +sub parse{$OK_CHARS='-a-zA-Z0-9_.@'; my (@pairs, %in);my (@pairs, %in);my ($buffer, $pair, $name, $value);if ($ENV{'REQUEST_METHOD'} eq 'GET') {@pairs = split(/&/, $ENV{'QUERY_STRING'});}elsif($ENV{'REQUEST_METHOD'} eq 'POST') {read(STDIN, $buffer, $ENV{'CONTENT_LENGTH'});@pairs = split(/&/, $buffer);}PAIR: foreach $pair (@pairs) {($name, $value) = split(/=/, $pair);$name =~ tr/+/ /;$name =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;$name =~ s/[^$OK_CHARS]/_/go;$value =~ tr/+/ /;$value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;$value =~ s/[^$OK_CHARS]/_/go;($value eq "---") and next PAIR;exists $in{$name} ? 
($in{$name} .= "~~$value") : ($in{$name} = $value);}return %in;} sub html_navbar{my ($maxhits,$current,$numhits,$url)=0;my ($html, $nh, $prev_hit, $next_hit, $left, $right, $first, $last, $lower, $upper)="";$maxhits =shift; $numhits =shift; $current =shift; $url =shift; $nh=int($current/$maxhits)+1; $prev_hit=$nh-1; $next_hit=$nh+1; if (($current + $maxhits) >= $numhits) {$next_hit=0;}if ($numhits > $maxhits) { $left = $nh; $right = int($numhits/$maxhits) - $nh; ($left > 7) ? ($lower = $left - 7) : ($lower = 1); ($right > 7) ? ($upper = $nh + 7) : ($upper = int($numhits/$maxhits) + 1); (7 - $nh >= 0) and ($upper = $upper + (8 - $nh)); ($nh > ($numhits/$maxhits - 7)) and ($lower = $lower - ($nh - int($numhits/$maxhits - 7) - 1)); $html = ""; ($nh > 1) and ($html .= qq~[previous] ~); for ($i = 1; $i $upper) { $html .= " ... "; last; } ($i == $nh) ? ($html .= qq~$i ~) : ($html .= qq~$i ~); (($i * $maxhits) >= $numhits) and last; }if ($next_hit) { $html .= qq~[next] ~ unless ($nh == $i); } }return $html;} 1; @@ -224,4 +230,4 @@ print WRITEIT "$site\n"; close(WRITEIT); } - \ No newline at end of file + ---END Apply the patch as below: $ patch rxgoogle.cgi rxgoogle-xss.patch
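Review bot: In the patched `parse`, the whitelist `$OK_CHARS='-a-zA-Z0-9_.@'` has no space in it, so the `+` characters that `$value =~ tr/+/ /` has just turned into spaces are immediately rewritten to `_` by `$value =~ s/[^$OK_CHARS]/_/go`, and any multi-word value reaches the rest of the script as a single underscore-joined token. The same substitution also discards every other character outside the class (quotes, non-ASCII letters, and so on) for every parameter, not only the one that is echoed back. I would keep `parse` lossless and HTML-encode the value at the point where it is written into the page, which is not part of this hunk; if the filter stays here, at least allow the space. Two smaller points: `$OK_CHARS` is assigned without `my`, so it becomes a package global, and the duplicated `my (@pairs, %in);` from the old routine is carried over unchanged. The patch is stated to be untested, so the filter's effect on ordinary multi-word input should be checked before it is applied.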
References
- Source: BUGTRAQ. Name: 20040204 rxgoogle.cgi XSS Vulnerability. Link: http://marc.theaimsgroup.com/?l=bugtraq&m=107594183924958&w=2
- Source: XF. Name: rxgoogle-query-xss(15043). Link: http://xforce.iss.net/xforce/xfdb/15043
- Source: BID. Name: 9575. Link: http://www.securityfocus.com/bid/9575
Affected Entities
- Rxgoogle.Cgi Rxgoogle.Cgi:1.0
Patch
None available