/member/index/login.html in YzmCMS v7.0 and below allows redirection to an arbitrary URL by constructing the referer= parameter.

Opened this issue 2024-01-17 10:20

Vulnerability parameters
Environment: download https://github.com/yzmcms/yzmcms and perform the installation.
Vulnerability path: /member/index/login.html
Vulnerability parameter: ?referer=http%3A%2F%2Fwww.google.com%2F
The referer can be any website, so an attacker can use it to redirect the user to an arbitrary URL.

Vulnerability reproduction
The victim visits http://127.0.0.1/member/index/login.html?referer=http%3A%2F%2Fwww.google.com%2F
When the user logs in, the browser is redirected directly to the constructed website.
Vulnerability impact

  1. Malicious redirection: attackers can use the vulnerability to construct specific URLs that direct users to malicious sites. This may involve phishing, malware distribution, or other malicious activity.
  2. Social engineering: an attacker may use the redirect to masquerade as a legitimate site and trick users into providing sensitive information such as usernames, passwords, or credit card details.
  3. Page hijacking: attackers can use the redirect to hijack the page flow, display false information or malicious content, and deceive users.
  4. Malware propagation: malicious sites reached through the redirect may spread malware and infect users' devices.
  5. SEO manipulation: attackers may try to influence search engine results through the redirect to improve their site's ranking or to trick search engine algorithms.
  6. Brand damage: if an attacker successfully masquerades as a legitimate site and conducts malicious activity, it could result in a loss of trust in the victim company or brand.
  7. Legal liability: if the vulnerability leads to the disclosure of user data or other security issues, the company may face legal liability, including violations of data protection regulations.
Code analysis
There is unvalidated user input at line 233: a malicious $referer value, such as $referer = 'http://www.google.com', can be supplied when the url_referer function is called, and it is placed into the redirect target unchanged.

Repair recommendations
To fix the vulnerability and improve the security of the code, here are some suggestions and an example of a code fix:
User input validation and processing:
User input should be validated and filtered before it is used, to prevent potential security breaches. Here, $referer should be verified to make sure it is a legitimate URL before it is used as a redirect target.
/**
 * Member login/logout jump URL
 * @param int $is_login 1 = login, 0 = logout
 * @param string $referer URL of the referring page
 * @return string the generated jump URL
 */
function url_referer($is_login = 1, $referer = ''){
  // Validate and filter user input instead of using $referer as supplied
  $referer = $referer ? validate_and_filter_url($referer) : validate_and_filter_url(get_url());
  $url = $is_login ? U('member/index/login') : U('member/index/logout');
  if(URL_MODEL) return $url.'?referer='.$referer;
  return $url.'&referer='.$referer;
}

// New function to validate and filter the URL
function validate_and_filter_url($url) {
  // Do proper validation and filtering here to make sure that $url is a legitimate URL.
  // For example, filter_var can be used. Note that FILTER_VALIDATE_URL only checks that
  // the value is syntactically a URL; it does not restrict which host it points to,
  // so an additional check of the target host is still needed to stop off-site redirects.
  return filter_var($url, FILTER_VALIDATE_URL) ? urlencode($url) : '';
}
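The recommendation above checks only that $referer is a well-formed URL. As an added example (not YzmCMS code), the following helper also restricts the redirect target to a relative path or to the site's own host; SITE_HOST and safe_referer are hypothetical names used here for illustration.

```php
<?php
// Added example, not part of YzmCMS. SITE_HOST is a placeholder for the
// site's configured host name.
const SITE_HOST = 'www.example.com';

/**
 * Return a redirect target that stays on this site, or $default if
 * $referer points anywhere else (other host, other scheme, or malformed).
 */
function safe_referer(string $referer, string $default = '/'): string
{
    $referer = trim($referer);
    if ($referer === '') {
        return $default;
    }
    // Reject protocol-relative targets such as "//evil.example" and the
    // "/\" variant, which browsers normalise to a different host.
    if (preg_match('#^[\\\\/]{2}#', $referer)) {
        return $default;
    }
    $parts = parse_url($referer);
    if ($parts === false) {
        return $default;
    }
    // A plain relative path (no scheme, no host) is always on this site.
    if (!isset($parts['scheme']) && !isset($parts['host'])) {
        return $referer[0] === '/' ? $referer : '/' . $referer;
    }
    // Absolute URL: allow only http(s), and only our own host. This also
    // rejects "javascript:" targets and "http://site@evil.example" tricks,
    // because parse_url reports the real host in $parts['host'].
    $scheme = strtolower($parts['scheme'] ?? '');
    if (!in_array($scheme, ['http', 'https'], true)) {
        return $default;
    }
    if (strtolower($parts['host'] ?? '') !== strtolower(SITE_HOST)) {
        return $default;
    }
    return $referer;
}

// Constructed usage, as it would be called from the login handler:
$target = safe_referer($_GET['referer'] ?? '', '/member/index/index.html');
header('Location: ' . $target);
```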
