Typecho latest version: URL redirect (open redirect) vulnerability after login
Code: admin > Login.php
public function action()
{
    // protect
    $this->security->protect();

    /** if already logged in */
    if ($this->user->hasLogin()) {
        /** return directly */
        $this->response->redirect($this->options->index);
    }
    // ... remainder of action() not quoted in this report
}
Typecho first checks whether the user is already logged in. If so, it directly calls redirect() to send the user to the home page; this redirect only serves to handle an already-authenticated user.
If the user is not logged in, their credentials are verified first. Then, if the referer address is not empty, redirect() is called with the referer as its target, and this referer parameter is controllable by the client.
Following redirect(): the function takes two parameters, and by default the redirect is not permanent.
Once the referer address has been passed into redirect(), it first calls the static method Typecho_Common::safeUrl() to check the URL, and finally uses the state of isPermanently to decide between a permanent and a temporary redirect.
Inside safeUrl(), str_replace() removes every character listed in the array() from the string (replacing each with the empty string), and parse_url() then splits the referer address into scheme, host, port, path and so on, returning an array into the $params variable.
Next it checks whether a scheme is present: if the source address is not an http or https URL, it simply returns the path "/".
1. What are the steps to reproduce the issue?
Following up into /var/Typecho/Common.php:
After formatting, the URL components are recombined and the result is returned.
PoC:
Before login: (screenshot)
Redirect after login: (screenshot)
Response: (screenshot)
2. What result did you expect, and what did you actually see?
1. Typecho first checks the user's login state.
2. If the user is already logged in, it returns them to the home page.
3. If the user is not logged in, it first checks whether the account name and password are correct, then checks whether the referer source is empty.
4. If the referer is not empty, redirect() is called to perform the redirect. The location parameter is controllable, since it is the referer of the user's request, so a malicious attacker can use the post-login redirect to lure the user to a malicious phishing page. Trust can be raised further by registering a similar-looking domain: install Typecho on the registered domain, redirect the user to the login address on that domain, and then read the local login log to obtain other administrators' account names and passwords.
5. redirect() > Typecho_Common::safeUrl() filters the referer parameter and checks that the scheme is http/https.
6. redirect() > self::buildUrl() recombines the URL from the parse_url() result.
7. redirect() performs a 301/302 redirect depending on the isPermanently parameter.
Proposed fix:
1. After login, verify that the referer address belongs to the site's own domain.
2. Only allow redirects within the site's own domain.
3. Environment in which the problem occurs
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.3.10, Copyright (c) 1998-2018 Zend Technologies
with Zend OPcache v7.3.10-1+b1, Copyright (c) 1999-2018, by Zend Technologies