반응형

ref

배경

  • phpMyFAQ - Open Source FAQ web application for PHP 7+ and MySQL, PostgreSQL and other databases
  • phpMyFAQ 는 사용자를 대상으로 하는 FAQ 어플리케이션이다.
  • sprintf 로 화면에 표시할때 태그를 포함한 데이터를 입력 가능하다.

분석

//phpmyfaq/ajaxservice.php
->setType($type)
->setUsername($username)
->setEmail($mailer)
**->setComment(nl2br($comment))**
->setDate($_SERVER['REQUEST_TIME']);
  • 화면에 표시되는 코드는 다음과 같다.
//phpmyfaq/src/phpMyFAQ/Comments.php
						$output .= sprintf(
                '<strong><a href="mailto:%s">%s</a></strong>',
                $mail->safeEmail($item->getEmail()),
                $item->getUsername()
            );
            $output .= sprintf(' <span class="text-muted">(%s)</span>', $date->format($item->getDate()));
            $output .= '     </div>';위의ㅇㅇㅇㅇ
  • 위의 코드는 strip_tags를 이용하여 태그를 제거하는 방식으로 수정되었다.
//phpmyfaq/ajaxservice.php
->setType($type)
->setUsername($username)
->setEmail($mailer)
**->setComment(nl2br(strip_tags($comment)))**
->setDate($_SERVER['REQUEST_TIME']);
  • Strings::htmlentities 는 적용가능한 모든 html을 entity로 변환한다.
						$output .= sprintf(
                '<strong><a href="mailto:%s">%s</a></strong>',
                $mail->safeEmail($item->getEmail()),
                Strings::htmlentities($item->getUsername())
            );
            $output .= sprintf(' <span class="text-muted">(%s)</span>', $date->format($item->getDate()));
            $output .= '     </div>';


<?php
$str = "A 'quote' is <b>bold</b>";

// 출력: A 'quote' is &lt;b&gt;bold&lt;/b&gt;
echo htmlentities($str);

// 출력: A &#039;quote&#039; is &lt;b&gt;bold&lt;/b&gt;
echo htmlentities($str, ENT_QUOTES);
?>
  • sprintf를 사용하여 데이터를 저장 후 변수로 전달한다면 그 전에 화면에 표현이 되는 데이터에 대해 어떤 데이터를 허용할지 검토를 해야한다.

테스트

  • 테스트 환경 phpMyFAQ 3.1.11 설치하고 초기 설정을 완료 한다.
  • FaQ입력 창에 html 태그를 입력한다.

  • html이 적용되어 화면에 보인다.

패치 방법

  • 패치 제공 phpMyFAQ ≥ 3.1.12 이상을 설치한다.
반응형

'Hacking > CVE Report' 카테고리의 다른 글

[CVE-2020-8772] InfiniteWP Client < 1.9.4.5  (2) 2023.10.20
[CVE-2022-47607]Usersnap <= 4.16 - Authenticated (Admin+) Stored Cross Site Scripting  (0) 2023.03.31
[CVE-2023-1308] Online Graduate Tracer System sql injection  (0) 2023.03.18
[CVE-2023-24657] pipipam v1.5 reflected cross-site scripting (XSS)  (0) 2023.03.16
[CVE-2023-27985] RCE using bad deserialization in builderio/qwik  (0) 2023.03.14
반응형
datetime subject id link
2023-04-18 00:00:21.949027 (PHP) CVE-2023-1948 https://cve.report/CVE-2023-1948
2023-04-18 00:00:21.950985 (XSS) CVE-2023-28993 https://cve.report/CVE-2023-28993
2023-04-18 00:00:21.952440 (XSS) CVE-2023-25024 https://cve.report/CVE-2023-25024
2023-04-18 00:00:21.953851 (XSS) CVE-2023-25023 https://cve.report/CVE-2023-25023
2023-04-18 00:00:21.956604 (Execute Arbitrary code) CVE-2023-30770 https://cve.report/CVE-2023-30770
2023-04-18 00:00:22.035140 (XSS) CVE-2023-29508 https://cve.report/CVE-2023-29508
2023-04-18 00:00:22.040595 (Remote Code Execution) CVE-2023-29207 https://cve.report/CVE-2023-29207
2023-04-18 00:00:22.042497 (XSS) CVE-2023-29205 https://cve.report/CVE-2023-29205
2023-04-18 00:00:22.050820 (Remote Code Execution, XSS) CVE-2023-29202 https://cve.report/CVE-2023-29202
2023-04-18 00:00:22.052993 (SQL injection) CVE-2023-27610 https://cve.report/CVE-2023-27610
2023-04-18 00:00:22.054392 (Grafana) CVE-2023-24831 https://cve.report/CVE-2023-24831
2023-04-18 00:00:22.056825 (GitHub, XSS) CVE-2023-2109 https://cve.report/CVE-2023-2109
2023-04-18 00:00:22.058587 (SQL injection, Critical) CVE-2023-2107 https://cve.report/CVE-2023-2107
2023-04-18 00:00:22.060009 (GitHub) CVE-2023-2106 https://cve.report/CVE-2023-2106
2023-04-18 00:00:22.061365 (GitHub) CVE-2023-2105 https://cve.report/CVE-2023-2105
2023-04-18 00:00:22.133016 (GitHub) CVE-2023-2104 https://cve.report/CVE-2023-2104
2023-04-18 00:00:22.134441 (GitHub, XSS) CVE-2023-2103 https://cve.report/CVE-2023-2103
2023-04-18 00:00:22.136093 (GitHub, XSS) CVE-2023-2102 https://cve.report/CVE-2023-2102
2023-04-18 00:00:22.137516 (Path Traversal) CVE-2023-2101 https://cve.report/CVE-2023-2101
2023-04-18 00:00:22.142297 (Command Injection, Critical) CVE-2023-2091 https://cve.report/CVE-2023-2091
2023-04-18 00:00:22.144503 (WordPress) CVE-2023-2027 https://cve.report/CVE-2023-2027
2023-04-18 00:00:22.146177 (Remote Attack, PHP, GitHub, Execute Arbitrary code) CVE-2023-2017 https://cve.report/CVE-2023-2017
2023-04-18 00:00:22.147558 (SQL injection) CVE-2023-1723 https://cve.report/CVE-2023-1723
2023-04-18 00:00:22.150701 (XSS) CVE-2022-45849 https://cve.report/CVE-2022-45849
2023-04-18 00:00:22.152311 (XSS) CVE-2022-44734 https://cve.report/CVE-2022-44734
2023-04-18 00:00:22.153782 (XSS) CVE-2022-43480 https://cve.report/CVE-2022-43480
2023-04-18 00:00:22.155183 (XSS) CVE-2022-43458 https://cve.report/CVE-2022-43458
2023-04-18 00:00:22.156570 (SQL injection) CVE-2022-43128 https://cve.report/CVE-2022-43128
2023-04-18 00:00:22.233856 (Command Injection) CVE-2022-38841 https://cve.report/CVE-2022-38841
2023-04-18 00:00:22.235320 (XXE, File Upload) CVE-2022-38840 https://cve.report/CVE-2022-38840
2023-04-18 00:00:22.237939 (XSS) CVE-2022-37306 https://cve.report/CVE-2022-37306
2023-04-18 00:00:22.240241 (Remote Code Execution, PHP) CVE-2022-34128 https://cve.report/CVE-2022-34128
2023-04-18 00:00:22.241617 (PHP) CVE-2022-34127 https://cve.report/CVE-2022-34127
2023-04-18 00:00:22.243004 (PHP) CVE-2022-34126 https://cve.report/CVE-2022-34126
2023-04-18 00:00:22.244400 (PHP) CVE-2022-34125 https://cve.report/CVE-2022-34125
2023-04-18 00:00:22.246206 (PHP, XSS) CVE-2022-28353 https://cve.report/CVE-2022-28353
2023-04-18 00:00:22.247549 (GitHub) CVE-2022-2525 https://cve.report/CVE-2022-2525
2023-04-18 03:00:18.836585 (SQL injection) CVE-2023-1873 https://cve.report/CVE-2023-1873
2023-04-18 03:00:18.838054 (XSS) CVE-2023-24182 https://cve.report/CVE-2023-24182
2023-04-18 03:00:18.839499 (Remote Code Execution) CVE-2023-23415 https://cve.report/CVE-2023-23415
2023-04-18 03:00:18.841715 (PHP, SQL injection, Critical) CVE-2023-1950 https://cve.report/CVE-2023-1950
2023-04-18 03:00:18.843228 (PHP, SQL injection, Critical) CVE-2023-1949 https://cve.report/CVE-2023-1949
2023-04-18 03:00:18.844744 (Remote Attack, SQL injection) CVE-2023-27844 https://cve.report/CVE-2023-27844
2023-04-18 03:00:18.846362 (PHP, SQL injection) CVE-2023-27733 https://cve.report/CVE-2023-27733
2023-04-18 03:00:18.847945 (WordPress, Wordpress Plugin) CVE-2023-1473 https://cve.report/CVE-2023-1473
2023-04-18 03:00:18.849578 (WordPress, Wordpress Plugin, Path Traversal) CVE-2023-1427 https://cve.report/CVE-2023-1427
2023-04-18 03:00:18.851082 (WordPress, Wordpress Plugin) CVE-2023-1413 https://cve.report/CVE-2023-1413
2023-04-18 03:00:18.852581 (WordPress, Wordpress Plugin) CVE-2023-1373 https://cve.report/CVE-2023-1373
2023-04-18 03:00:18.854380 (WordPress, Wordpress Plugin) CVE-2023-1371 https://cve.report/CVE-2023-1371
2023-04-18 03:00:18.855887 (WordPress, Wordpress Plugin) CVE-2023-1331 https://cve.report/CVE-2023-1331
2023-04-18 03:00:18.857341 (WordPress, Wordpress Plugin) CVE-2023-1325 https://cve.report/CVE-2023-1325
2023-04-18 03:00:18.858854 (WordPress, Wordpress Plugin, File Upload) CVE-2023-1282 https://cve.report/CVE-2023-1282
2023-04-18 03:00:18.860335 (WordPress, Wordpress Plugin) CVE-2023-1274 https://cve.report/CVE-2023-1274
2023-04-18 03:00:18.862038 (WordPress, Wordpress Plugin) CVE-2023-0889 https://cve.report/CVE-2023-0889
2023-04-18 03:00:18.863540 (WordPress, SQL injection, Wordpress Plugin) CVE-2023-0765 https://cve.report/CVE-2023-0765
2023-04-18 03:00:18.865154 (WordPress, Wordpress Plugin) CVE-2023-0764 https://cve.report/CVE-2023-0764
2023-04-18 03:00:18.866663 (WordPress, Wordpress Plugin) CVE-2023-0374 https://cve.report/CVE-2023-0374
2023-04-18 03:00:18.868178 (WordPress, Wordpress Plugin) CVE-2023-0367 https://cve.report/CVE-2023-0367
2023-04-18 03:00:18.869664 (WordPress, SQL injection, Wordpress Plugin) CVE-2023-0277 https://cve.report/CVE-2023-0277
2023-04-18 03:00:18.871063 (XSS) CVE-2022-44726 https://cve.report/CVE-2022-44726
2023-04-18 04:00:20.533793 (Docker) CVE-2023-1802 https://cve.report/CVE-2023-1802
2023-04-18 04:00:20.535774 (PHP) CVE-2022-31888 https://cve.report/CVE-2022-31888
2023-04-18 04:00:20.537575 (PHP) CVE-2023-27179 https://cve.report/CVE-2023-27179
2023-04-18 04:00:20.539524 (Execute Arbitrary code) CVE-2023-27718 https://cve.report/CVE-2023-27718
2023-04-18 04:00:20.541863 (Remote Attack) CVE-2023-0959 https://cve.report/CVE-2023-0959
2023-04-18 04:00:20.544533 (SQL injection) CVE-2023-1522 https://cve.report/CVE-2023-1522
2023-04-18 04:00:20.546350 (Execute Arbitrary code) CVE-2023-29374 https://cve.report/CVE-2023-29374
2023-04-18 04:00:20.548471 (PHP, Critical, Code Injection) CVE-2023-1947 https://cve.report/CVE-2023-1947
2023-04-18 04:00:20.550432 (GitHub) CVE-2023-24538 https://cve.report/CVE-2023-24538
2023-04-18 04:00:20.554247 (Remote Code Execution, Apache Commons Text) CVE-2022-42889 https://cve.report/CVE-2022-42889
2023-04-18 06:00:20.652469 (Azure) CVE-2023-23382 https://cve.report/CVE-2023-23382
2023-04-18 06:00:20.655173 (Remote Code Execution, Visual Studio) CVE-2022-24512 https://cve.report/CVE-2022-24512
2023-04-18 09:00:19.767725 (Execute Arbitrary code) CVE-2022-33886 https://cve.report/CVE-2022-33886
2023-04-18 15:00:19.846918 (Path Traversal) CVE-2023-30548 https://cve.report/CVE-2023-30548
2023-04-18 15:00:19.849357 (npm) CVE-2023-30543 https://cve.report/CVE-2023-30543
2023-04-18 15:00:19.854595 (PHP) CVE-2023-29197 https://cve.report/CVE-2023-29197
2023-04-18 15:00:19.856790 (nginx, Path Traversal) CVE-2023-29004 https://cve.report/CVE-2023-29004
2023-04-18 15:00:19.859403 (Command Injection) CVE-2023-28983 https://cve.report/CVE-2023-28983
2023-04-18 15:00:19.871077 (Execute Commands) CVE-2023-28966 https://cve.report/CVE-2023-28966
2023-04-18 15:00:19.873946 (PHP) CVE-2023-28963 https://cve.report/CVE-2023-28963
2023-04-18 15:00:19.875560 (PHP) CVE-2023-28962 https://cve.report/CVE-2023-28962
2023-04-18 15:00:19.877916 (Docker, Critical) CVE-2023-28960 https://cve.report/CVE-2023-28960
2023-04-18 15:00:19.880263 (XSS, File Upload) CVE-2023-28158 https://cve.report/CVE-2023-28158
2023-04-18 15:00:19.932082 (Remote Code Execution, Remote Attack, OpenSSH) CVE-2023-25136 https://cve.report/CVE-2023-25136
2023-04-18 15:00:19.939352 (GitHub) CVE-2023-2138 https://cve.report/CVE-2023-2138
2023-04-18 15:00:19.941854 (WordPress) CVE-2023-2120 https://cve.report/CVE-2023-2120
2023-04-18 15:00:19.943787 (WordPress) CVE-2023-2119 https://cve.report/CVE-2023-2119
2023-04-18 15:00:19.947506 (Remote Attack, XSS) CVE-2022-46389 https://cve.report/CVE-2022-46389
2023-04-18 15:00:19.950854 (Remote Attack, Execute Arbitrary code) CVE-2023-29492 https://cve.report/CVE-2023-29492
2023-04-18 15:00:19.954401 (Remote Attack, PHP) CVE-2023-26774 https://cve.report/CVE-2023-26774
2023-04-18 15:00:19.956929 (PHP, SQL injection, Critical) CVE-2023-1964 https://cve.report/CVE-2023-1964
2023-04-18 15:00:19.958751 (PHP, SQL injection, Critical) CVE-2023-1963 https://cve.report/CVE-2023-1963
반응형

'Hacking > CVE List' 카테고리의 다른 글

[CVE] 2023. 04. 20. MR(Monitoring Report)  (0) 2023.04.21
[CVE] 2023. 04. 19. MR(Monitoring Report)  (0) 2023.04.20
[CVE] 2023. 04. 17. MR(Monitoring Report)  (0) 2023.04.18
[CVE] 2023. 04. 16. MR(Monitoring Report)  (0) 2023.04.17
[CVE] 2023. 04. 15. MR(Monitoring Report)  (0) 2023.04.16
반응형
datetime subject id link
2023-04-17 20:00:21.140718 (Command Injection) CVE-2023-1728 https://cve.report/CVE-2023-1728
반응형

'Hacking > CVE List' 카테고리의 다른 글

[CVE] 2023. 04. 19. MR(Monitoring Report)  (0) 2023.04.20
[CVE] 2023. 04. 18. MR(Monitoring Report)  (0) 2023.04.19
[CVE] 2023. 04. 16. MR(Monitoring Report)  (0) 2023.04.17
[CVE] 2023. 04. 15. MR(Monitoring Report)  (0) 2023.04.16
[CVE] 2023. 04. 14. MR(Monitoring Report)  (0) 2023.04.15

+ Recent posts

티스토리툴바