Foros: osCommerce FAQ (Thread #37546)

オープンリダイレクト脆弱性 (2016-02-29 16:44 by 匿名 #77734)

典型的なオープンリダイレクト脆弱性。
早めの対策を推奨。

/catalog/redirect.php
tep_redirect('http://' . $HTTP_GET_VARS['goto']);

Responder al #77734×

You can not use Wiki syntax
You are not logged in. To discriminate your posts from the rest, you need to pick a nickname. (The uniqueness of nickname is not reserved. It is possible that someone else could use the exactly same nickname. If you want assurance of your identity, you are recommended to login before posting.) Entrar

Re: オープンリダイレクト脆弱性 (2016-03-14 13:03 by 匿名 #77799)

http://crusherfactory.net/~yas_/000397.php

idとしてintだけ通すのがいいけど、元のdefault.phpへの
リダイレクト残してると(行き先は違えど)302が返ることで
試行が止まらないっぽいので、生死チェック通る行き先だけ
リダイレクト、あとは殺して200か403返すのが良さそう。

case 'url': if (isset($HTTP_GET_VARS['goto']) && is_numeric($HTTP_GET_VARS['goto'])) {
$url_query = tep_db_query("SELECT pd.products_url FROM " . TABLE_PRODUCTS_DESCRIPTION . " as pd, " . TABLE_PRODUCTS . " as p WHERE p.products_id = " . (int)$HTTP_GET_VARS['goto'] . " and p.products_status = 1 and p.products_id = pd.products_id");

$url_info = tep_db_fetch_array($url_query);

$url = $url_info['products_url'];

if (!$url) exit;

tep_redirect("http://" . $url);
} else {
//tep_redirect(tep_href_link(FILENAME_DEFAULT));
exit;
}
break;
Responder al #77734

Responder al #77799×

You can not use Wiki syntax
You are not logged in. To discriminate your posts from the rest, you need to pick a nickname. (The uniqueness of nickname is not reserved. It is possible that someone else could use the exactly same nickname. If you want assurance of your identity, you are recommended to login before posting.) Entrar