OSDN -- Develop and Download Open Source Software

Forums: osCommerce FAQ (Thread #37546)
Return to Thread list RSS

オープンリダイレクト脆弱性 (2016-02-29 16:44 by 匿名 #77734)

典型的なオープンリダイレクト脆弱性。
早めの対策を推奨。

/catalog/redirect.php
tep_redirect('http://' . $HTTP_GET_VARS['goto']);

Reply to #77734×

You can not use Wiki syntax
You are not logged in. To discriminate your posts from the rest, you need to pick a nickname. (The uniqueness of nickname is not reserved. It is possible that someone else could use the exactly same nickname. If you want assurance of your identity, you are recommended to login before posting.) Login

Re: オープンリダイレクト脆弱性 (2016-03-14 13:03 by 匿名 #77799)

http://crusherfactory.net/~yas_/000397.php

idとしてintだけ通すのがいいけど、元のdefault.phpへの
リダイレクト残してると(行き先は違えど)302が返ることで
試行が止まらないっぽいので、生死チェック通る行き先だけ
リダイレクト、あとは殺して200か403返すのが良さそう。

case 'url': if (isset($HTTP_GET_VARS['goto']) && is_numeric($HTTP_GET_VARS['goto'])) {
$url_query = tep_db_query("SELECT pd.products_url FROM " . TABLE_PRODUCTS_DESCRIPTION . " as pd, " . TABLE_PRODUCTS . " as p WHERE p.products_id = " . (int)$HTTP_GET_VARS['goto'] . " and p.products_status = 1 and p.products_id = pd.products_id");

$url_info = tep_db_fetch_array($url_query);

$url = $url_info['products_url'];

if (!$url) exit;

tep_redirect("http://" . $url);
} else {
//tep_redirect(tep_href_link(FILENAME_DEFAULT));
exit;
}
break;
Reply to #77734

Reply to #77799×

You can not use Wiki syntax
You are not logged in. To discriminate your posts from the rest, you need to pick a nickname. (The uniqueness of nickname is not reserved. It is possible that someone else could use the exactly same nickname. If you want assurance of your identity, you are recommended to login before posting.) Login