漏洞信息详情
glFusion 'private/system/lib-session.php' SQL注入漏洞
- CNNVD编号:CNNVD-200904-214
- 危害等级: 低危
- CVE编号: CVE-2009-1283
- 漏洞类型: 加密问题
- 发布时间: 2009-04-09
- 威胁类型: 远程
- 更新时间: 2009-04-10
- 厂 商: glfusion
- 漏洞来源: bookoo
漏洞简介
glFusion是一个开源的内容管理系统。
glFusion的private/system/lib-session.php模块没有正确地过滤用户所提交的glf_session cookie参数,远程攻击者可以通过向服务器提交恶意请求执行SQL注入攻击。以下是/private/system/lib-session.php的97-117行的有漏洞代码段:
...
if (isset ($_COOKIE[$_CONF[\'\' cookie_session\'\' ]])) {
$sessid = COM_applyFilter ($_COOKIE[$_CONF[\'\' cookie_session\'\' ]]);
if ($_SESS_VERBOSE) {
COM_errorLog(\" got $sessid as the session id from lib-sessions.php\" ,1);
}
$userid = SESS_getUserIdFromSession($sessid, $_CONF[\'\' session_cookie_timeout\'\' ], $_SERVER[\'\' REMOTE_ADDR\'\' ], $_CONF[\'\' cookie_ip\'\' ]);
if ($_SESS_VERBOSE) {
COM_errorLog(\" Got $userid as User ID from the session ID\" ,1);
}
if ($userid < 1) {
// Check user status
$status = SEC_checkUserStatus($userid);
if (($status == USER_ACCOUNT_ACTIVE) ||
($status == USER_ACCOUNT_AWAITING_ACTIVATION)) {
$user_logged_in = 1;
SESS_updateSessionTime($sessid, $_CONF[\'\' cookie_ip\'\' ]);
在418-436行的SESS_updateSessionTime()函数中:
...
function SESS_updateSessionTime($sessid, $md5_based=0) {
global $_TABLES;
$newtime = (string) time();
if ($md5_based == 1) {
$sql = \" UPDATE {$_TABLES[\'\' sessions\'\' ]} SET start_time=$newtime WHERE (md5_sess_id = \'\' $sessid\'\' )\" ; } else {
$sql = \" UPDATE {$_TABLES[\'\' sessions\'\' ]} SET start_time=$newtime WHERE (sess_id = $sessid)\" ; //<-------- SQL INJECTION HERE
}
$result = DB_query($sql);
return 1;
}
...
如果在通用配置中会话id不是md5()哈希(默认配置),就可以注入SQL语句。
在SESS_getUserIdFromSession()函数的查询中:
...
if ($md5_based == 1) {
$sql = \" SELECT uid FROM {$_TABLES[\'\' sessions\'\' ]} WHERE \"
. \" (md5_sess_id = \'\' $sessid\'\' ) AND (start_time < $mintime) AND (remote_ip = \'\' $remote_ip\'\' )\" ; } else {
$sql = \" SELECT uid FROM {$_TABLES[\'\' sessions\'\' ]} WHERE \"
. \" (sess_id = \'\' $sessid\'\' ) AND (start_time < $mintime) AND (remote_ip = \'\' $remote_ip\'\' )\" ; }
...
这个查询将所提供的sessid值与从会话表中的sessid值(整数)做了比较,而在比较时仅考虑了字符串的第一个整数值,因此函数返回了有效的userid。如果知道了表格中已有的sessid的话,就可以如下在cookie中注入查询:
Cookie: glf_session=12345678 [SQL HERE]; glfusion=9999999999;
漏洞公告
目前厂商已经发布了升级补丁以修复这个安全问题,补丁下载链接:
http://www.glfusion.org/filemgmt/visit.php?lid=275
参考网址
来源: www.glfusion.org
链接:http://www.glfusion.org/article.php/glfusion113
来源: MILW0RM
名称: 8347
链接:http://www.milw0rm.com/exploits/8347
来源: www.glfusion.org
链接:http://www.glfusion.org/wiki/doku.php?id=glfusion:whatsnew
来源: SECUNIA
名称: 34575
链接:http://secunia.com/advisories/34575
来源: MISC
链接:http://retrogod.altervista.org/9sg_glfuso_sql_cookies.HTML
来源: BUGTRAQ
名称: 20090403 glFusion <= 1.1.2="" com_applyfilter()/cookies="" remote="" blind="">
链接:http://marc.info/?l=bugtraq&m=123877379105028&w=2
受影响实体
- Glfusion Glfusion:1.1.1
- Glfusion Glfusion:1.1.0
- Glfusion Glfusion:1.0.0
- Glfusion Glfusion:1.0.0:Rc2
- Glfusion Glfusion:1.1.2
补丁
暂无
评论