RSS订阅发布日期:2008-01-03
更新日期:2008-01-04
受影响系统:
MyPHP.ws MyPHP Forum v3.0 (Final)
描述:
BUGTRAQ ID: 27118
MyPHP Forum是一个易于架设并且易于使用基于MySQL与PHP的论坛。
MyPHP Forum处理用户请求数据时存在输入验证漏洞,远程攻击者可能利用此漏洞执行SQL注入攻击。
MyPHP Forum的faq.php文件没有正确地验证对id参数的输入,member.php文件没有正确验证对member参数的输入,search.php文件没有正确验证对searchtext和searchuser参数的输入,允许攻击者通过注入任意SQL代码控制SQL查询。成功攻击要求禁用了magic_quotes_gpc。
faq.php文件中的漏洞代码:
//faq.php
[...]
$id = $_GET['id'];
if($action == "view" && !empty($id)) {
$result = mysql_query("SELECT * from $db_faq WHERE id='$id'") or die(mysql_error()); // <-- So miss a control :-D
$row = mysql_fetch_array($result);
$row[answer] = postify($row[answer]);
[...]
?>
member.php文件中的漏洞代码:
//member.php
[...]
if($action == "viewpro") {
$member = $HTTP_GET_VARS['member'];
$query = mysql_query("SELECT * FROM $db_member WHERE username='$member'") or die(mysql_error());
[...]
?>
search.php文件中的漏洞代码:
if($_POST['submit']) {
$searchtext = $_POST['searchtext'];
$searchuser = $_POST['searchuser'];
if(!strstr($searchtext, '"')) {
$keywords = explode(" ", $searchtext);
for($i = 0; $i < count($keywords); $i++) {
if($sqladdon != "") {
$sqladdon .= " AND p.message LIKE '%$keywords[$i]%'";
} else {
$sqladdon .= "p.message LIKE '%$keywords[$i]%'";
}
}
} else {
$phrase = trim(stripslashes(strstr($searchtext, '"')));
$quotesarr = explode('"', $phrase);
$quotes = count($quotesarr);
$phrasecount = $quotes - (count(explode('" "', $phrase)) + 1);
for($i = 0; $i < $quotes; $i++) {
if($i != 0 && $i != $quotes - 1) {
if($phraseoff != "yes") {
$phraselist .= "$quotesarr[$i]|";
$phraseoff = "yes";
} else {
$phraseoff = "no";
}
}
}
$phrasearr = explode("|", $phraselist);
$phrases = count($phrasearr) - 1;
for($i = 0; $i < $phrases; $i++) {
if($sqladdon != "") {
$sqladdon .= " AND p.message LIKE '%$phrasearr[$i]%'";
} else {
$sqladdon .= "p.message LIKE '%$phrasearr[$i]%'";
}
}
$newsearchtxt = trim(str_replace("$phrase", "", stripslashes($searchtext)));
if($newsearchtxt != "") {
$keywords = explode(" ", $newsearchtxt);
}
for($i = 0; $i < count($keywords); $i++) {
if($sqladdon != "") {
$sqladdon .= " AND p.message LIKE '%$keywords[$i]%'";
} else {
$sqladdon .= "p.message LIKE '%$keywords[$i]%'";
}
}
}
if($searchuser != "") {
if($sqladdon != "") {
$sqladdon .= " AND p.author LIKE '%$searchuser%'";
} else {
$sqladdon .= "p.author LIKE '%$searchuser%'";
}
}
if($sqladdon != "" ) {
search_header();
$ttnum = 1; // Now the Vulnerable Query =)
$query = mysql_query("SELECT t.*, f.name AS forum FROM $db_post p, $db_topic t, $db_forum f WHERE $sqladdon AND t.tid=p.tid AND f.fid=t.fid") or die(mysql_error());
MyPHP.ws:
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:http://www.myphp.ws/
相关文章
[错误报告] [推荐] [收藏] [打印] [关闭] [返回顶部]
已有