BUGTRAQ ID: 34187
CVE(CAN) ID: CVE-2009-1050,CVE-2009-1049
Bloginator是一套PHP脚本,允许用户在网站上显示、添加、编辑和删除文章。
Bloginator没有正确地验证认证cookie,远程攻击者可以通过修改identifyYourself cookie参数绕过安全限制获得非授权访问。以下是有漏洞的代码段:
[URL] www.site.com/bloginator/articleCall.php
global $name,$password,$returnLink;
$p_name = strip_tags(substr($_POST[\'name\'],0,32));
$p_password = strip_tags(substr($_POST[\'password\'],0,32));
if(crypt($p_name , $name) == $name and crypt($p_password,$password) == $password )
{
setcookie(\"identifyYourself\",\"you are identified\");
print \"Login successfull<br>\";
print $returnLink;
}
else {print \"Wrong username or password\";
}
}
Bloginator的articleCall.php模块没有正确的验证对id参数所传送的输入参数,远程攻击者可以通过提交恶意查询请求执行SQL注入攻击。以下是有漏洞的代码段:
[URL] www.site.com/bloginator/articleCall.php
$action = @$_GET[\'action\'];
[...]
$id = $_GET[\'id\'];
[...]
function editArticle($id,$message)
{
global $returnLink;
$query = \"select * FROM articles WHERE id=\'$id\'\";
$sql = mysql_query($query) or die(mysql_query());
$title = mysql_result($sql,0,\'title\');
$title = htmlentities($title);
$article = mysql_result($sql,0,\'article\');
$article = htmlentities($article);
$link = mysql_result($sql,0,\'link\');
$link = htmlentities($link);
startHTML(\"Edit ID # \".$id);
?>
kamAds.com Bloginator 1A
厂商补丁:
kamAds.com
----------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
<a href=http://kamads.com/kamads_ads/bloginator.php target=_blank rel=external nofollow>http://kamads.com/kamads_ads/bloginator.php</a>
京公网安备 11010502034610号
暂无评论