BUGTRAQ ID: 34553

Geeklog is a free, open-source web application. It lets users build a virtual community, manage users, post articles and so on. Geeklog is written in PHP and uses MySQL as its backend database.

Lines 1467-1480 of Geeklog's usersettings.php contain a SQL injection vulnerability:

...
if (isset ($_USER['uid']) && ($_USER['uid'] > 1)) {
    switch ($mode) {
    case 'saveuser':
        savepreferences ($_POST);
        $display .= saveuser($_POST);
        PLG_profileExtrasSave ();
        break;
    case 'savepreferences':
        savepreferences ($_POST);
        $display .= COM_refresh ($_CONF['site_url'] . '/usersettings.php?mode=preferences&msg=6');
        break;
...

All of the $_POST[] variables are passed straight through to the savepreferences() function:

...
function savepreferences($A)
{
    global $_CONF, $_TABLES, $_USER;

    if (isset ($A['noicons']) && ($A['noicons'] == 'on')) {
        $A['noicons'] = 1;
    } else {
        $A['noicons'] = 0;
    }
    if (isset ($A['willing']) && ($A['willing'] == 'on')) {
        $A['willing'] = 1;
    } else {
        $A['willing'] = 0;
    }
    if (isset ($A['noboxes']) && ($A['noboxes'] == 'on')) {
        $A['noboxes'] = 1;
    } else {
        $A['noboxes'] = 0;
    }
    if (isset ($A['emailfromadmin']) && ($A['emailfromadmin'] == 'on')) {
        $A['emailfromadmin'] = 1;
    } else {
        $A['emailfromadmin'] = 0;
    }
    if (isset ($A['emailfromuser']) && ($A['emailfromuser'] == 'on')) {
        $A['emailfromuser'] = 1;
    } else {
        $A['emailfromuser'] = 0;
    }
    if (isset ($A['showonline']) && ($A['showonline'] == 'on')) {
        $A['showonline'] = 1;
    } else {
        $A['showonline'] = 0;
    }

    $A['maxstories'] = COM_applyFilter ($A['maxstories'], true);
    if (empty ($A['maxstories'])) {
        $A['maxstories'] = 0;
    } else if ($A['maxstories'] > 0) {
        if ($A['maxstories'] < $_CONF['minnews']) {
            $A['maxstories'] = $_CONF['minnews'];
        }
    }

    $TIDS = @array_values($A[$_TABLES['topics']]);
    $AIDS = @array_values($A['selauthors']);
    $BOXES = @array_values($A["{$_TABLES['blocks']}"]); //<--------- this is $_POST[(prefix)blocks]
    $ETIDS = @array_values($A['etids']);

    $tids = '';
    if (sizeof ($TIDS) > 0) {
        $tids = addslashes (implode (' ', $TIDS));
    }
    $aids = '';
    if (sizeof ($AIDS) > 0) {
        $aids = addslashes (implode (' ', $AIDS));
    }

    $selectedblocks = '';
    if (count ($BOXES) > 0) {
        $boxes = addslashes (implode (',', $BOXES)); //<---------- this addslashes() is totally useless
        //**** SQL INJECTION HERE *** $boxes is not surrounded by quotes!
        $blockresult = DB_query("SELECT bid,name FROM {$_TABLES['blocks']} WHERE bid NOT IN ($boxes)");
        $numRows = DB_numRows($blockresult);
        for ($x = 1; $x <= $numRows; $x++) {
            $row = DB_fetchArray ($blockresult);
            if ($row['name'] <> 'user_block' AND $row['name'] <> 'admin_block' AND $row['name'] <> 'section_block') {
                $selectedblocks .= $row['bid'];
                if ($x <> $numRows) {
                    $selectedblocks .= ' ';
                }
            }
        }
    }
...

geeklog <= 1.5.2

Geeklog
-------
The vendor has not yet released a patch or upgrade. Users of this software are advised to watch the vendor's homepage for the latest version:

http://geeklog.sourceforge.net/
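The root cause above is that addslashes() is applied to values that end up in an unquoted numeric list, where escaping quotes achieves nothing. The following is an added example (not Geeklog's code and not the project's actual fix) showing how the NOT IN list can be built safely: each block id is validated as an integer before concatenation, and anything else is dropped. The table name gl_blocks and the helper names are assumptions.

```php
<?php
// Added example, not code from Geeklog or from the advisory author.
// Block ids are numeric, so they must be validated as integers before
// being placed in the unquoted NOT IN (...) list; addslashes() cannot
// help in a numeric context because there are no quotes to escape out of.

/**
 * Build the "bid NOT IN (...)" predicate from untrusted block ids.
 * Only values made purely of digits are kept; everything else is dropped.
 * With no usable ids the predicate degenerates to "1=1" so the query
 * still selects every block, which is what an empty exclusion list means.
 */
function buildBlocksNotInClause(array $boxes)
{
    $ids = array();
    foreach ($boxes as $bid) {
        if (is_int($bid)) {
            $ids[] = $bid;
        } elseif (is_string($bid) && preg_match('/^\d+$/', $bid)) {
            $ids[] = (int) $bid;
        }
        // Anything else (quotes, parentheses, words) is rejected outright.
    }
    $ids = array_values(array_unique($ids));
    if (count($ids) === 0) {
        return '1=1';
    }
    return 'bid NOT IN (' . implode(',', $ids) . ')';
}

/**
 * Assemble the query that savepreferences() runs, using the hardened
 * predicate. $blocksTable stands in for $_TABLES['blocks'] (assumed name).
 */
function buildBlocksQuery($blocksTable, array $boxes)
{
    return 'SELECT bid,name FROM ' . $blocksTable . ' WHERE '
        . buildBlocksNotInClause($boxes);
}

// Constructed inputs: a normal form submission, one carrying non-numeric
// values of the kind the original code would have concatenated as-is,
// and an empty submission.
$tablesBlocks = 'gl_blocks';
echo buildBlocksQuery($tablesBlocks, array('3', '7', '12')), "\n";
echo buildBlocksQuery($tablesBlocks, array('3', "7' x", 'abc')), "\n";
echo buildBlocksQuery($tablesBlocks, array('')), "\n";
```

Binding the ids through a prepared statement would be equally sound, but Geeklog's DB_query() wrapper takes a finished SQL string, so integer validation is the fix that fits this call site.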