BUGTRAQ ID: 34456

Geeklog is a free, open-source web application. It lets users build a virtual community, manage users, post articles and so on. Geeklog is implemented in PHP with MySQL as the backend database.

The SEC_authenticate() function, reached through Geeklog's webservices index.php module, does not properly validate the user-supplied PHP_AUTH_USER and REMOTE_USER variables, so a remote attacker can perform SQL injection by submitting a malicious request. The vulnerable code path begins at lines 34-53 of /public_html/webservices/atom/index.php:

    ...
    require_once '../../lib-common.php';

    if (PHP_VERSION < 5) {
        $_CONF['disable_webservices'] = true;
    } else {
        require_once $_CONF['path_system'] . '/lib-webservices.php';
    }

    if ($_CONF['disable_webservices']) {
        COM_displayMessageAndAbort($LANG_404[3], '', 404, 'Not Found');
    }

    header('Content-type: ' . 'application/atom+xml' . '; charset=UTF-8');

    // Authenticates the request from HTTP Basic credentials before any feed is served
    WS_authenticate();
    ...

The WS_authenticate() function at lines 780-877 of /system/lib-webservices.php:

    ...
    function WS_authenticate()
    {
        global $_CONF, $_TABLES, $_USER, $_GROUPS, $_RIGHTS, $WS_VERBOSE;

        $uid = '';
        $username = '';
        $password = '';
        $status = -1;

        if (isset($_SERVER['PHP_AUTH_USER'])) {
            // Credentials taken directly from the HTTP Basic auth header, unvalidated
            $username = $_SERVER['PHP_AUTH_USER'];
            $password = $_SERVER['PHP_AUTH_PW'];

            if ($WS_VERBOSE) {
                COM_errorLog("WS: Attempting to log in user '$username'");
            }
        } elseif (!empty($_SERVER['REMOTE_USER'])) {
            // Fallback: decode "Basic base64(user:pass)" from REMOTE_USER, again unvalidated
            list($auth_type, $auth_data) = explode(' ', $_SERVER['REMOTE_USER']);
            list($username, $password) = explode(':', base64_decode($auth_data));

            if ($WS_VERBOSE) {
                COM_errorLog("WS: Attempting to log in user '$username' (via \$_SERVER['REMOTE_USER'])");
            }
        } else {
            if ($WS_VERBOSE) {
                COM_errorLog("WS: No login given");
            }
        }
    ...

Then, at lines 907-909, the raw username is handed to the standard login method:

    ...
        if (($status == -1) && $_CONF['user_login_method']['standard']) {
            $status = SEC_authenticate($username, $password, $uid);
        }
    ...

Lines 695-717 of /system/lib-security.php:

    ...
    function SEC_authenticate($username, $password, &$uid)
    {
        global $_CONF, $_TABLES, $LANG01;

        // $username is interpolated straight into the query string
        $result = DB_query("SELECT status, passwd, email, uid FROM {$_TABLES['users']} WHERE username='$username' AND ((remoteservice is null) or (remoteservice = ''))"); //<------------------- SQL INJECTION HERE
        $tmp = DB_error();
        $nrows = DB_numRows($result);

        if (($tmp == 0) && ($nrows == 1)) {
            $U = DB_fetchArray($result);
            $uid = $U['uid'];
            if ($U['status'] == USER_ACCOUNT_DISABLED) {
                // banned, jump to here to save an md5 calc.
                return USER_ACCOUNT_DISABLED;
            } elseif ($U['passwd'] != SEC_encryptPassword($password)) {
                return -1; // failed login
            } elseif ($U['status'] == USER_ACCOUNT_AWAITING_APPROVAL) {
                return USER_ACCOUNT_AWAITING_APPROVAL;
            } elseif ($U['status'] == USER_ACCOUNT_AWAITING_ACTIVATION) {
                // Awaiting user activation, activate:
                DB_change($_TABLES['users'], 'status', USER_ACCOUNT_ACTIVE, 'username', $username);
                return USER_ACCOUNT_ACTIVE;
            } else {
                return $U['status']; // just return their status
            }
        } else {
            $tmp = $LANG01[32] . ": '" . $username . "'";
            COM_errorLog($tmp, 1);
            return -1;
        }
    }
    ...

SQL code can be injected through this function's username parameter, which comes from the $_SERVER['PHP_AUTH_USER'] or $_SERVER['REMOTE_USER'] variable.

Affected versions: geeklog <= 1.5.2

Vendor: Geeklog
-------
The vendor has not yet released a patch or upgrade. Users of this software are advised to watch the vendor's homepage for the latest version:

http://geeklog.sourceforge.net/
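A hardened form of the same user lookup, added here as an example and not Geeklog's own code or the vendor's fix: the credentials are parsed with fail-closed checks, and the username is bound as a prepared-statement parameter so it can never change the query. It assumes a connected mysqli object ($db) and the users table name from $_TABLES['users'], bypassing Geeklog's DB_query() wrapper.

```php
<?php
// Added example (not Geeklog's code): safe credential parsing and a
// parameterised replacement for the query in SEC_authenticate().

function ws_parse_basic_credentials(array $server): ?array
{
    // Same two sources WS_authenticate() reads, but malformed input is
    // rejected instead of producing a partial username/password pair.
    if (isset($server['PHP_AUTH_USER'], $server['PHP_AUTH_PW'])) {
        return [$server['PHP_AUTH_USER'], $server['PHP_AUTH_PW']];
    }
    if (!empty($server['REMOTE_USER'])) {
        $parts = explode(' ', $server['REMOTE_USER'], 2);
        if (count($parts) !== 2 || strcasecmp($parts[0], 'Basic') !== 0) {
            return null;
        }
        $decoded = base64_decode($parts[1], true); // strict: reject junk
        if ($decoded === false || strpos($decoded, ':') === false) {
            return null;
        }
        return explode(':', $decoded, 2);
    }
    return null;
}

function sec_lookup_user(mysqli $db, string $usersTable, string $username): ?array
{
    // A table name cannot be bound, so it is whitelisted; the username is
    // bound as a string parameter and never interpolated into the SQL.
    if (!preg_match('/^[A-Za-z0-9_]+$/', $usersTable)) {
        throw new InvalidArgumentException('unexpected users table name');
    }
    $sql = "SELECT status, passwd, email, uid FROM `$usersTable`"
         . " WHERE username = ? AND (remoteservice IS NULL OR remoteservice = '')";
    $stmt = $db->prepare($sql);
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $result = $stmt->get_result(); // requires mysqlnd
    // Exactly one row is required, as in the original ($nrows == 1) check.
    if ($result->num_rows !== 1) {
        return null;
    }
    return $result->fetch_assoc();
}
```

The password comparison and status handling from the original function can then run unchanged on the returned row.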