BUGTRAQ ID: 34361 CVE(CAN) ID: CVE-2009-1282,CVE-2009-1283 glFusion是一个开源的内容管理系统。 glFusion的private/system/lib-session.php模块没有正确地过滤用户所提交的glf_session cookie参数,远程攻击者可以通过向服务器提交恶意请求执行SQL注入攻击。以下是/private/system/lib-session.php 的97-117行的有漏洞代码段: ... if (isset ($_COOKIE[$_CONF['cookie_session']])) { $sessid = COM_applyFilter ($_COOKIE[$_CONF['cookie_session']]); if ($_SESS_VERBOSE) { COM_errorLog("got $sessid as the session id from lib-sessions.php",1); } $userid = SESS_getUserIdFromSession($sessid, $_CONF['session_cookie_timeout'], $_SERVER['REMOTE_ADDR'], $_CONF['cookie_ip']); if ($_SESS_VERBOSE) { COM_errorLog("Got $userid as User ID from the session ID",1); } if ($userid > 1) { // Check user status $status = SEC_checkUserStatus($userid); if (($status == USER_ACCOUNT_ACTIVE) || ($status == USER_ACCOUNT_AWAITING_ACTIVATION)) { $user_logged_in = 1; SESS_updateSessionTime($sessid, $_CONF['cookie_ip']); 在418-436行的SESS_updateSessionTime()函数中: ... function...
BUGTRAQ ID: 34361 CVE(CAN) ID: CVE-2009-1282,CVE-2009-1283 glFusion是一个开源的内容管理系统。 glFusion的private/system/lib-session.php模块没有正确地过滤用户所提交的glf_session cookie参数,远程攻击者可以通过向服务器提交恶意请求执行SQL注入攻击。以下是/private/system/lib-session.php 的97-117行的有漏洞代码段: ... if (isset ($_COOKIE[$_CONF['cookie_session']])) { $sessid = COM_applyFilter ($_COOKIE[$_CONF['cookie_session']]); if ($_SESS_VERBOSE) { COM_errorLog("got $sessid as the session id from lib-sessions.php",1); } $userid = SESS_getUserIdFromSession($sessid, $_CONF['session_cookie_timeout'], $_SERVER['REMOTE_ADDR'], $_CONF['cookie_ip']); if ($_SESS_VERBOSE) { COM_errorLog("Got $userid as User ID from the session ID",1); } if ($userid > 1) { // Check user status $status = SEC_checkUserStatus($userid); if (($status == USER_ACCOUNT_ACTIVE) || ($status == USER_ACCOUNT_AWAITING_ACTIVATION)) { $user_logged_in = 1; SESS_updateSessionTime($sessid, $_CONF['cookie_ip']); 在418-436行的SESS_updateSessionTime()函数中: ... function SESS_updateSessionTime($sessid, $md5_based=0) { global $_TABLES; $newtime = (string) time(); if ($md5_based == 1) { $sql = "UPDATE {$_TABLES['sessions']} SET start_time=$newtime WHERE (md5_sess_id = '$sessid')"; } else { $sql = "UPDATE {$_TABLES['sessions']} SET start_time=$newtime WHERE (sess_id = $sessid)"; //<-------- SQL INJECTION HERE } $result = DB_query($sql); return 1; } ... 如果在通用配置中会话id不是md5()哈希(默认配置),就可以注入SQL语句。 在SESS_getUserIdFromSession()函数的查询中: ... if ($md5_based == 1) { $sql = "SELECT uid FROM {$_TABLES['sessions']} WHERE " . "(md5_sess_id = '$sessid') AND (start_time > $mintime) AND (remote_ip = '$remote_ip')"; } else { $sql = "SELECT uid FROM {$_TABLES['sessions']} WHERE " . "(sess_id = '$sessid') AND (start_time > $mintime) AND (remote_ip = '$remote_ip')"; } ... 这个查询将所提供的sessid值与从会话表中的sessid值(整数)做了比较,而在比较时仅考虑了字符串的第一个整数值,因此函数返回了有效的userid。如果知道了表格中已有的sessid的话,就可以如下在cookie中注入查询: Cookie: glf_session=12345678 [SQL HERE]; glfusion=9999999999; glFusion <= 1.1.2 glFusion -------- 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: <a href=http://www.glfusion.org/filemgmt/visit.php?lid=275 target=_blank rel=external nofollow>http://www.glfusion.org/filemgmt/visit.php?lid=275</a>
