BUGTRAQ ID: 34187 CVE(CAN) ID: CVE-2009-1050,CVE-2009-1049 Bloginator是一套PHP脚本,允许用户在网站上显示、添加、编辑和删除文章。 Bloginator没有正确地验证认证cookie,远程攻击者可以通过修改identifyYourself cookie参数绕过安全限制获得非授权访问。以下是有漏洞的代码段: [URL] www.site.com/bloginator/articleCall.php global $name,$password,$returnLink; $p_name = strip_tags(substr($_POST[\'name\'],0,32)); $p_password = strip_tags(substr($_POST[\'password\'],0,32)); if(crypt($p_name , $name) == $name and crypt($p_password,$password) == $password ) { setcookie(\"identifyYourself\",\"you are identified\"); print \"Login successfull<br>\"; print $returnLink; } else {print \"Wrong username or password\"; } } Bloginator的articleCall.php模块没有正确的验证对id参数所传送的输入参数,远程攻击者可以通过提交恶意查询请求执行SQL注入攻击。以下是有漏洞的代码段: [URL] www.site.com/bloginator/articleCall.php $action = @$_GET[\'action\']; [...] $id = $_GET[\'id\']; [...] function editArticle($id,$message) { global $returnLink; $query = \"select * FROM articles WHERE id=\'$id\'\"; $sql...
BUGTRAQ ID: 34187 CVE(CAN) ID: CVE-2009-1050,CVE-2009-1049 Bloginator是一套PHP脚本,允许用户在网站上显示、添加、编辑和删除文章。 Bloginator没有正确地验证认证cookie,远程攻击者可以通过修改identifyYourself cookie参数绕过安全限制获得非授权访问。以下是有漏洞的代码段: [URL] www.site.com/bloginator/articleCall.php global $name,$password,$returnLink; $p_name = strip_tags(substr($_POST[\'name\'],0,32)); $p_password = strip_tags(substr($_POST[\'password\'],0,32)); if(crypt($p_name , $name) == $name and crypt($p_password,$password) == $password ) { setcookie(\"identifyYourself\",\"you are identified\"); print \"Login successfull<br>\"; print $returnLink; } else {print \"Wrong username or password\"; } } Bloginator的articleCall.php模块没有正确的验证对id参数所传送的输入参数,远程攻击者可以通过提交恶意查询请求执行SQL注入攻击。以下是有漏洞的代码段: [URL] www.site.com/bloginator/articleCall.php $action = @$_GET[\'action\']; [...] $id = $_GET[\'id\']; [...] function editArticle($id,$message) { global $returnLink; $query = \"select * FROM articles WHERE id=\'$id\'\"; $sql = mysql_query($query) or die(mysql_query()); $title = mysql_result($sql,0,\'title\'); $title = htmlentities($title); $article = mysql_result($sql,0,\'article\'); $article = htmlentities($article); $link = mysql_result($sql,0,\'link\'); $link = htmlentities($link); startHTML(\"Edit ID # \".$id); ?> kamAds.com Bloginator 1A 厂商补丁: kamAds.com ---------- 目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本: <a href=http://kamads.com/kamads_ads/bloginator.php target=_blank rel=external nofollow>http://kamads.com/kamads_ads/bloginator.php</a>
