vBulletin admincp/admincalendar.php Module SQL Injection Vulnerability

Published: 2025-04-13
Revised: 2025-04-13

BUGTRAQ ID: 32348

vBulletin is an open-source PHP forum program.

The admincp/admincalendar.php file in vBulletin does not properly validate user-submitted parameters:

-------------------[original source code]------------------
if($_POST['do'] == 'saveholiday')
{
    $vbulletin->input->clean_array_gpc('p', array(
        'holidayid'   => TYPE_INT,
        'holidayinfo' => TYPE_ARRAY,
        'month1'      => TYPE_INT,
        'day1'        => TYPE_INT,
        'month2'      => TYPE_INT,
        'day2'        => TYPE_INT,
        'period'      => TYPE_INT,
        'title'       => TYPE_STR,
        'description' => TYPE_STR,
    ));
    ..
    $db->query_write("
        UPDATE " . TABLE_PREFIX . "holiday
        SET allowsmilies = " . $vbulletin->GPC['holidayinfo']['allowsmilies'] . ",
        recuroption = '" . $vbulletin->GPC['holidayinfo']['recuroption'] . "',
        recurring = " . $vbulletin->GPC['holidayinfo']['recurring'] . "
        WHERE holidayid = " . $vbulletin->GPC['holidayid']
    );
------------------[/original source code]------------------
...
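The excerpt declares 'holidayinfo' only as TYPE_ARRAY, so its elements reach the UPDATE statement untyped. The following is an added example of a hardened form of that update, not vBulletin's code or its official fix: the helper names, the table layout and the sample values are constructed, and PDO with in-memory SQLite stands in for vBulletin's $db object.

```php
<?php
// Added example, not vBulletin code. Table layout, helper names and sample
// values are constructed for illustration; PDO/SQLite stands in for $db.

function require_int($value): int
{
    // Nested arrays and non-numeric strings fail validation instead of being coerced.
    $int = filter_var($value, FILTER_VALIDATE_INT);
    if ($int === false) {
        throw new InvalidArgumentException('expected integer');
    }
    return $int;
}

function save_holiday_options(PDO $pdo, int $holidayid, array $holidayinfo): int
{
    // TYPE_ARRAY only guarantees "this is an array"; type each element here.
    $allowsmilies = require_int($holidayinfo['allowsmilies'] ?? 0);
    $recurring    = require_int($holidayinfo['recurring'] ?? 0);
    $recuroption  = $holidayinfo['recuroption'] ?? '';
    if (!is_string($recuroption)) {
        throw new InvalidArgumentException('expected string');
    }

    // Values are bound as parameters, never concatenated into the statement text.
    $stmt = $pdo->prepare(
        'UPDATE holiday SET allowsmilies = ?, recuroption = ?, recurring = ? WHERE holidayid = ?'
    );
    $stmt->execute([$allowsmilies, $recuroption, $recurring, $holidayid]);
    return $stmt->rowCount();
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE holiday (holidayid INTEGER PRIMARY KEY, allowsmilies INTEGER,
            recuroption TEXT, recurring INTEGER)');
$pdo->exec("INSERT INTO holiday VALUES (1, 0, '', 0), (2, 0, '', 0)");

// Well-formed request; the apostrophe in the string field is stored as data.
$info = ['allowsmilies' => '1', 'recuroption' => "o'clock", 'recurring' => '6'];
echo save_holiday_options($pdo, 1, $info), "\n";

// Constructed malformed request: a non-integer in an integer field is rejected.
try {
    save_holiday_options($pdo, 2, ['allowsmilies' => '1', 'recurring' => '1 extra text']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```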
