BUGTRAQ ID: 28766

Coppermine is a multi-purpose integrated web picture gallery script written in PHP.

Coppermine's upload.php contains an input validation vulnerability in its handling of user request data, which remote attackers may exploit to perform SQL injection attacks. When performing a URI/URL upload, upload.php does not properly filter the MIME media type supplied by the remote HTTP server, which allows a remote attacker to manipulate the SQL query and perform SQL injection.

Coppermine Photo Gallery 1.4.16

Temporary workaround:

* In upload.php, find the following lines:

    } else {

        // We will try to get the extension from the database.
        $MIME_result = cpg_db_query("SELECT extension FROM {$CONFIG['TABLE_FILETYPES']} WHERE mime='$URI_MIME_type'");

        // Check to see if any results were returned.
        if (!mysql_num_rows($MIME_result)) {

            // No results, so free up the resources.
            mysql_free_result($MIME_result);

            // We cannot determine an extension from the MIME type provided, so note an error. Reject the file as unsafe.
            $URI_failure_array[] = array( 'failure_ordinal'=>$failure_ordinal, 'URI_name'=> $_POST['URI_array'][$counter], 'error_code'=>$lang_upload_php['MIME_type_unknown']);

            // There is no need for further tests or action, so skip the remainder of the iteration.
            continue;

        } else {

            // The was a result. Fetch it.
            $extension_data = mysql_fetch_array($MIME_result);

            // Release the resources.
            mysql_free_result($MIME_result);

            // Store the extension in $extension.
            $extension = $extension_data['extension'];
        }
    }

  and replace them with:

    } else {

        $extension = '';
        foreach ($FILE_TYPES as $ext => $typedata){
            if ($typedata['mime'] == $URI_MIME_type){
                // Store the extension in $extension.
                $extension = $ext;
                break;
            }
        }

        if (!$extension){
            // We cannot determine an extension from the MIME type provided, so note an error. Reject the file as unsafe.
            $URI_failure_array[] = array( 'failure_ordinal'=>$failure_ordinal, 'URI_name'=> $_POST['URI_array'][$counter], 'error_code'=>$lang_upload_php['MIME_type_unknown']);

            // There is no need for further tests or action, so skip the remainder of the iteration.
            continue;
        }
    }

Vendor patch:

Coppermine
----------
The vendor has released an upgrade that fixes this security issue. Download it from the vendor's site:

http://downloads.sourceforge.net/coppermine/cpg1.4.18.zip?modtime=1208178518&big_mirror=0
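
The workaround above stops building SQL from the remote server's MIME type and matches it against the in-memory $FILE_TYPES table instead. The following is an added example, not Coppermine code, showing that lookup with the Content-Type value normalised and syntax-checked first. The helper name extension_for_mime and the table entries are assumptions; only the table shape (extension => ['mime' => ...]) comes from the workaround.

```php
<?php
// Added example, not Coppermine code. $FILE_TYPES mirrors the shape the
// workaround iterates over; the entries themselves are constructed.
$FILE_TYPES = [
    'jpg' => ['mime' => 'image/jpeg'],
    'png' => ['mime' => 'image/png'],
    'gif' => ['mime' => 'image/gif'],
];

/**
 * Hypothetical helper: map a remote Content-Type header value to a file
 * extension using only the in-memory table. Returns null if not allowed.
 */
function extension_for_mime(string $contentType, array $fileTypes): ?string
{
    // Drop parameters such as "; charset=binary" and normalise case.
    $mime = strtolower(trim(explode(';', $contentType, 2)[0]));

    // Accept only type/subtype built from RFC 6838 restricted-name characters.
    $name = '[a-z0-9][a-z0-9!#$&^_.+-]*';
    if (!preg_match('~^' . $name . '/' . $name . '\z~', $mime)) {
        return null;
    }

    foreach ($fileTypes as $ext => $typedata) {
        // Strict comparison: no type juggling, and no SQL is ever built.
        if ($typedata['mime'] === $mime) {
            return (string) $ext;
        }
    }
    return null;
}

// Constructed header values, as a remote HTTP server might send them.
$samples = [
    'image/jpeg',
    'IMAGE/PNG; charset=binary',
    "image/jpeg'x",        // contains a quote: fails the syntax check
    'application/x-php',   // well-formed, but not in the table
];

foreach ($samples as $value) {
    $ext = extension_for_mime($value, $FILE_TYPES);
    printf("%-28s => %s\n", $value, $ext ?? 'rejected');
}
```

The first two values resolve to jpg and png; the last two are rejected without the value ever reaching a database query.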