PHPAuction Unauthorized Remote Admin Interface Access Vulnerability

Vulnerability ID: 1106828 Vulnerability type: Unknown
Published: 2002-07-02 Updated: 2005-10-12
CVE ID: CVE-2002-0995 CNNVD ID: CNNVD-200210-170
Platform: PHP CVSS score: 7.5
|Vulnerability Sources
https://www.exploit-db.com/exploits/21590
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200210-170
|Vulnerability Details
PhpAuction is a free, open-source web-based auction system implemented in PHP on MySQL. In PHPAuction, login.php fails to properly validate user-submitted URL requests, and a remote attacker can exploit this to create a user account with administrator privileges. The /admin/login.php script only checks whether $action is set to "insert"; if it is, it proceeds directly to insert the submitted username and password into the administrator user table, so an attacker can submit a crafted URL request that adds an account with administrator privileges to the system.
|Vulnerability EXP
source: http://www.securityfocus.com/bid/5141/info

PhpAuction is a freely available web-based auction system. It is written using PHP scripting language on a MySQL database engine.

A flaw in /admin/login.php has been reported in PHPAuction, which could allow users to gain escalated privileges.

Submitting authentication credentials via login.php will create the user account with administrative permissions.

curl http://pro.phpauction.org/proplus/admin/login.php -d "action=insert" -d "username=test" -d "password=test"
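The defect described above is an insert handler gated only on the request parameter action=insert. The following is an added illustration, not PHPAuction's own code, of how such a handler should be gated: the insert runs only for an already-authenticated admin session with a valid anti-CSRF token, uses a parameterised query, and stores a password hash. The session keys, the CSRF token name and the in-memory SQLite table are constructed for the example.

```php
<?php
// Added example, not PHPAuction code: hardened version of the admin-account
// insert that the advisory describes. Session and table layout are assumed.
session_start();

// Constructed stand-in for the real administrator table (in-memory SQLite).
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE admin_users (username TEXT UNIQUE, password_hash TEXT)');

function is_admin_session(): bool {
    // Only an already-authenticated admin may create admin accounts.
    return !empty($_SESSION['admin_id']);
}

function csrf_token_valid(?string $token): bool {
    return isset($_SESSION['csrf']) && is_string($token)
        && hash_equals($_SESSION['csrf'], $token);
}

// Weak pattern from the advisory: the only gate was whether $action equalled
// "insert", with $action taken straight from the request.
function handle_insert(PDO $db, array $post): string {
    if (($post['action'] ?? '') !== 'insert') {
        return 'ignored';
    }
    if (!is_admin_session()) {
        http_response_code(403);
        return 'forbidden';            // unauthenticated callers stop here
    }
    if (!csrf_token_valid($post['csrf'] ?? null)) {
        http_response_code(403);
        return 'bad-csrf';             // cross-site form posts stop here
    }
    $user = trim($post['username'] ?? '');
    $pass = $post['password'] ?? '';
    if ($user === '' || strlen($pass) < 12) {
        return 'invalid-input';
    }
    // Parameterised insert; store a hash, never the plaintext password.
    $stmt = $db->prepare('INSERT INTO admin_users (username, password_hash) VALUES (?, ?)');
    $stmt->execute([$user, password_hash($pass, PASSWORD_DEFAULT)]);
    return 'created';
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    echo handle_insert($db, $_POST);
}
```

With this gate in place, the unauthenticated POST shown above returns 403 and no row is written.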
|References

Source: BID
Name: 5141
Link: http://www.securityfocus.com/bid/5141
Source: www.phpauction.org
Link: http://www.phpauction.org/viewnew.php?id=5
Source: XF
Name: phpauction-admin-account-creation(9462)
Link: http://www.iss.net/security_center/static/9462.php
Source: BUGTRAQ
Name: 20020702 PHPAuction bug
Link: http://archives.neohapsis.com/archives/bugtraq/2002-07/0014.html