Phorum pm.php Input Validation Vulnerability

Vulnerability ID: 1112758
Vulnerability type: SQL injection
Published: 2007-04-23
Updated: 2007-04-27
CVE ID: CVE-2007-2339
CNNVD-ID: CNNVD-200704-569
Platform: PHP
CVSS score: 7.5
|Vulnerability source
https://www.exploit-db.com/exploits/29894
https://www.securityfocus.com/bid/81790
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200704-569
|Vulnerability details
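Phorum is a PHP-based web forum application that runs on Linux and Unix operating systems as well as Microsoft Windows. The recipients parameter in Phorum's pm.php file may lead to a SQL injection vulnerability. At line 1881 of include/db/mysq.php:

------------------[sourcecode]----------------------
function phorum_db_user_get($user_id, $detailed)
{
    $PHORUM = $GLOBALS["PHORUM"];

    $conn = phorum_db_mysql_connect();

    if (is_array($user_id)) {
        // Array elements are joined into the list without an integer cast
        $user_ids = implode(",", $user_id);
    } else {
        // A scalar id is cast to int
        $user_ids = (int)$user_id;
    }

    $users = array();

    // $user_ids is interpolated directly into the query text
    $sql = "select * from {$PHORUM['user_table']} where user_id in ($user_ids)";
    $res = mysql_query($sql, $conn);
    if ($err = mysql_error()) phorum_db_mysql_error("$err: $sql");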
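
The excerpt above casts a scalar $user_id to int but joins array elements into the query unchanged. As an added example (not Phorum's code or its actual fix; the function names, the table name phorum_users and the sample input are constructed here), the same list-building logic is shown next to a validated, parameterized form:

```php
<?php
// Added example, not Phorum code. Names, table and inputs are constructed.

// Same list-building logic as the excerpt: array elements are joined uncast.
function id_list_as_in_excerpt($user_id): string
{
    return is_array($user_id) ? implode(",", $user_id) : (string)(int)$user_id;
}

// Hardened: every element must be a non-negative decimal integer, else reject.
function id_list_validated($user_id): array
{
    $ids = [];
    foreach ((array)$user_id as $value) {
        $text = is_int($value) ? (string)$value : $value;
        if (!is_string($text) || !ctype_digit($text)) {
            throw new InvalidArgumentException("non-numeric user id rejected");
        }
        $ids[] = (int)$text;
    }
    return array_values(array_unique($ids));
}

// One "?" placeholder per id; the values travel separately as bound parameters.
function build_user_query(string $table, $user_id): array
{
    $ids = id_list_validated($user_id);
    if ($ids === []) {
        return [null, []]; // "in ()" is invalid SQL, so the caller skips the query
    }
    $marks = implode(",", array_fill(0, count($ids), "?"));
    return ["select * from {$table} where user_id in ({$marks})", $ids];
}

$recipients = ["1", "2'axe"]; // constructed input: second element is not numeric
echo "excerpt logic:  in (" . id_list_as_in_excerpt($recipients) . ")\n";
try {
    build_user_query("phorum_users", $recipients);
} catch (InvalidArgumentException $e) {
    echo "validated:      " . $e->getMessage() . "\n";
}
[$sql, $params] = build_user_query("phorum_users", ["1", 2, "2"]);
echo $sql . "  params=" . json_encode($params) . "\n";
```

The returned SQL text and parameter array are meant to be passed to a prepared-statement API, so no id value is ever concatenated into the query string.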
|Exploit
source: http://www.securityfocus.com/bid/23616/info
       
Phorum is prone to multiple input-validation vulnerabilities, including an unauthorized-access issue, privilege-escalation issue, multiple SQL-injection issues, and cross-site scripting issues, because the application fails to sufficiently sanitize user-supplied input.
       
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify sensitive data, or exploit latent vulnerabilities in the underlying database implementation.
       
Phorum 5.1.20 is affected; prior versions may also be vulnerable.

Let's try to add group named "war'axe":

http://localhost/phorum.5.1.20/admin.php?module=groups

Edit groups / Add group --> war'axe

<!-- You have an error in your SQL syntax; check the manual that corresponds to your
 MySQL server version for the right syntax to use near 'axe')' at line 1:
insert into phorum_groups (name) values ('war'axe') -->
|Affected products
Phorum Phorum 5.1.20
|References

Source: BID
Name: 23616
Link: http://www.securityfocus.com/bid/23616
Source: VUPEN
Name: ADV-2007-1479
Link: http://www.frsirt.com/english/advisories/2007/1479
Source: SECUNIA
Name: 24932
Link: http://secunia.com/advisories/24932
Source: MISC
Link: http://www.waraxe.us/advisory-49.html
Source: BUGTRAQ
Name: 20070419 [waraxe-2007-SA#049] - Multiple vulnerabilities in Phorum 5.1.20
Link: http://www.securityfocus.com/archive/1/archive/1/466286/100/0/threaded
Source: www.phorum.org
Link: http://www.phorum.org/story.php?76
Source: SECTRACK
Name: 1017936
Link: http://securitytracker.com/id?1017936
Source: OSVDB
Name: 35064
Link: http://osvdb.org/35064
Source: OSVDB
Name: 35063
Link: http://osvdb.org/35063
Source: OSVDB
Name: 35062
Link: http://osvdb.org/35062
Source: XF
Name: phorum-multiple-scripts-sql-injection (34081)
Link: http://xforce.iss.net/xforce/xfdb/34081
Source: SREASON
Name: 2617
Link: http://securityreason.com/securityalert/2617