AlstraSoft Affiliate Network Pro Multiple Input Validation Vulnerabilities

Vulnerability ID: 1113344
Vulnerability type: SQL injection
Published: 2007-07-23
Updated: 2007-07-30
CVE ID: CVE-2007-4084
CNNVD-ID: CNNVD-200707-512
Platform: PHP
CVSS score: 7.5
|Vulnerability sources
https://www.exploit-db.com/exploits/30371
https://www.securityfocus.com/bid/81642
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200707-512
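|Vulnerability details
Multiple SQL injection vulnerabilities exist in AlstraSoft Affiliate Network Pro. Remote attackers can execute arbitrary SQL commands via (1) the pgmid parameter in an uploadProducts action to merchants/index.php and possibly (2) the rowid parameter in merchants/temp.php.
|Exploit (EXP)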
source: http://www.securityfocus.com/bid/25026/info
  
AlstraSoft Affiliate Network Pro is affected by multiple input-validation vulnerabilities. These issues include multiple cross-site scripting issues and SQL-injection issues.
  
A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
  
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, execute arbitrary script code in the context of the webserver process, access or modify data, or exploit latent vulnerabilities in the underlying database.

http://www.example.com/affiliate/merchants/index.php?Act= uploadProducts&pgmid=41%20or%201=1
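
Why the `pgmid` value above changes the query, and the fix, as an added example that is not code from the product (the product is PHP and its source is not shown on this page). It uses Python's `sqlite3` as a stand-in database; the table, column and function names are hypothetical and the rows are constructed.

```python
import sqlite3

def make_db():
    # Constructed sample data; the schema is hypothetical, not the product's.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products "
               "(id INTEGER PRIMARY KEY, pgmid INTEGER, name TEXT)")
    db.executemany(
        "INSERT INTO products (pgmid, name) VALUES (?, ?)",
        [(41, "widget"), (41, "gadget"),
         (42, "other-program-item"), (43, "private-item")])
    return db

def lookup_concatenated(db, raw_pgmid):
    # Flawed pattern: the request value becomes part of the SQL text, so
    # "41 or 1=1" is parsed as a WHERE clause that is true for every row.
    sql = ("SELECT name FROM products WHERE pgmid = "
           + raw_pgmid + " ORDER BY id")
    return [row[0] for row in db.execute(sql)]

def parse_pgmid(raw_pgmid):
    # Allow-list validation: a short run of ASCII digits and nothing else.
    if not (raw_pgmid.isascii() and raw_pgmid.isdigit()
            and len(raw_pgmid) <= 9):
        raise ValueError("pgmid must be a non-negative integer")
    return int(raw_pgmid)

def lookup_hardened(db, raw_pgmid):
    # Hardened pattern: validate first, then bind the value as a parameter
    # so it can never be interpreted as SQL syntax.
    pgmid = parse_pgmid(raw_pgmid)
    rows = db.execute(
        "SELECT name FROM products WHERE pgmid = ? ORDER BY id", (pgmid,))
    return [row[0] for row in rows]

if __name__ == "__main__":
    db = make_db()
    print("concatenated, '41':       ", lookup_concatenated(db, "41"))
    print("concatenated, '41 or 1=1':", lookup_concatenated(db, "41 or 1=1"))
    print("hardened, '41':           ", lookup_hardened(db, "41"))
    try:
        lookup_hardened(db, "41 or 1=1")
    except ValueError as exc:
        print("hardened, '41 or 1=1':     rejected:", exc)
```

The same two controls apply to the `rowid` parameter named in the details above: integer validation at the request boundary and bound parameters in every query.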
|Affected products
AlstraSoft Affiliate Network Pro 8.0
|References

Source: BID
Name: 25026
Link: http://www.securityfocus.com/bid/25026
Source: OSVDB
Name: 37870
Link: http://osvdb.org/37870
Source: OSVDB
Name: 37869
Link: http://osvdb.org/37869
Source: MISC
Link: http://lostmon.blogspot.com/2007/07/alstrasoft-multiple-products-multiple.html