Addalink multiple permission and access control vulnerabilities

Vulnerability ID: 1116132
Vulnerability type: Authorization issue
Published: 2008-09-17
Updated: 2008-09-24
CVE: CVE-2008-4146
CNNVD ID: CNNVD-200809-335
Platform: PHP
CVSS score: 5.0
|Vulnerability sources
https://www.exploit-db.com/exploits/6482
https://www.securityfocus.com/bid/84846
https://cxsecurity.com/issue/WLB-2008090155
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200809-335
|Vulnerability details
Addalink 1.0 beta4 and earlier allows remote attackers to (1) add links that are already marked as approved via a modified approved field and (2) change the visit-counter value via a modified counter field.
|Exploit
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
addalink <= 4 - beta / Write approved links without a previous moderation by the admin
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

$ Program: addalink
$ Version: <= 4 - beta
$ File affected: add_link.php
$ Download: http://sourceforge.net/projects/addalink/


Found by Pepelux <pepelux[at]enye-sec.org>
eNYe-Sec - www.enye-sec.org

Linklist is a miniwebsite that you can use in your webpage. Basically it 
manages a database of links using PHP+MySQL. Users can send links (url, 
description, etc) by a form and an admin has to approve or delete the 
links before the publication in the website.

One not very important problem is that add_link.php doesn't test the 
method used (GET or POST). But the real problem is the method to insert 
some values. 

Reading the code you can see the SQL sentence:

INSERT INTO $linktable VALUES('0','$url','$linkname','$approved=0','$email',
            '$counter=0','$description','$ip','$date','$category_id','0')";

It assigns values to approved and counter directly in the SQL sentence. For that,
you can enter links approved without moderation writing this:

http://domain/add_link.php?url=http://www.domain.com&linkname=name_of_the_link
&approved=1&email=my@email.com&description=blablablablablablabla&category_id=1

Also you can alter the counter of visits if you add &counter=XXXX to the GET


-= Solution =-


$approved = 0;
$counter = 0;

INSERT INTO $linktable VALUES('0','$url','$linkname','$approved','$email',
            '$counter','$description','$ip','$date','$category_id','0')";

# milw0rm.com [2008-09-17]
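The fix above only initialises the two variables; as an added example (not code from the addalink project or from the advisory), here is a hardened PHP version of the same insert that also stops accepting GET, reads only the fields a user may supply, and uses a prepared statement with named columns so request data can never reach the approved or counter values. The table name `links`, the column names, and the `submit_link` function are assumptions; the page only shows positional VALUES(...).

```php
<?php
// Added example, not the addalink project's own code.
// Assumed schema: table `links` with the named columns used below.
declare(strict_types=1);

function submit_link(PDO $db, string $method, array $form, string $clientIp): bool
{
    // 1. A state-changing action is only accepted over POST.
    if ($method !== 'POST') {
        return false;
    }
    // 2. Copy only the user-supplied fields out of the request. Extra
    //    parameters such as approved=1 or counter=9999 are simply ignored,
    //    and nothing is taken from register_globals-style variables.
    $url         = (string)($form['url'] ?? '');
    $linkname    = (string)($form['linkname'] ?? '');
    $email       = (string)($form['email'] ?? '');
    $description = (string)($form['description'] ?? '');
    $categoryId  = filter_var($form['category_id'] ?? null, FILTER_VALIDATE_INT);
    if ($url === '' || $linkname === '' || $categoryId === false
        || filter_var($url, FILTER_VALIDATE_URL) === false
        || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    // 3. Moderation state and visit counter are fixed server-side.
    $approved = 0;
    $counter  = 0;
    // 4. Named columns plus bound parameters: a value can no longer alter
    //    the SQL text, and every column gets exactly the value intended.
    $stmt = $db->prepare(
        'INSERT INTO links
            (url, linkname, approved, email, counter, description, ip, date, category_id)
         VALUES
            (:url, :linkname, :approved, :email, :counter, :description, :ip, NOW(), :category_id)'
    );
    return $stmt->execute([
        ':url'         => $url,
        ':linkname'    => $linkname,
        ':approved'    => $approved,
        ':email'       => $email,
        ':counter'     => $counter,
        ':description' => $description,
        ':ip'          => $clientIp,
        ':category_id' => $categoryId,
    ]);
}

// Usage from add_link.php (assumed $db is an existing PDO connection):
// submit_link($db, $_SERVER['REQUEST_METHOD'], $_POST, $_SERVER['REMOTE_ADDR']);
```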
|Affected products
Addalink Addalink 1.0 Beta4
|References

Source: XF
Name: addalink-addlink-security-bypass(45246)
Link: http://xforce.iss.net/xforce/xfdb/45246
Source: MILW0RM
Name: 6482
Link: http://www.milw0rm.com/exploits/6482
Source: VUPEN
Name: ADV-2008-2606
Link: http://www.frsirt.com/english/advisories/2008/2606
Source: SREASON
Name: 4295
Link: http://securityreason.com/securityalert/4295