Slashdot Like Automated Storytelling Homepage Slashcode ID Parameter SQL Injection Vulnerability

Vulnerability ID 1186625 Vulnerability type SQL injection
Published 2008-06-05 Updated 2009-02-10
CVE ID CVE-2008-2231 CNNVD-ID CNNVD-200806-092
Affected platform N/A CVSS score 7.5
|Vulnerability source
https://cxsecurity.com/issue/WLB-2008060085
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200806-092
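|Vulnerability details
Slashdot Like Automated Storytelling Homepage (Slash) (also known as Slashcode) R_2_5_0_94 and earlier versions contain an SQL injection vulnerability. A remote attacker can use the ID parameter to execute arbitrary SQL commands and read table information.
|Vulnerability EXP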


Hi

I am not sure if anyone has asked for a CVE id for slash yet; if so, please point 
to it and disregard this request.

The Slashdot (also just known as Slash) vulnerability was an SQL injection. 
Its effect was to allow a user with no special authorization to read any 
information from any table the Slash site's mysql user was authorized to read 
(which may include other databases, including information_schema).

Upstream announcement:
http://www.slashcode.com/article.pl?sid=08/01/07/2314232

Upstream patch:
http://slashcode.cvs.sourceforge.net/slashcode/slash/Slash/Utility/Environment/Environment.pm?r1=1.223&r2=1.225

Debian Bug report:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=484499



Cheers
Steffen
|References

Source: XF
Name: slash-id-sql-injection(42880)
Link: http://xforce.iss.net/xforce/xfdb/42880
Source: www.slashcode.com
Link: http://www.slashcode.com/article.pl?sid=08/01/07/2314232
Source: www.slashcode.com
Link: http://www.slashcode.com/article.pl?sid=08/01/04/1950244&tid=4
Source: SECTRACK
Name: 1020206
Link: http://www.securitytracker.com/id?1020206
Source: BID
Name: 29548
Link: http://www.securityfocus.com/bid/29548
Source: DEBIAN
Name: DSA-1633
Link: http://www.debian.org/security/2008/dsa-1633
Source: slashcode.cvs.sourceforge.net
Link: http://slashcode.cvs.sourceforge.net/slashcode/slash/Slash/Utility/Environment/Environment.pm?r1=1.223&r2=1.225
Source: SREASON
Name: 3923
Link: http://securityreason.com/securityalert/3923
Source: SECUNIA
Name: 31691
Link: http://secunia.com/advisories/31691
Source: SECUNIA
Name: 30551
Link: http://secunia.com/advisories/30551
Source: MLIST
Name: [oss-security] 20080604 Re: CVE id request: slash
Link: http://marc.info/?l=oss-security&m=121260265427728&w=2
Source: MLIST
Name: [oss-security] 20080604 CVE id request: slash
Link: http://marc.info/?l=oss-security&m=121258731028005