PostNuke 'Admin.PHP' SQL注入漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1193324 漏洞类型 SQL注入
发布时间 2006-10-03 更新时间 2006-12-04
CVE编号 CVE-2006-5121 CNNVD-ID CNNVD-200610-022
漏洞平台 N/A CVSS评分 7.5
|漏洞来源
https://www.securityfocus.com/bid/20317
https://cxsecurity.com/issue/WLB-2006100035
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200610-022
|漏洞详情
PostNuke0.762的Admin区段中modules/Downloads/admin.php内存在SQL注入漏洞。远程攻击者可以通过hits参数执行任意SQL命令。
|漏洞EXP
Hi,
There is a sql injection bug in PostNuke 0.762 admin section (and maybe
before versions) .
The "hits" parameter is not checked properly before be used in sql query :

File /modules/Downloads/admin.php, Line 1586 :
::     $dbconn->Execute("INSERT INTO $downtable
::                         ($column[lid],
::                          $column[cid],
::                          $column[sid],
::                          $column[title],
::                          $column[url],
::                          $column[description],
::                          $column[date],
::                          $column[name],
::                          $column[email],
::                          $column[hits],
::                          $column[submitter],
::                          $column[downloadratingsummary],
::                          $column[totalvotes],
::                          $column[totalcomments],
::                          $column[filesize],
::                          $column[version],
::                          $column[homepage])
::                       VALUES
::                         (" . (int)pnVarPrepForStore($newid) . ",
::                          " . (int)pnVarPrepForStore($cat[0]) .",
::                          " . (int)pnVarPrepForStore($cat[1]) .",
::                          '" . pnVarPrepForStore($title) . "',
::                          '" . pnVarPrepForStore($url) . "',
::                          '" . pnVarPrepForStore($description) . "',
::                           " . $dbconn->DBTimestamp(time()) . ",
::                          '" . pnVarPrepForStore($name) . "',
::                          '" . pnVarPrepForStore($email) . "',
**                           " . pnVarPrepForStore($hits) . ",
::                          '" . pnVarPrepForStore($submitter) . "',
::                          0,
::                          0,
::                          0,
::                          '" . pnVarPrepForStore($filesize) . "',
::                          '" . pnVarPrepForStore($version) . "',
::                          '" . pnVarPrepForStore($homepage) . "')");

The bug is in admin section, so it doesnt seem to be critical .
Also, "PostNuke 0.800 Milestone 2" has been released .

- Omid
|受影响的产品
PostNuke PostNuke CMS 0.762
|参考资料

来源:XF
名称:postnuke-admin-sql-injection(29271)
链接:http://xforce.iss.net/xforce/xfdb/29271
来源:BID
名称:20317
链接:http://www.securityfocus.com/bid/20317
来源:BUGTRAQ
名称:20060929SqlinjectioninPostNuke[Adminsection]
链接:http://www.securityfocus.com/archive/1/archive/1/447361/100/0/threaded
来源:VUPEN
名称:ADV-2006-3886
链接:http://www.frsirt.com/english/advisories/2006/3886
来源:SECUNIA
名称:22197
链接:http://secunia.com/advisories/22197
来源:SREASON
名称:1669
链接:http://securityreason.com/securityalert/1669
来源:community.postnuke.com
链接:http://community.postnuke.com/index.php?name=News&file=article&sid=2783