SQL-Ledger: authentication bypass via matching sql-ledger-[username] cookie value and sessionid parameter

Vulnerability ID: 1193684    Vulnerability type: Authorization issue
Published: 2006-08-30    Updated: 2007-01-25
CVE number: CVE-2006-4244    CNNVD-ID: CNNVD-200608-483
Platform: N/A    CVSS score: 7.5
|Vulnerability sources
https://www.securityfocus.com/bid/19758
https://cxsecurity.com/issue/WLB-2006080179
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200608-483
|Vulnerability details
SQL-Ledger 2.4.4 through 2.6.17 authenticates a user by checking that the value of the sql-ledger-[username] cookie matches the value of the sessionid request parameter. Because both values are supplied by the client, a remote attacker can gain access as any logged-in user simply by setting the cookie and the parameter to the same value.
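The following is an added illustration, not code from SQL-Ledger (which is written in Perl): a Python model of the flawed check described above, beside a hardened check in which the session token is generated server-side, bound to the user in a server-side store, and the sessionid parameter is never consulted. The `SessionStore` class and function names are assumptions for this example.

```python
import secrets
import hmac

# --- Flawed pattern, as described in the advisory ---
# The cookie value is compared only with the request's own sessionid
# parameter. Both are chosen by the client, so equality proves nothing
# about who the client is.
def vulnerable_is_authenticated(cookie_value, sessionid_param):
    return cookie_value is not None and cookie_value == sessionid_param


# --- Hardened pattern (added here; not SQL-Ledger's actual fix) ---
# Sessions are minted server-side with an unguessable token and kept in
# a store that binds the token to a username. A request is accepted only
# if its cookie matches a token in that store.
class SessionStore:
    def __init__(self):
        self._sessions = {}  # token -> username

    def login(self, username):
        # 32 random bytes, URL-safe: far too large to guess or enumerate.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = username
        return token

    def logout(self, token):
        self._sessions.pop(token, None)

    def user_for_cookie(self, cookie_value):
        if not cookie_value:
            return None
        # Constant-time comparison so a mismatch does not leak how many
        # leading characters of a stored token the client got right.
        for token, user in self._sessions.items():
            if hmac.compare_digest(token, cookie_value):
                return user
        return None


def hardened_is_authenticated(store, cookie_value, sessionid_param):
    # The sessionid parameter is deliberately ignored: only the
    # server-issued cookie value decides the outcome.
    return store.user_for_cookie(cookie_value) is not None
```

In the flawed model any equal pair of values passes; in the hardened model only a token the server itself issued does, and logging out invalidates it.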
|Vulnerability EXP
Hi;

This post is to inform everyone that there is a serious security hole that has been discovered in SQL-Ledger involving session handling.  The flaw allows anyone with network access to the server to access the application as any logged in user using trivial mechanisms.  I have previously brought this flaw up with Dieter several months ago, and since it is still an issue, I have sent him a fix that a few of us have prepared.  This fix was prepared by myself and Christopher Murtagh with the help of a few testers.

In the meantime, we recommend that people take the following precautions:

1) DO NOT allow unauthorized users access to the SQL-Ledger application. Use .htaccess files or network mechanisms to prevent unauthorized access to the application or server.

2) If different departments require different levels of access, move departmental roles into separate applications, and enforce permissions accordingly. The different installations can access the same database, however.

Full disclosure will follow two weeks from yesterday.

Best Wishes,

Chris Travers

Metatron Technology Consulting
|Affected products
SQL-Ledger SQL-Ledger 2.6.17
SQL-Ledger SQL-Ledger 2.4.7
Debian Linux 3.1
|References

Source: XF
Name: sql-ledger-session-unauth-access(28671)
Link: http://xforce.iss.net/xforce/xfdb/28671
Source: www.sql-ledger.org
Link: http://www.sql-ledger.org/cgi-bin/nav.pl?page=news.html&title=What%27s%20New
Source: BID
Name: 19758
Link: http://www.securityfocus.com/bid/19758
Source: BUGTRAQ
Name: 20060830 SQL-Ledger serious security vulnerability and workaround
Link: http://www.securityfocus.com/archive/1/archive/1/444741/100/0/threaded
Source: BUGTRAQ
Name: 20060907 Full Disclosure for SQL-Ledger vulnerability CVE-2006-4244
Link: http://www.securityfocus.com/archive/1/445512
Source: SREASON
Name: 1472
Link: http://securityreason.com/securityalert/1472
Source: SECUNIA
Name: 21689
Link: http://secunia.com/advisories/21689