Mon Album Multiple SQL Injection Vulnerabilities

Vulnerability ID: 1195543
Vulnerability type: SQL injection
Published: 2006-04-02
Updated: 2006-04-03
CVE ID: CVE-2006-1585
CNNVD-ID: CNNVD-200604-001
Platform: N/A
CVSS score: 6.4
|Vulnerability source
https://cxsecurity.com/issue/WLB-2006040004
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200604-001
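|Vulnerability details
Multiple SQL injection vulnerabilities in MonAlbum 0.8.7 allow remote attackers to execute arbitrary SQL commands via (1) the pc parameter in (a) index.php, and the (2) pnom, (3) pcourriel, and (4) pcommentaire parameters in image_agrandir.php.
|Vulnerability EXP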
advisory by undefined1_ @ bash-x.net/undef/

Mon Album 0.8.7
http://www.3dsrc.com/monalbum/

There are 2 sql injection flaws in MonAlbum 0.8.7. First in index.php (line 99)
if (isset($_GET["pc"])) $pc = $_GET["pc"];

... (no sanity checks)

if (isset($pc) && $grech_inactive) $result = execute_requete("select id_rub, nom, commentaire from monalbum_rubrique where ( nom like \"%$pc%\" or commentaire like \"%$pc%\" ) and (id_rub_mere <> 0 and id_rub <> 0) limit " . $deb . ", ". ($ghor*$gvert));

The second flaw is located in the comments system in image_agrandir.php (line 228)
$pnom = $_POST['pnom'];
$pcourriel = $_POST['pcourriel'];
$pcommentaire = $_POST['pcommentaire'];

... (no sanity checks)

execute_requete("insert into monalbum_commentaire (id_image, nom, courriel, commentaire, date_com) values ($id_image, \"$pnom\",\"$pcourriel\", \"".addslashes($pcommentaire)."\", \"".date("Y-m-d")."\" )");
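
A hardened form of the two queries quoted in the advisory above, as an added example (not MonAlbum code and not part of the advisory): both are rewritten as PDO prepared statements so the request values are bound as data rather than concatenated into the SQL string. The function names, the PDO handle and the in-memory SQLite sample rows are assumptions; only the table and column names come from the advisory.

```php
<?php
// Added example, not MonAlbum code. Table/column names come from the advisory;
// function names, the PDO handle and the sample rows are assumptions.

// index.php case: $pc is bound as a value instead of being spliced into the SQL.
function search_rubriques(PDO $db, string $pc, int $deb, int $count): array
{
    // Escape LIKE wildcards so the search term matches literally.
    $like = '%' . strtr($pc, ['!' => '!!', '%' => '!%', '_' => '!_']) . '%';
    $st = $db->prepare(
        "select id_rub, nom, commentaire from monalbum_rubrique
         where (nom like :q1 escape '!' or commentaire like :q2 escape '!')
           and (id_rub_mere <> 0 and id_rub <> 0)
         limit :deb, :cnt"
    );
    $st->bindValue(':q1', $like);
    $st->bindValue(':q2', $like);
    $st->bindValue(':deb', max(0, $deb), PDO::PARAM_INT);
    $st->bindValue(':cnt', max(1, $count), PDO::PARAM_INT);
    $st->execute();
    return $st->fetchAll(PDO::FETCH_ASSOC);
}

// image_agrandir.php case: all three POST fields are bound, no addslashes() needed.
function add_comment(PDO $db, int $id_image, string $pnom, string $pcourriel, string $pcommentaire): void
{
    $st = $db->prepare(
        "insert into monalbum_commentaire (id_image, nom, courriel, commentaire, date_com)
         values (?, ?, ?, ?, ?)"
    );
    $st->execute([$id_image, $pnom, $pcourriel, $pcommentaire, date('Y-m-d')]);
}

// Constructed demo on an in-memory SQLite database (assumes the pdo_sqlite extension).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("create table monalbum_rubrique (id_rub int, id_rub_mere int, nom text, commentaire text)");
$db->exec("create table monalbum_commentaire (id_image int, nom text, courriel text, commentaire text, date_com text)");
$db->exec("insert into monalbum_rubrique values (1, 1, 'Vacances', 'ete 2005')");

// Constructed input with quote and wildcard characters: handled as plain text.
$odd = 'O"Brien\' 100%';
add_comment($db, 7, $odd, 'visitor@example.org', 'nice "photo"');
$stored = $db->query("select nom from monalbum_commentaire")->fetchColumn();
printf("stored verbatim: %s\n", var_export($stored === $odd, true));
printf("rows for odd term: %d\n", count(search_rubriques($db, $odd, 0, 12)));
printf("rows for 'Vacan': %d\n", count(search_rubriques($db, 'Vacan', 0, 12)));
```

Note that in the advisory's insert statement only pcommentaire passes through addslashes(); binding every field removes the dependence on per-field escaping.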
|References

Source: XF
Name: monalbum-image-imageagrandir-sql-injection(25572)
Link: http://xforce.iss.net/xforce/xfdb/25572
Source: BUGTRAQ
Name: 20060331 MonAlbum 0.8.7 SQL Injection
Link: http://www.securityfocus.com/archive/1/archive/1/429475/100/0/threaded
Source: BID
Name: 17327
Link: http://www.securityfocus.com/bid/17327
Source: VUPEN
Name: ADV-2006-1206
Link: http://www.frsirt.com/english/advisories/2006/1206
Source: MISC
Link: http://www.bash-x.net/undef/adv/monalbum.html
Source: SREASON
Name: 660
Link: http://securityreason.com/securityalert/660
Source: SECUNIA
Name: 19503
Link: http://secunia.com/advisories/19503