AkoComment 'akocomment.PHP'多个SQL注入漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1195604 漏洞类型 SQL注入
发布时间 2006-03-28 更新时间 2006-04-07
CVE编号 CVE-2006-1421 CNNVD-ID CNNVD-200603-451
漏洞平台 N/A CVSS评分 5.1
|漏洞来源
https://cxsecurity.com/issue/WLB-2006030117
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200603-451
|漏洞详情
在Mambo的AkoComment2.0模块中的akocomment.php中存在多个SQL注入漏洞,当magic_quotes_gpc无效时,远程攻击者可通过(1)acname或(2)contentid参数执行任意SQL命令。
|漏洞EXP
AkoComment is a well known and widely used add-on for the Mambo and
Joomla Content Management Systems. It allows users to post comments to
articles.

AkoComment 2.0 suffers from an SQL injection vulnerability
(components/com_akocomment/akocomment.php):

# Clear any HTML and SQL injections
    $title   = strip_tags($title);
    $comment = strip_tags($comment);
    $title   = mysql_escape_string($title);
    $comment = mysql_escape_string($comment);

# Perform database query
    $date      = date( "Y-m-d H:i:s" );
    $ip        = getenv('REMOTE_ADDR');
    $query2 = "INSERT INTO #__akocomment SET contentid='$contentid',
ip='$ip', name='$acname', title='$title', comment='$comment',
date='$date', published='$ac_autopublish';";
    $database->setQuery( $query2 );
    $database->query();

While the user provided comment and comment title is properly
sanitized, the client provided $acname and $contentid are not. These
correspond to hidden, value-prefilled FORM variables in the akocomment
created html form.

It is widely known that just because the values are hidden and not
changeable in a standard web browser doesn't mean they are not client
provided and thus aren't trivially modified.

Since the variables are not sanitized in any way the SQL injection
itself is straight-forward, provided magic_quotes_gpc = off.

Solution:

To fix this vulnerability put the following lines before the "#
Perform database query" line:
    $contentid = intval(strip_tags($contentid));
    $acname = mysql_escape_string(strip_tags($acname));

--
Stefan Keller <skeller (at) pobox (dot) com [email concealed]>
|参考资料

来源:BID
名称:17241
链接:http://www.securityfocus.com/bid/17241
来源:BUGTRAQ
名称:20060326AkoCommentSQLinjectionvulnerability
链接:http://www.securityfocus.com/archive/1/archive/1/428893/100/0/threaded
来源:XF
名称:akocomment-akocomment-sql-injection(25451)
链接:http://xforce.iss.net/xforce/xfdb/25451
来源:VUPEN
名称:ADV-2006-1136
链接:http://www.frsirt.com/english/advisories/2006/1136
来源:SECUNIA
名称:19392
链接:http://secunia.com/advisories/19392
来源:OSVDB
名称:24209
链接:http://www.osvdb.org/24209
来源:SREASON
名称:631
链接:http://securityreason.com/securityalert/631