PHP-Fusion Register.PHP和FAQ.PHP SQL注入漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1197687 漏洞类型 SQL注入
发布时间 2005-10-06 更新时间 2006-06-14
CVE编号 CVE-2005-3161 CNNVD-ID CNNVD-200510-053
漏洞平台 N/A CVSS评分 7.5
|漏洞来源
https://cxsecurity.com/issue/WLB-2005100014
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200510-053
|漏洞详情
PHP-Fusion是一个轻量级开源内容管理系统。PHP-Fusion6.00.110之前版本存在多个SQL注入漏洞。远程攻击者可以借助(1)register.php中的activate参数和(2)faq.php中的cat_id参数,执行任意SQL指令。
|漏洞EXP
======================================================================

Secunia Research 06/10/2005

- PHP-Fusion Two SQL Injection Vulnerabilities -

======================================================================
Table of Contents

Affected Software....................................................1
Severity.............................................................2
Vendor's Description of Software.....................................3
Description of Vulnerabilities.......................................4
Solution.............................................................5
Time Table...........................................................6
Credits..............................................................7
About Secunia........................................................8
Verification.........................................................9

======================================================================
1) Affected Software

PHP-Fusion 6.00.109

Other versions may also be affected.

======================================================================
2) Severity

Rating: Moderately critical
Impact: Manipulation of data
Where:  Remote

======================================================================
3) Vendor's Description of Software

A light-weight open-source content management system (CMS) written 
in PHP.

Product link:
http://www.php-fusion.co.uk/

======================================================================
4) Description of Vulnerabilities

Secunia Research has discovered two vulnerabilities in PHP-Fusion, 
which can be exploited by malicious people to conduct SQL injection 
attacks.

Input passed to the "activate" parameter in "register.php" and the 
"cat_id" parameter in "faq.php" isn't properly sanitised before being 
used in a SQL query. This can be exploited to manipulate SQL queries 
by injecting arbitrary SQL code.

Successful exploitation requires that "magic_quotes_gpc" is disabled.

The vulnerabilities have been confirmed in version 6.00.109. Other 
versions may also be affected.

======================================================================
5) Solution

Update to version 6.00.110.
http://www.php-fusion.co.uk/downloads.php?cat_id=3

======================================================================
6) Time Table

04/10/2005 - Vulnerabilities discovered.
05/10/2005 - Vendor notified.
05/10/2005 - Vendor confirms vulnerabilities.
06/10/2005 - Public disclosure.

======================================================================
7) Credits

Discovered by Andreas Sandblad, Secunia Research.

======================================================================
8) About Secunia

Secunia collects, validates, assesses, and writes advisories regarding
all the latest software vulnerabilities disclosed to the public. These
advisories are gathered in a publicly available database at the
Secunia website:

http://secunia.com/

Secunia offers services to our customers enabling them to receive all
relevant vulnerability information to their specific system
configuration.

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/secunia_security_advisories/

======================================================================
9) Verification

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2005-52/advisory/

======================================================================
|参考资料

来源:BID
名称:15018
链接:http://www.securityfocus.com/bid/15018
来源:www.php-fusion.co.uk
链接:http://www.php-fusion.co.uk/news.php?readmore=261
来源:SECUNIA
名称:17055
链接:http://secunia.com/advisories/17055
来源:XF
名称:phpfusion-faq-register-sql-injection(22532)
链接:http://xforce.iss.net/xforce/xfdb/22532
来源:OSVDB
名称:19867
链接:http://www.osvdb.org/19867
来源:OSVDB
名称:19866
链接:http://www.osvdb.org/19866
来源:MISC
链接:http://secunia.com/secunia_research/2005-52/advisory/
来源:SREASON
名称:54
链接:http://securityreason.com/securityalert/54