PHPGroupWare <= 0.9.16.016 phpgwapi/inc/多个SQL注入漏洞

2010-05-21T00:00:00
ID SSV:19667
Type seebug
Reporter Root
Modified 2010-05-21T00:00:00

Description

BUGTRAQ ID: 40168 CVE ID: CVE-2010-0404

phpGroupWare是一个用PHP编写的多用户的网络组件,为开发其他程序提供了一个API。

phpGroupWare phpgwapi/inc/目录下的多个脚本没有正确的过滤用户所提交参数,远程攻击者可以通过提交恶意查询请求执行SQL注入攻击。

1) 没有正确地过滤提交给多个脚本的sessionid参数便在phpgwapi/inc/class.sessions_db.inc.php的SQL查询中使用。

2) 没有正确地过滤多个URL参数便在phpgwapi/inc/class.sessions_db.inc.php的SQL查询中使用。

3) 在更新偏好时没有正确的过滤提交给preferences/preferences.php的user[lang]参数便在phpgwapi/inc /class.translation_sql.inc.php的SQL查询中使用。

4) 在设置了sessionid和kp3的情况下,没有正确地过滤提交给preferences/preferences.php的appname参数便在 phpgwapi/inc/class.translation_sql.inc.php的SQL查询中使用。

5) 没有正确地过滤提交给login.php的login参数便在phpgwapi/inc/class.auth_sql.inc.php的SQL查询中使用。

PHPGroupWare < 0.9.16.016 厂商补丁:

Debian

Debian已经为此发布了一个安全公告(DSA-2046-1)以及相应补丁: DSA-2046-1:phpgroupware: Multiple vulnerabilities 链接:http://www.debian.org/security/2010/dsa-2046

补丁下载:

Source archives:

http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware_0.9.16.012+dfsg.orig.tar.gz Size/MD5 checksum: 19383160 bbfcfa12aca69b4032d7b4d38aeba85f http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware_0.9.16.012+dfsg-8+lenny2.dsc Size/MD5 checksum: 1662 1a1ff2d6badf454ba2b948ee1268e57b http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware_0.9.16.012+dfsg-8+lenny2.diff.gz Size/MD5 checksum: 74293 9ba66bc79bc0f5bb6454a3372bc2bfd8

Architecture independent packages:

http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-0.9.16-filemanager_0.9.16.012+dfsg-8+lenny2_all.deb Size/MD5 checksum: 91562 51f6a2473368c6c21d19b8fd6349635f http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-0.9.16-phpgwapi-doc_0.9.16.012+dfsg-8+lenny2_all.deb Size/MD5 checksum: 7985242 c19ed260050702c356c4d14db87e3f0d http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-0.9.16_0.9.16.012+dfsg-8+lenny2_all.deb Size/MD5 checksum: 20158 c09431d20a4d833841340ea79e03854d http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-0.9.16-setup_0.9.16.012+dfsg-8+lenny2_all.deb Size/MD5 checksum: 281402 2fc54aa2367098332f67b846b17d8c7a http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-0.9.16-core-base_0.9.16.012+dfsg-8+lenny2_all.deb Size/MD5 checksum: 48876 41cc095cbbc3bd97ae36754405df60b9 http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-0.9.16-email_0.9.16.012+dfsg-8+lenny2_all.deb Size/MD5 checksum: 1167580 4b63e0460fb590082a29391d26331b1e http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-0.9.16-phpgwapi_0.9.16.012+dfsg-8+lenny2_all.deb Size/MD5 checksum: 1529004 52216c8fa04c49ebf2d5d12aa6a8013a http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware_0.9.16.012+dfsg-8+lenny2_all.deb Size/MD5 checksum: 22522 783f747d25f32fe4024db807a0727261 http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-0.9.16-core_0.9.16.012+dfsg-8+lenny2_all.deb Size/MD5 checksum: 4726 0a3140a4bdc80c8b421ef865c1f730d3 http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-0.9.16-doc_0.9.16.012+dfsg-8+lenny2_all.deb Size/MD5 checksum: 130240 dc11591ae411a496bc5828d88eaed65d http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-0.9.16-todo_0.9.16.012+dfsg-8+lenny2_all.deb Size/MD5 checksum: 50810 b632b74158236fea55b5014830c26369 http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-0.9.16-preferences_0.9.16.012+dfsg-8+lenny2_all.deb Size/MD5 checksum: 60432 8355e743ea535fbb8b5afef5bcb196bb http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-0.9.16-manual_0.9.16.012+dfsg-8+lenny2_all.deb Size/MD5 checksum: 93564 f44dbd8f6b2902d4980c4ec23d955d02 http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-0.9.16-news-admin_0.9.16.012+dfsg-8+lenny2_all.deb Size/MD5 checksum: 41194 9ed410fd27d8e0c7430a90fa2eaabb70 http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-0.9.16-calendar_0.9.16.012+dfsg-8+lenny2_all.deb Size/MD5 checksum: 270288 ffa447f1b07658090d9acdec93ef31a5 http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-0.9.16-admin_0.9.16.012+dfsg-8+lenny2_all.deb Size/MD5 checksum: 188302 84057847fe79ad066a751a0b5f1abef7 http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-0.9.16-addressbook_0.9.16.012+dfsg-8+lenny2_all.deb Size/MD5 checksum: 176400 0294b85b1e34e7879edbc4ee832dfa43 http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-0.9.16-notes_0.9.16.012+dfsg-8+lenny2_all.deb Size/MD5 checksum: 33074 95aff5b1efc3ba4eeb3a5756549ae070

补丁安装方法:

  1. 手工安装补丁包:

首先,使用下面的命令来下载补丁软件: # wget url (url是补丁下载链接地址)

然后,使用下面的命令来安装补丁:
# dpkg -i file.deb (file是相应的补丁名)

  1. 使用apt-get自动安装补丁包:

首先,使用下面的命令更新内部数据库: # apt-get update

然后,使用下面的命令安装更新软件包: # apt-get upgrade

PHPGroupWare

目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:

http://prdownloads.sourceforge.net/phpgroupware/phpgroupware-0.9.16.016.tar.bz2