SocialEngine SQL注入漏洞

2008-07-23T00:00:00
ID SSV:3710
Type seebug
Reporter Root
Modified 2008-07-23T00:00:00

Description

BUGTRAQ ID: 30342 CNCAN ID:CNCAN-2008072301

SocialEngine是一款基于PHP的WEB应用程序。 SocialEngine不正确处理用户提交的输入,远程攻击者可以利用漏洞进行SQL注入攻击,可能获得敏感信息或操作数据库。 问题由于脚本对用户提交给WEB参数缺少过滤,构建恶意SQL查询作为参数数据,可更改原来的SQL逻辑,获得敏感信息或操作数据库

Social Engine Social Engine 2.81 Social Engine Social Engine 2.71 Social Engine Social Engine 2.0 可参考如下补丁: Social Engine Social Engine 2.0 Social Engine socialengine283_patch.zip <a href=http://community.socialengine.net/tutorials/socialengine283_patch.zip target=_blank>http://community.socialengine.net/tutorials/socialengine283_patch.zip</a> Social Engine Social Engine 2.81 Social Engine socialengine283_patch.zip <a href=http://community.socialengine.net/tutorials/socialengine283_patch.zip target=_blank>http://community.socialengine.net/tutorials/socialengine283_patch.zip</a> Social Engine Social Engine 2.71 Social Engine socialengine283_patch.zip <a href=http://community.socialengine.net/tutorials/socialengine283_patch.zip target=_blank>http://community.socialengine.net/tutorials/socialengine283_patch.zip</a>