[CVE-2012-1002] OpenConf <= 4.11 (author/edit.php) Blind SQL

看板Bugtraq作者n0b0d13s.時間13年前 (2012/05/03 02:01)推噓0(0推 0噓 0→)

留言0則, 0人參與討論串1/1

-------------------------------------------------------------------- OpenConf <= 4.11 (author/edit.php) Blind SQL Injection Vulnerability -------------------------------------------------------------------- author...............: Egidio Romano aka EgiX mail.................: n0b0d13s[at]gmail[dot]com software link........: http://www.openconf.com/ affected versions....: from 4.00 to 4.11 [-] Vulnerable code in /author/edit.php: 104. // get sub 105. $anr = ocsql_query("SELECT * FROM `" . OCC_TABLE_PAPER . "` WHERE `paperid`=" . safeSQLstr($_POST['pid'])) ... 106. if (mysql_num_rows($anr) != 1) { 107. err(oc_('Submission ID or password entered is incorrect')); 108. } 109. $_POST = array_merge($_POST, mysql_fetch_assoc($anr)); User input passed through $_POST['pid'] seems correctly sanitised by the safeSQLstr() function, but in the query at line 105 single quotes aren't used before concatenate the user input into the query string. This can be exploited to conduct a Blind SQL Injection attack. Successful exploitation of this vulnerability requires at least a record into the 'paper' table, and 'Edit Submission' to be enabled. [-] Disclosure timeline: [27/01/2012] - Vulnerability discovered [01/02/2012] - Issue reported to bugs(at)openconf.com [02/02/2012] - Version 4.12 released: http://www.openconf.com/news/#20120202 [02/02/2012] - CVE number requested [02/02/2012] - Assigned CVE-2012-1002 [02/05/2012] - Public disclosure [-] Proof of concept: http://www.exploit-db.com/exploits/18820/

‣ 返回看板[ Bugtraq ] 臭蟲

‣ 更多 n0b0d13s. 的文章

文章代碼(AID): #1FeNPVJA (Bugtraq)