CVE-2001-1460
CVSS7.5
Published: 2001-10-13 00:00:00
Revised: 2008-09-05 16:26:37
NMCOE    

[Original] SQL injection vulnerability in article.php in PostNuke 0.62 through 0.64 allows remote attackers to bypass authentication via the user parameter.


[CNNVD] PostNuke Unauthenticated User Login Vulnerability (CNNVD-200110-048)

article.php in PostNuke 0.62 through 0.64 contains an SQL injection vulnerability. A remote attacker can bypass authentication via the user parameter.

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [performance may degrade or access to resources may be interrupted]
Access complexity: LOW [no access restrictions on exploitation]
Access vector: [--]
Authentication: NONE [no authentication required to exploit]

- CPE (affected platforms and products)

cpe:/a:postnuke_software_foundation:postnuke:0.64
cpe:/a:postnuke_software_foundation:postnuke:0.63
cpe:/a:postnuke_software_foundation:postnuke:0.62

- OVAL (technical details for detection)

No matching OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1460
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-1460
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200110-048
(official data source) CNNVD

- Other links and resources

http://www.kb.cert.org/vuls/id/921547
(VENDOR_ADVISORY)  CERT-VN  VU#921547
http://xforce.iss.net/xforce/xfdb/7280
(PATCH)  XF  postnuke-getusrinfo-bypass-authentication(7280)
http://www.securityfocus.com/bid/3435
(PATCH)  BID  3435
http://archives.neohapsis.com/archives/bugtraq/2001-10/0088.html
(PATCH)  BUGTRAQ  20011012 Bug in PostNuke 0.62, 0.63 and 0.64 (and possibly PHPnuke)
http://archives.neohapsis.com/archives/bugtraq/2001-10/0091.html
(UNKNOWN)  BUGTRAQ  20011013 Bug in PostNuke 0.62, 0.63 and 0.64 (and possibly PHPnuke)

- Vulnerability information

PostNuke Unauthenticated User Login Vulnerability
High SQL injection
2001-10-13 00:00:00 2006-04-07 00:00:00
Remote
article.php in PostNuke 0.62 through 0.64 contains an SQL injection vulnerability. A remote attacker can bypass authentication via the user parameter.

- Advisories and patches

A fixed version of article.php is available.
PostNuke Development Team PostNuke 0.64

- Vulnerability information (21119)

PostNuke 0.6 Unauthenticated User Login Vulnerability (EDBID:21119)
php webapps
2001-10-13 Verified
0 Anonymous
N/A
source: http://www.securityfocus.com/bid/3435/info

PostNuke, successor to PHPNuke, is a content management system written in PHP. PostNuke versions 0.62 to 0.64 suffer from a vulnerability that allows a remote user to log in as any user with a known username and ID without authentication. The problem lies in a failure to filter inappropriate characters from variables that a remote attacker can pass to the program's components. This allows the attacker to alter a MySQL query to the user database, bypassing the password check and assuming the identity of a specified user.

The component "article.php" calls a routine in "mainfile2.php" to update user information (i.e., log the user on) when the variable "save=1" (and the appropriate user ID and name) is specified in the URL. This routine, getusrinfo(), performs a MySQL query to load user information from the database. Since part of this query is taken from insecure input that a remote attacker can pass (in base64 encoded form) to "article.php", the query can be altered with a properly placed single quote character followed by MySQL statements.

This allows an attacker to bypass the condition "where user=$user3[1] and pass=$user3[2]" of the affected MySQL query, for example by appending "or user=USERNAME" to it.

The attacker must base64 encode the string containing the malformed User ID, Username and Password combination. The unencoded string would be in the following format (with USERID and USERNAME appropriately replaced):

USERID:USERNAME:' or uname='USERNAME

This encoded string would then be passed to the article.php script by requesting a URL of the following form (this could be trivially accomplished from a web browser):

http://targethost/article.php?save=1&sid=20&cookieusrtime=160000&user=USERID:encodedstring

Where encodedstring is the previously described base64 encoded string. Base64 encoding can be trivially accomplished with the use of any of a number of simple utilities.
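The cookie format described above (USERID:base64(USERID:USERNAME:PASSWORD), with the second and third fields interpolated into the query) gives a defender a precise thing to look for in web server logs. The following Python scanner is an added example, not code from the advisory or from PostNuke: it assumes common-log-style request lines ("GET /path HTTP/1.0") and flags save=1 requests to article.php whose decoded user value contains quote or comment characters, or cannot be decoded at all. The sample log lines and all usernames and passwords in it are constructed placeholders.

```python
import base64
import re
from urllib.parse import parse_qs, quote, urlsplit

# getusrinfo() interpolates the 2nd and 3rd colon-separated cookie fields into
# the WHERE clause, so a quote in either field is the signal worth alerting on.
METACHARS = re.compile(r"['\"]|--|;")

def encode_user_param(userid, username, password):
    """Raw user value in the advisory's format: USERID:base64(USERID:USERNAME:PASSWORD)."""
    raw = f"{userid}:{username}:{password}".encode()
    return f"{userid}:" + base64.b64encode(raw).decode()

def decode_user_param(value):
    """Return (userid, username, password) from a user value, or None if malformed."""
    _, sep, encoded = value.partition(":")
    if not sep:
        return None
    try:
        decoded = base64.b64decode(encoded, validate=True).decode("utf-8", "replace")
    except ValueError:                  # binascii.Error is a ValueError subclass
        return None
    parts = decoded.split(":", 2)       # the password field keeps any further ':'
    return tuple(parts) if len(parts) == 3 else None

def scan_request_line(line):
    """Inspect one access-log request line; return a finding dict or None."""
    m = re.match(r"\S+\s+(\S+)", line)
    url = urlsplit(m.group(1)) if m else None
    qs = parse_qs(url.query) if url else {}
    if not url or not url.path.endswith("/article.php") or qs.get("save") != ["1"] or "user" not in qs:
        return None                     # only the save=1 path reaches getusrinfo()
    triple = decode_user_param(qs["user"][0])
    if triple is None:
        return {"reason": "undecodable user parameter", "raw": qs["user"][0]}
    for field, val in zip(("username", "password"), triple[1:]):
        if METACHARS.search(val):
            return {"reason": f"SQL metacharacters in {field}", "username": triple[1], "value": val}
    return None

def scan(lines):
    return [f for f in map(scan_request_line, lines) if f]

# Constructed sample request lines (not from the advisory); all values are placeholders.
BENIGN = quote(encode_user_param(2, "alice", "hunter2hash"), safe="")
INJECT = quote(encode_user_param(2, "alice", "' or uname='alice"), safe="")
SAMPLE_LOGS = [
    f"GET /article.php?save=1&sid=20&cookieusrtime=160000&user={BENIGN} HTTP/1.0",
    f"GET /article.php?save=1&sid=20&cookieusrtime=160000&user={INJECT} HTTP/1.0",
    "GET /article.php?save=1&sid=20&user=2:not_base64!! HTTP/1.0",
]
```

Run `scan(SAMPLE_LOGS)` to see the two findings; a quote in a legitimately chosen password will also trip the check, so treat hits as triage leads rather than automatic blocks.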

- Vulnerability information

20208
PostNuke article.php user Parameter SQL Injection
Remote / Network Access Information Disclosure, Input Manipulation
Loss of Confidentiality, Loss of Integrity Upgrade

- Vulnerability description

PostNuke contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'article.php' script not properly sanitizing user-supplied input to the 'user' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database.

- Timeline

2001-10-12 Unknown
Unknown Unknown

- Solution

Upgrade to version 0.64 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Related references

- Vulnerability author

Unknown or Incomplete