Published: 2001-10-13 00:00:00
Revised: 2017-07-10 21:29:08

[Original] SQL injection vulnerability in article.php in PostNuke 0.62 through 0.64 allows remote attackers to bypass authentication via the user parameter.


PostNuke 0.62 through 0.64: SQL injection vulnerability in article.php. A remote attacker can bypass authentication via the user parameter.

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)


- OVAL (technical details for detection)


- Official database links
(Official data source) MITRE
(Official data source) NVD
(Official data source) CNNVD

- Other links and resources
(PATCH)  BUGTRAQ  20011012 Bug in PostNuke 0.62, 0.63 and 0.64 (and possibly PHPnuke)
(UNKNOWN)  BUGTRAQ  20011013 Bug in PostNuke 0.62, 0.63 and 0.64 (and possibly PHPnuke)
(PATCH)  BID  3435
(UNKNOWN)  XF  postnuke-getusrinfo-bypass-authentication(7280)

- Vulnerability information

High risk  SQL injection
2001-10-13 00:00:00 2006-04-07 00:00:00
PostNuke 0.62 through 0.64: SQL injection vulnerability in article.php. A remote attacker can bypass authentication via the user parameter.

- Advisory and patch

A fixed version of article.php is available.
PostNuke Development Team PostNuke 0.64

- Vulnerability information (21119)

PostNuke 0.6 Unauthenticated User Login Vulnerability (EDBID:21119)
php webapps
2001-10-13 Verified
0 Anonymous
N/A

PostNuke, successor to PHPNuke, is a content management system written in PHP. PostNuke versions 0.62 to 0.64 suffer from a vulnerability that allows a remote user to log in as any user with a known username and ID without authentication. The problem lies in a failure to filter inappropriate characters from variables that can be passed to the program's components by a remote attacker. This allows the attacker to alter a mysql query to the user database, bypassing password checking and assuming the identity of a specified user.

The component "article.php" calls a routine in "mainfile2.php" to update user information (i.e., log the user on) when the variable "save=1" (and the appropriate user ID and name) is specified in the URL. This routine, getusrinfo(), performs a mysql query to load user information from the database. Since part of this query is taken from insecure input that can be passed (in base64 encoded form) to "article.php" by a remote attacker, this query can be altered with the use of a properly placed single quote character followed by mysql statements.

This allows an attacker to bypass the condition "where user=$user3[1] and pass=$user3[2]" of the affected mysql query, for example by appending "or user=USERNAME" to it.

The attacker must base64 encode the string containing the malformed User ID, Username and Password combination. The unencoded string would be in the following format (with USERID and USERNAME appropriately replaced):


This encoded string would then be passed to the article.php script by requesting a URL of the following form (this could be trivially accomplished from a web browser):


Where encodedstring is the previously described base64 encoded string. Base64 encoding can be trivially accomplished with the use of any of a number of simple utilities.
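Added example, not PostNuke's own code: a Python/sqlite3 model of the getusrinfo() flow the advisory describes, with the interpolated query beside a parameterized one so the difference in behaviour on the same decoded input is visible. The "id:name:pass" layout of the base64 user parameter, the user table schema and md5 password storage are assumptions made for the demo.

```python
import base64
import hashlib
import sqlite3

def make_db():
    """Constructed in-memory stand-in for the user table (assumed schema, not PostNuke's)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (uid INTEGER, uname TEXT, pass TEXT)")
    db.execute("INSERT INTO users VALUES (1, 'admin', ?)",
               (hashlib.md5(b"correct-horse").hexdigest(),))
    return db

def encode_user_param(uid, uname, password):
    """Assumed shape of the base64 'user' parameter: 'id:name:pass'."""
    return base64.b64encode(f"{uid}:{uname}:{password}".encode()).decode()

def split_user_param(encoded):
    """Decode the parameter into its three fields, or None if malformed."""
    try:
        parts = base64.b64decode(encoded, validate=True).decode("utf-8").split(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return parts if len(parts) == 3 else None

def getusrinfo_vulnerable(db, encoded):
    """Models the flaw: decoded fields go straight into the WHERE clause unescaped."""
    user3 = split_user_param(encoded)
    if user3 is None:
        return None
    pw_hash = hashlib.md5(user3[2].encode()).hexdigest()  # assumed md5 storage
    sql = (f"SELECT uid, uname FROM users "
           f"WHERE uname='{user3[1]}' AND pass='{pw_hash}'")
    return db.execute(sql).fetchone()

def getusrinfo_fixed(db, encoded):
    """Hardened: bound parameters keep fields as data; the id field must be numeric."""
    user3 = split_user_param(encoded)
    if user3 is None or not user3[0].isdigit():
        return None
    pw_hash = hashlib.md5(user3[2].encode()).hexdigest()
    return db.execute(
        "SELECT uid, uname FROM users WHERE uid=? AND uname=? AND pass=?",
        (int(user3[0]), user3[1], pw_hash)).fetchone()

if __name__ == "__main__":
    db = make_db()
    crafted = encode_user_param(1, "admin' OR uname='admin", "not-the-password")
    print("vulnerable:", getusrinfo_vulnerable(db, crafted))  # -> (1, 'admin')
    print("fixed:     ", getusrinfo_fixed(db, crafted))       # -> None
```

The crafted value puts a quote in the name field, which is the only place the page's "or user=USERNAME" clause can land once the password field is hashed; with bound parameters the same bytes are compared as a literal username and match nothing.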

- Vulnerability information

PostNuke article.php user Parameter SQL Injection
Remote / Network Access Information Disclosure, Input Manipulation
Loss of Confidentiality, Loss of Integrity Upgrade

- Vulnerability description

PostNuke contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'article.php' script not properly sanitizing user-supplied input to the 'user' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database.

- Timeline

2001-10-12 Unknown
Unknown Unknown

- Solution

Upgrade to version 0.64 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- References

- Vulnerability author

Unknown or Incomplete