CVE-2006-2911
CVSS 7.5
Published: 2006-06-21 15:02:00
Revised: 2011-03-07 21:37:17

[Original] SQL injection vulnerability in controlpanel/index.php in CMS Mundo before 1.0 build 008 allows remote attackers to execute arbitrary SQL commands via the username parameter.


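[CNNVD] CMS Mundo index.php SQL injection vulnerability (CNNVD-200606-397)

        controlpanel/index.php in CMS Mundo versions before 1.0 build 008 contains a SQL injection vulnerability; remote attackers can execute arbitrary SQL commands via the username parameter.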

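- CVSS (base score)

CVSS score: 7.5 [Severe (HIGH)]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [may allow system files to be modified]
Availability impact: PARTIAL [may cause degraded performance or interrupted access to resources]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]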

- CPE (affected platforms and products)

cpe:/a:hotwebscripts:cms_mundo:1.0
cpe:/a:hotwebscripts:cms_mundo:1.0_build_007

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2911
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-2911
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200606-397
(official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/18451
(PATCH)  BID  18451
http://www.vupen.com/english/advisories/2006/2348
(UNKNOWN)  VUPEN  ADV-2006-2348
http://securitytracker.com/id?1016311
(UNKNOWN)  SECTRACK  1016311
http://secunia.com/secunia_research/2006-43/advisory/
(VENDOR_ADVISORY)  MISC  http://secunia.com/secunia_research/2006-43/advisory/
http://xforce.iss.net/xforce/xfdb/27093
(UNKNOWN)  XF  cmsmundo-username-sql-injection(27093)
http://www.securityfocus.com/archive/1/archive/1/437183/100/200/threaded
(UNKNOWN)  BUGTRAQ  20060614 Secunia Research: CMS Mundo SQL Injection and File Upload Vulnerabilities
http://www.osvdb.org/26464
(UNKNOWN)  OSVDB  26464
http://secunia.com/advisories/20362
(UNKNOWN)  SECUNIA  20362

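- Vulnerability information

CMS Mundo index.php SQL injection vulnerability
High risk  SQL injection
2006-06-21 00:00:00 2006-06-22 00:00:00
Remote
        controlpanel/index.php in CMS Mundo versions before 1.0 build 008 contains a SQL injection vulnerability; remote attackers can execute arbitrary SQL commands via the username parameter.

- Advisories and patches

        The vendor has released version 1.0 build 008 to address this issue.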

- Vulnerability information (F47542)

secunia-cmsMundo.txt (PacketStormID:F47542)
2006-06-21 00:00:00
Andreas Sandblad  secunia.com
advisory,vulnerability,sql injection
CVE-2006-2911,CVE-2006-2931

Secunia Research has discovered two vulnerabilities in CMS Mundo version 1.0 build 007, which can be exploited by malicious people to conduct SQL injection attacks and compromise a vulnerable system.

======================================================================

                     Secunia Research 14/06/2006

     - CMS Mundo SQL Injection and File Upload Vulnerabilities -

======================================================================
Table of Contents

Affected Software....................................................1
Severity.............................................................2
Description of Vulnerabilities.......................................3
Solution.............................................................4
Time Table...........................................................5
Credits..............................................................6
References...........................................................7
About Secunia........................................................8
Verification.........................................................9

======================================================================
1) Affected Software

CMS Mundo 1.0 build 007

Prior versions may also be affected.

Product Link:
http://www.hotwebscripts.com/index.php?mod=webshop&function=
showDetails&id=76

======================================================================
2) Severity

Rating: Highly critical
Impact: System access, manipulation of data
Where:  From remote

======================================================================
3) Description of Vulnerabilities

Secunia Research has discovered two vulnerabilities in CMS Mundo, 
which can be exploited by malicious people to conduct SQL injection 
attacks and compromise a vulnerable system.

1) Input passed to the "username" parameter in "controlpanel/" 
during login isn't properly sanitised before being used in a 
SQL query. This can be exploited to manipulate SQL queries by 
injecting arbitrary SQL code.

This can further be exploited to bypass the authentication process 
and access the administration section (by e.g. providing 
"admin ' /*" as the username together with an empty password).

Successful exploitation requires that "magic_quotes_gpc" is disabled.

2) An input validation error in the image upload handling in the 
image gallery can be exploited to upload arbitrary PHP scripts to a 
predictable location inside the web root.

Successful exploitation requires access to the administration section.

A combination of vulnerabilities #1 and #2 can be exploited by a 
malicious person to execute arbitrary PHP code on a vulnerable system.

The vulnerabilities have been confirmed in version 1.0 build 007. 
Prior versions may also be affected.

======================================================================
4) Solution

Update to version 1.0 build 008.

======================================================================
5) Time Table

30/05/2006 - Initial vendor notification.
30/05/2006 - Vendor confirms vulnerabilities.
14/06/2006 - Public disclosure.

======================================================================
6) Credits

Discovered by Andreas Sandblad, Secunia Research.

======================================================================
7) References

The Common Vulnerabilities and Exposures (CVE) project has assigned 
CVE-2006-2911 (SQL injection) and 
CVE-2006-2931 (arbitrary file upload) for the vulnerabilities.

======================================================================
8) About Secunia

Secunia collects, validates, assesses, and writes advisories regarding
all the latest software vulnerabilities disclosed to the public. These
advisories are gathered in a publicly available database at the
Secunia website:

http://secunia.com/

Secunia offers services to our customers enabling them to receive all
relevant vulnerability information to their specific system
configuration.

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/secunia_security_advisories/

======================================================================
9) Verification

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2006-43/advisory/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

======================================================================
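
The login flaw in item 1 of the advisory, shown as an added example that is not CMS Mundo's code (this page does not reproduce it): a Python/sqlite3 stand-in comparing a login query built by string concatenation with a parameterized one. The table layout, query shape and function names are assumptions, and the `RTRIM` collation stands in for MySQL's default handling of trailing spaces.

```python
import sqlite3

# Username string quoted in the advisory above (used with an empty password).
ADVISORY_USERNAME = "admin ' /*"


def make_db():
    """In-memory stand-in for the CMS user table (constructed schema and data)."""
    db = sqlite3.connect(":memory:")
    # Assumption: COLLATE RTRIM mimics MySQL's default comparison, which
    # ignores trailing spaces, so 'admin ' matches the stored 'admin'.
    db.execute("CREATE TABLE users (username TEXT COLLATE RTRIM, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'constructed-secret')")
    return db


def login_concat(db, username, password):
    """Assumed vulnerable pattern: request input is pasted into the SQL text."""
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    try:
        return db.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return False  # input produced malformed SQL


def login_param(db, username, password):
    """Hardened form: placeholders keep input out of the SQL grammar."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone() is not None


if __name__ == "__main__":
    # The quote closes the string literal and the open comment swallows the
    # password check, so the concatenated query matches on username alone.
    print("concatenated :", login_concat(make_db(), ADVISORY_USERNAME, ""))
    # Bound as data, the same string is just a username that does not exist.
    print("parameterized:", login_param(make_db(), ADVISORY_USERNAME, ""))
```

The advisory's "magic_quotes_gpc" condition fits the same picture: with that PHP setting enabled, the quote in the request is escaped before it reaches the query and cannot close the string literal.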

    

- Vulnerability information

26464
CMS Mundo controlpanel/ username Parameter SQL Injection
Remote / Network Access Information Disclosure, Input Manipulation
Loss of Confidentiality, Loss of Integrity
Exploit Public

- Vulnerability description

CMS Mundo contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to controlpanel/ not properly sanitizing user-supplied input to the 'username' variable during login procedure. This may allow an attacker to inject or manipulate SQL queries in the back-end database.

- Timeline

2006-06-14 Unknown
2006-06-14 Unknown

- Solution

Upgrade to version 1.0 build 008 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Related references

- Vulnerability author

- Vulnerability information

CMS MUNDO Control Panel SQL Injection Vulnerability
Input Validation Error 18451
Yes No
2006-06-14 12:00:00 2006-06-20 07:40:00
Andreas Sandblad of Secunia Research is credited with the discovery of this vulnerability.

- Affected program versions

hotwebscripts CMS Mundo 1.0 build 007
hotwebscripts CMS Mundo 1.0
hotwebscripts CMS Mundo 1.0 build 008

- Unaffected program versions

hotwebscripts CMS Mundo 1.0 build 008

- Vulnerability discussion

CMS Mundo is prone to an SQL injection vulnerability.

An attacker can gain administrative access to the application through exploiting this vulnerability. Other attacks are also possible, depending on the nature of the affected query and the underlying database implementation.

- Exploit

These issues can be exploited through a web client.

- Solution

The vendor has released version 1.0 build 008 to address this issue.

- Related references

 

 
