glFusion是一个开源的内容管理系统。 glFusion的private/system/lib-session.php模块没有正确地过滤用户所提交的glf_session cookie参数,远程攻击者可以通过向服务器提交恶意请求执行SQL注入攻击。以下是/private/system/lib-session.php的97-117行的有漏洞代码段: ... if (isset ($_COOKIE[$_CONF[' cookie_session' ]])) { $sessid = COM_applyFilter ($_COOKIE[$_CONF[' cookie_session' ]]); if ($_SESS_VERBOSE) { COM_errorLog(" got $sessid as the session id from lib-sessions.php" ,1); } $userid = SESS_getUserIdFromSession($sessid, $_CONF[' session_cookie_timeout' ], $_SERVER[' REMOTE_ADDR' ], $_CONF[' cookie_ip' ]); if ($_SESS_VERBOSE) { COM_errorLog(" Got $userid as User ID from the session ID" ,1); } if ($userid < 1) { // Check user status $status = SEC_checkUserStatus($userid); if (($status == USER_ACCOUNT_ACTIVE) || ($status == USER_ACCOUNT_AWAITING_ACTIVATION)) { $user_logged_in = 1; SESS_updateSessionTime($sessid, $_CONF[' cookie_ip' ]); 在418-436行的SESS_updateSessionTime()函数中: ... function SESS_updateSessionTime($sessid, $md5_based=0) { global $_TABLES; $newtime =...
glFusion是一个开源的内容管理系统。 glFusion的private/system/lib-session.php模块没有正确地过滤用户所提交的glf_session cookie参数,远程攻击者可以通过向服务器提交恶意请求执行SQL注入攻击。以下是/private/system/lib-session.php的97-117行的有漏洞代码段: ... if (isset ($_COOKIE[$_CONF[' cookie_session' ]])) { $sessid = COM_applyFilter ($_COOKIE[$_CONF[' cookie_session' ]]); if ($_SESS_VERBOSE) { COM_errorLog(" got $sessid as the session id from lib-sessions.php" ,1); } $userid = SESS_getUserIdFromSession($sessid, $_CONF[' session_cookie_timeout' ], $_SERVER[' REMOTE_ADDR' ], $_CONF[' cookie_ip' ]); if ($_SESS_VERBOSE) { COM_errorLog(" Got $userid as User ID from the session ID" ,1); } if ($userid < 1) { // Check user status $status = SEC_checkUserStatus($userid); if (($status == USER_ACCOUNT_ACTIVE) || ($status == USER_ACCOUNT_AWAITING_ACTIVATION)) { $user_logged_in = 1; SESS_updateSessionTime($sessid, $_CONF[' cookie_ip' ]); 在418-436行的SESS_updateSessionTime()函数中: ... function SESS_updateSessionTime($sessid, $md5_based=0) { global $_TABLES; $newtime = (string) time(); if ($md5_based == 1) { $sql = " UPDATE {$_TABLES[' sessions' ]} SET start_time=$newtime WHERE (md5_sess_id = ' $sessid' )" ; } else { $sql = " UPDATE {$_TABLES[' sessions' ]} SET start_time=$newtime WHERE (sess_id = $sessid)" ; //<-------- SQL INJECTION HERE } $result = DB_query($sql); return 1; } ... 如果在通用配置中会话id不是md5()哈希(默认配置),就可以注入SQL语句。 在SESS_getUserIdFromSession()函数的查询中: ... if ($md5_based == 1) { $sql = " SELECT uid FROM {$_TABLES[' sessions' ]} WHERE " . " (md5_sess_id = ' $sessid' ) AND (start_time < $mintime) AND (remote_ip = ' $remote_ip' )" ; } else { $sql = " SELECT uid FROM {$_TABLES[' sessions' ]} WHERE " . " (sess_id = ' $sessid' ) AND (start_time < $mintime) AND (remote_ip = ' $remote_ip' )" ; } ... 这个查询将所提供的sessid值与从会话表中的sessid值(整数)做了比较,而在比较时仅考虑了字符串的第一个整数值,因此函数返回了有效的userid。如果知道了表格中已有的sessid的话,就可以如下在cookie中注入查询: Cookie: glf_session=12345678 [SQL HERE]; glfusion=9999999999;
