BUGTRAQ ID: 32348
vBulletin是一款开放源代码的PHP论坛程序。
vBulletin论坛的admincp/admincalendar.php文件没有正确地验证用户提交参数:
-------------------[original source code]------------------
if($_POST['do'] == 'saveholiday')
{
$vbulletin->input->clean_array_gpc('p', array(
'holidayid' => TYPE_INT,
'holidayinfo' => TYPE_ARRAY,
'month1' => TYPE_INT,
'day1' => TYPE_INT,
'month2' => TYPE_INT,
'day2' => TYPE_INT,
'period' => TYPE_INT,
'title' => TYPE_STR,
'description' => TYPE_STR,
));
..
$db->query_write("
UPDATE " . TABLE_PREFIX . "holiday
SET allowsmilies = " . $vbulletin->GPC['holidayinfo']['allowsmilies'] . ",
recuroption = '" . $vbulletin->GPC['holidayinfo']['recuroption'] . "',
recurring = " . $vbulletin->GPC['holidayinfo']['recurring'] . "
WHERE holidayid = " . $vbulletin->GPC['holidayid']
);
------------------[/original source code]------------------
可见未经任何过滤便在UPDATE查询中使用了来自$_POST的数组类型变量holidayinfo,这允许远程攻击者通过提交恶意请求执行SQL注入攻击。
VBulletin 3.7.3 pl1
VBulletin
---------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
<a href=http://www.vbulletin.com/ target=_blank>http://www.vbulletin.com/</a>
共 1 兑换
京公网安备 11010502034610号
暂无评论