glFusion 1.3.0 – ‘search.php?cat_id’ SQL Injection - 体验盒子

作者： Omar Kurt

日期： 2013-09-10

类别：

webapps

平台：

php

来源：https://www.exploit-db.com/exploits/28185/

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

66

Information

--------------------

Name :SQL Injection Vulnerability in glFusion

Software :glFusion 1.3.0 and possibly below.

Vendor Homepage : http://www.glfusion.org

Vulnerability Type :Blind SQL Injection

Severity :Critical

Researcher :Omar Kurt

Advisory Reference :NS-13-009

Description

--------------------

A dynamic system based on flexible and granular permissions, with spam

protection, forums, file management, media gallery, calendars, polls,

site-wide search, RSS feeds, and more!

Details

--------------------

glFusion is affected by SQL Injection vulnerability in version 1.3.0.

Example PoC url is as follows:

Blind SQL Injection Vulnerability

http://example.com/mediagallery/search.php

POST - param:

cat_id='+(SELECT 1 FROM (SELECT SLEEP(25))A)+'

You can read the full article about SQL Injection vulnerabilities from here

:

http://www.mavitunasecurity.com/sql-injection/

Solution

--------------------

http://www.glfusion.org/article.php/glfusion131

Advisory Timeline

--------------------

05/09/2013 - First contact: No response

05/09/2013 - Vendor replied

05/09/2013 - Shared details

06/09/2013 - Fix released

09/09/2013 - Advisory Released

Credits

--------------------

It has been discovered on testing of Netsparker, Web Application Security

Scanner - http://www.mavitunasecurity.com/netsparker/.

References

--------------------

MSL Advisory Link :

https://www.mavitunasecurity.com/sql-injection-vulnerability-in-glfusion/

Netsparker Advisories :

http://www.mavitunasecurity.com/netsparker-advisories/

About Netsparker

--------------------

Netsparker® can find and report security issues such as SQL Injection and

Cross-site Scripting (XSS) in all web applications regardless of the

platform and the technology they are built on. Netsparker's unique

detection and exploitation techniques allows it to be dead accurate in

reporting hence it's the first and the only False Positive Free web

application security scanner.

--

Netsparker Advisories, <advisories@mavitunasecurity.com>

Homepage, http://www.mavitunasecurity.com/netsparker-advisories/