Affected systems:
DeluxeBB DeluxeBB <= 1.2
Description:
DeluxeBB is a PHP-based forum program.
The forums.php file in DeluxeBB does not properly filter the input of the sort parameter before using it in an SQL query; only the ASC/DESC check that builds the navigation link is performed, and any other value is still interpolated into the ORDER BY clause. This allows a remote attacker to manipulate the SQL query by injecting arbitrary SQL code.
The vulnerable code segment (forums.php, lines 108-132) follows:
    if(!$sort) {
        $sort = 'DESC';
    } elseif($sort=='ASC' || $sort=='DESC') {
        $add .= '&sort='.$sort;
    }
    // note: a $sort value other than ASC/DESC is neither rejected nor reset here,
    // so it reaches the ORDER BY clause below unchanged

    //calculating pages and navigation
    $current_count = 0;
    $tppt = $settings['tppt'];

    //caching censors
    if($settings['censors']!=0) {
        bbcodecache();
    }

    //forum info
    $rows = $db->query("SELECT COUNT(tid) FROM ".$prefix."threads WHERE (lastpostdate>='$posttime' && fid='$fid')");
    $nrows = $db->result($rows);

    $pageinfo = multipage($nrows, $page, $settings['tppf'], "forums.php?fid=$fid");

    include($templatefolder.'/forums_header.dtf');

    //get and format all threads
    $threads = $db->query("SELECT t.*,u.username FROM ".$prefix."threads t LEFT JOIN ".$prefix."users u ON (t.author=u.uid)
        WHERE (t.fid='$fid' && t.lastpostdate>='$posttime') ORDER BY t.pinned $sort,t.lastpostdate $sort LIMIT $pageinfo[0], $pageinfo[1]");
The admincp.php file does not properly filter the request URL before storing it in logs/cp.php. Because the log file has a .php extension, content supplied through $REQUEST_URI is written into an executable PHP file, which allows a remote attacker to inject and execute arbitrary PHP code. The vulnerable code segment (admincp.php, lines 29-41) follows:
    if($settings['cplog']==1 || $logs==1) {
        $time = time();
        $dir = $settings['logpath'];
        @chmod($dir.'/cp.php', 0777);
        // $REQUEST_URI is written verbatim into a .php file
        $string = $_COOKIE['membercookie']."|##|$ip|##|$time|##|$REQUEST_URI\n";
        $filehandle=@fopen($dir.'/cp.php',"a");
        if(!$filehandle) {
            message($lang_wrongfilepermission, $lang_plschmod);
        }
        @flock($filehandle, 2);
        @fwrite($filehandle, $string);
        @fclose($filehandle);
    }
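The following is an added example, not DeluxeBB's own code, showing hardened replacements for the two spots described above: the sort value is allowlisted before it can reach ORDER BY, and the admin log is written to a non-executable file with each field encoded. Function names (normalize_sort, append_cp_log) and the cp.log file name are assumptions.

```php
<?php
// Added example (not DeluxeBB code). Function names are hypothetical.

// forums.php fix: the original only guards the "&sort=" link text, not the
// value interpolated into ORDER BY. Allowlist the value itself so that only
// ASC or DESC can ever appear in the query; anything else falls back to DESC.
function normalize_sort($sort) {
    $allowed = array('ASC', 'DESC');
    if (is_string($sort) && in_array(strtoupper($sort), $allowed, true)) {
        return strtoupper($sort);
    }
    return 'DESC';
}

// admincp.php fix: never append request data to a file with a .php extension
// (any "<?php" in the data becomes executable code). Write a plain .log file
// instead, and URL-encode each field so the "|##|" separator and newlines
// cannot be forged or embedded by the client. The chmod 0777 is dropped.
function append_cp_log($logpath, $member, $ip, $uri) {
    $line = implode('|##|', array(
        rawurlencode((string)$member),
        rawurlencode((string)$ip),
        time(),
        rawurlencode((string)$uri),
    )) . "\n";
    $fh = fopen($logpath . '/cp.log', 'a');
    if (!$fh) {
        return false;
    }
    flock($fh, LOCK_EX);
    fwrite($fh, $line);
    fclose($fh);
    return true;
}

// Constructed sample inputs: a legitimate value and a malformed one.
echo normalize_sort('asc'), "\n";
echo normalize_sort('DESC, (SELECT 1)'), "\n";
echo append_cp_log(sys_get_temp_dir(), 'admin', '127.0.0.1',
                   '/admincp.php?x=<?php echo 1; ?>') ? "logged\n" : "failed\n";
```

A tighter variant of normalize_sort that also rejects the request (rather than silently defaulting) is reasonable when the application prefers to surface tampering in its own error handling.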
Vendor patch:
The vendor has not yet released a patch or upgrade program. Users of this software are advised to monitor the vendor's homepage for the latest version:
http://www.deluxebb.com/
