PHP-Nuke Mail CRLF Injection Vulnerability
Published: 2002-12-20
Updated: 2002-12-27
Affected systems:
Francisco Burzi PHP-Nuke 6.5 BETA1
Francisco Burzi PHP-Nuke 6.0
Description:
BUGTRAQ ID: 6446
PHP-Nuke is a website creation and management tool that can use many database products as its back end, such as MySQL, PostgreSQL, mSQL, Interbase and Sybase.
The mail functionality in PHP-Nuke does not properly check user input. A remote attacker can exploit this to embed CR/LF characters followed by arbitrary mail headers.
Several PHP-Nuke features, such as Feedback and Recommend Us, need to send e-mail. They use the PHP mail() function, whose fourth parameter carries additional headers; there is no other parameter for passing headers, so in this case it is used to add From and Reply-To headers. When PHP-Nuke builds this parameter it does not check whether the form data contains CR/LF characters, so an attacker can supply extra header data, and even a message body, which ends up between the real headers and the real body. Using this flaw, an attacker can construct malicious HTML mail and send it to arbitrary users.
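As an added illustration (not code from the advisory or from PHP-Nuke; all function names are hypothetical), the following PHP builds the additional_headers argument the same way the affected modules do, shows how a line break in a form field becomes an extra header line, and applies a sanitizer that removes both CR and LF:

```php
<?php
// Added example, not from the advisory or PHP-Nuke. Function names are
// hypothetical. Nothing here calls mail(); it only builds the headers
// string the way the affected modules do and inspects it.

// Remove CR and LF from one header value. str_replace() with an array
// replaces every listed character, so both line-break bytes are covered.
function remove_crlf($str) {
    return str_replace(array("\r", "\n"), ' ', $str);
}

// True when a value carries no line break and may be placed in a header.
function is_clean_header_value($str) {
    return strpbrk($str, "\r\n") === false;
}

// Build the additional_headers argument the same way the modules do.
function build_headers($yname, $ymail) {
    return "From: \"$yname\" <$ymail>\nX-Mailer: PHP/" . phpversion();
}

// Count physical header lines; more than two means a field injected one.
function header_line_count($headers) {
    return count(preg_split('/\r\n|\r|\n/', $headers));
}

// Constructed sample input: a display name carrying a CR/LF pair.
$name  = "Alice\r\nX-Injected: yes";
$email = 'alice@example.com';

$unsafe = build_headers($name, $email);
$safe   = build_headers(remove_crlf($name), remove_crlf($email));

printf("unsafe headers: %d lines, input clean: %s\n",
    header_line_count($unsafe),
    is_clean_header_value($name) ? 'yes' : 'no');
printf("safe headers:   %d lines, input clean: %s\n",
    header_line_count($safe),
    is_clean_header_value(remove_crlf($name)) ? 'yes' : 'no');
```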
<* Source: Ulf Harnhammer (ulfh@update.uu.se)
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=104040301624022&w=2
*>
Recommendation:
Temporary workaround:
If you cannot install a patch or upgrade immediately, NSFOCUS recommends the following measures to reduce the threat:
* Ulf Harnhammer provides the following third-party patch:
--- html/mainfile.php.old Thu Dec 19 19:17:10 2002
+++ html/mainfile.php Thu Dec 19 19:24:00 2002
@@ -870,4 +870,13 @@
return($ThemeSel);
}
-?>
\ No newline at end of file
+#
+# Security fix
+# Ulf Harnhammar, VSU Security 2002
+#
+
+function removecrlf($str) {
+ return strtr($str, "\015\012", ' ');
+}
+
+?>
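Review bot: the replacement in `return strtr($str, "\015\012", ' ');` only neutralizes CR, because strtr() in its two-string form ignores the characters of `from` that have no counterpart in `to`: `"\015\012"` is two characters and `' '` is one, so `\012` (LF) passes through untouched, and a bare LF is exactly the separator the modules in this patch use between the From and X-Mailer lines. Give `to` the same length, `strtr($str, "\015\012", "  ")`, or use `str_replace(array("\r", "\n"), ' ', $str)`.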
--- html/modules/Feedback/index.php.old Thu Dec 19 19:26:44 2002
+++ html/modules/Feedback/index.php Thu Dec 19 19:28:34 2002
@@ -69,6 +69,8 @@
$send = "no";
}
if ($send != "no") {
+ $sender_name = removecrlf($sender_name); # Security fix
+ $sender_email = removecrlf($sender_email);
$msg = "$sitename\n\n";
$msg .= ""._SENDERNAME.": $sender_name\n";
$msg .= ""._SENDEREMAIL.": $sender_email\n";
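Review bot: `$sender_name` and `$sender_email` are cleaned before they are interpolated into `$msg`, but the mail() call that builds the headers for this module is outside the hunk; please confirm that its headers argument uses only these two sanitized variables and that no other form field is interpolated into it. Also note that removecrlf() lives in mainfile.php, so this module depends on mainfile.php being included before this point.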
@@ -93,4 +95,4 @@
CloseTable();
include("footer.php");
-?>
\ No newline at end of file
+?>
--- html/modules/Journal/friend.php.old Thu Dec 19 21:23:27 2002
+++ html/modules/Journal/friend.php Thu Dec 19 21:25:22 2002
@@ -38,6 +38,11 @@
list ($jtitle) = sql_fetch_row($result, $dbi);
if ($send == 1) {
+ $fname = removecrlf($fname); # Security fix
+ $fmail = removecrlf($fmail);
+ $yname = removecrlf($yname);
+ $ymail = removecrlf($ymail);
+
$subject = ""._INTERESTING." $sitename";
$message = ""._HELLO." $fname:\n\n"._YOURFRIEND." $yname "._CONSIDERED."\n\n\n$jtitle\n"._URL.":
$nukeurl/modules.php?name=$module_name&file=display&jid=$jid\n\n\n"._AREMORE."\n\n---\n$sitename\n$nukeurl";
mail($fmail, $subject, $message, "From: \"$yname\" <$ymail>\nX-Mailer: PHP/" . phpversion());
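Review bot: `$yname` and `$ymail` are cleaned before being placed in `From: \"$yname\" <$ymail>`, and `$fmail` before being used as the recipient, which covers both places where a line break would split the header block; `$fname` only reaches `$message`, so cleaning it is harmless but not required. Stripping CR/LF does not validate `$ymail` or `$fmail` as addresses, so a minimal address format check before the mail() call would tighten this further.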
@@ -82,4 +87,4 @@
journalfoot();
-?>
\ No newline at end of file
+?>
--- html/modules/News/friend.php.old Thu Dec 19 20:05:53 2002
+++ html/modules/News/friend.php Thu Dec 19 20:16:24 2002
@@ -50,6 +50,11 @@
function SendStory($sid, $yname, $ymail, $fname, $fmail) {
global $sitename, $nukeurl, $prefix, $dbi, $module_name;
+ $fname = removecrlf($fname); # Security fix
+ $fmail = removecrlf($fmail);
+ $yname = removecrlf($yname);
+ $ymail = removecrlf($ymail);
+
$result2=sql_query("select title, time, topic from ".$prefix."_stories where sid=$sid",
$dbi);
list($title, $time, $topic) = sql_fetch_row($result2, $dbi);
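Review bot: placing the four removecrlf() calls at the top of SendStory() cleans every parameter before any of them can reach a header, which is the right place for it. The visible body also interpolates `$sid` unquoted into `where sid=$sid`; that is outside the scope of this fix, but casting with intval($sid) before the query would be a cheap addition while this function is being touched.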
@@ -90,4 +95,4 @@
}
-?>
\ No newline at end of file
+?>
--- html/modules/Recommend_Us/index.php.old Thu Dec 19 20:00:45 2002
+++ html/modules/Recommend_Us/index.php Thu Dec 19 20:02:45 2002
@@ -45,6 +45,9 @@
function SendSite($yname, $ymail, $fname, $fmail) {
global $sitename, $slogan, $nukeurl, $module_name;
+ $fmail = removecrlf($fmail); # Security fix
+ $yname = removecrlf($yname);
+ $ymail = removecrlf($ymail);
$subject = ""._INTSITE." $sitename";
$message = ""._HELLO." $fname:\n\n"._YOURFRIEND." $yname "._OURSITE." $sitename "._INTSENT."\n\n\n"._FSITENAME."
$sitename\n$slogan\n"._FSITEURL." $nukeurl\n";
mail($fmail, $subject, $message, "From: \"$yname\" <$ymail>\nX-Mailer: PHP/" . phpversion());
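Review bot: unlike the Journal and News hunks, `$fname` is not passed through removecrlf() here. It only appears in `$message`, not in the headers, so this is a consistency point rather than a gap, but adding the call keeps the four SendSite() parameters treated the same way as SendStory()'s.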
@@ -76,4 +79,4 @@
}
-?>
\ No newline at end of file
+?>
Vendor patch:
Francisco Burzi
---------------
The vendor has not yet released a patch or upgrade. Users of this software are advised to monitor the vendor's homepage for the latest version:
http://www.phpnuke.org