Vulnerabilities > CVE-2009-1283 - Cryptographic Issues vulnerability in Glfusion
Attack vector
NETWORK Attack complexity
MEDIUM Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
PARTIAL Availability impact
PARTIAL Summary
glFusion before 1.1.3 performs authentication with a user-provided password hash instead of a password, which allows remote attackers to gain privileges by obtaining the hash and using it in the glf_password cookie, aka "User Masquerading." NOTE: this can be leveraged with a separate SQL injection vulnerability to steal hashes.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 9 |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Signature Spoofing by Key Recreation An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.
Exploit-Db
| description | glFusion <= 1.1.2 COM_applyFilter()/cookies Blind SQL Injection Exploit. CVE-2009-1281,CVE-2009-1282,CVE-2009-1283. Webapps exploit for php platform |
| file | exploits/php/webapps/8347.php |
| id | EDB-ID:8347 |
| last seen | 2016-02-01 |
| modified | 2009-04-03 |
| platform | php |
| port | |
| published | 2009-04-03 |
| reporter | Nine:Situations:Group |
| source | https://www.exploit-db.com/download/8347/ |
| title | glFusion <= 1.1.2 COM_applyFilter/cookies Blind SQL Injection Exploit |
| type | webapps |
Seebug
| bulletinFamily | exploit |
| description | BUGTRAQ ID: 34361 CVE(CAN) ID: CVE-2009-1282,CVE-2009-1283 glFusion是一个开源的内容管理系统。 glFusion的private/system/lib-session.php模块没有正确地过滤用户所提交的glf_session cookie参数,远程攻击者可以通过向服务器提交恶意请求执行SQL注入攻击。以下是/private/system/lib-session.php 的97-117行的有漏洞代码段: ... if (isset ($_COOKIE[$_CONF['cookie_session']])) { $sessid = COM_applyFilter ($_COOKIE[$_CONF['cookie_session']]); if ($_SESS_VERBOSE) { COM_errorLog("got $sessid as the session id from lib-sessions.php",1); } $userid = SESS_getUserIdFromSession($sessid, $_CONF['session_cookie_timeout'], $_SERVER['REMOTE_ADDR'], $_CONF['cookie_ip']); if ($_SESS_VERBOSE) { COM_errorLog("Got $userid as User ID from the session ID",1); } if ($userid > 1) { // Check user status $status = SEC_checkUserStatus($userid); if (($status == USER_ACCOUNT_ACTIVE) || ($status == USER_ACCOUNT_AWAITING_ACTIVATION)) { $user_logged_in = 1; SESS_updateSessionTime($sessid, $_CONF['cookie_ip']); 在418-436行的SESS_updateSessionTime()函数中: ... function SESS_updateSessionTime($sessid, $md5_based=0) { global $_TABLES; $newtime = (string) time(); if ($md5_based == 1) { $sql = "UPDATE {$_TABLES['sessions']} SET start_time=$newtime WHERE (md5_sess_id = '$sessid')"; } else { $sql = "UPDATE {$_TABLES['sessions']} SET start_time=$newtime WHERE (sess_id = $sessid)"; //<-------- SQL INJECTION HERE } $result = DB_query($sql); return 1; } ... 如果在通用配置中会话id不是md5()哈希(默认配置),就可以注入SQL语句。 在SESS_getUserIdFromSession()函数的查询中: ... if ($md5_based == 1) { $sql = "SELECT uid FROM {$_TABLES['sessions']} WHERE " . "(md5_sess_id = '$sessid') AND (start_time > $mintime) AND (remote_ip = '$remote_ip')"; } else { $sql = "SELECT uid FROM {$_TABLES['sessions']} WHERE " . "(sess_id = '$sessid') AND (start_time > $mintime) AND (remote_ip = '$remote_ip')"; } ... 这个查询将所提供的sessid值与从会话表中的sessid值(整数)做了比较,而在比较时仅考虑了字符串的第一个整数值,因此函数返回了有效的userid。如果知道了表格中已有的sessid的话,就可以如下在cookie中注入查询: Cookie: glf_session=12345678 [SQL HERE]; glfusion=9999999999; glFusion <= 1.1.2 glFusion -------- 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: <a href=http://www.glfusion.org/filemgmt/visit.php?lid=275 target=_blank rel=external nofollow>http://www.glfusion.org/filemgmt/visit.php?lid=275</a> |
| id | SSV:5032 |
| last seen | 2017-11-19 |
| modified | 2009-04-11 |
| published | 2009-04-11 |
| reporter | Root |
| source | https://www.seebug.org/vuldb/ssvid-5032 |
| title | glFusion lib-session.php模块SQL注入漏洞 |