
Humhub ListController.php SQL Injection Vulnerability

     Published: 2015-01-19 13:57:32

CVE-ID: CVE-2014-9528
Published: 2015-01-08
Updated: 2015-01-09
Affected systems:
Humhub Humhub <= 0.10.0-rc.1
Details:

Humhub is an open-source social networking toolkit.

 

In Humhub 0.10.0-rc.1 and earlier, the actionIndex function in protected/modules_core/notification/controllers/ListController.php contains an SQL injection vulnerability. A remote attacker can exploit it through the from parameter of index.php to execute arbitrary SQL commands.


Source:
Jos Wetzels
References:
http://xforce.iss.net/xforce/xfdb/99272
Test method:
Warning: the following program (method) may be offensive in nature and is provided solely for security research and teaching purposes. Users proceed at their own risk!

# Exploit Title: Humhub <= 0.10.0-rc.1 SQL injection vulnerability

# Date: 08-12-2014

# Exploit Author: Jos Wetzels, Emiel Florijn

# Vendor Homepage: https://www.humhub.org

# Software Link: https://github.com/humhub/humhub/releases

# Version: <= 0.10.0-rc.1

 

The Humhub [1] social networking kit versions 0.10.0-rc.1 and prior suffer from an SQL injection vulnerability, which has now been resolved in cooperation with the vendor [2], in its notification listing functionality allowing an attacker to obtain backend database access. In the actionIndex() function located in "/protected/modules_core/notification/controllers/ListController.php" [3] a check is performed on the unsanitized $lastEntryId variable (which is fetched from the 'from' GET parameter) to see if it is greater than 0. However, since PHP uses type-unstrict comparisons and $lastEntryId isn't guaranteed to be an integer, this allows an attacker to prefix their string of choice with any number of integers (so that $lastEntryId gets treated as an integer during the comparison) such that the comparison evaluates to true and $criteria->condition is injected with the otherwise unsanitized $lastEntryId, which can be any SQL injection.
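To make the loose-comparison problem concrete, here is an added example (not Humhub's code and not the vendor's patch) that models the `> 0` check on the `from` value beside a hardened version; the function names, the assumed `id > ...` condition shape and the constructed inputs are illustrative.

```php
<?php
// Added illustration, not Humhub's own code. $lastEntryId stands for the
// raw 'from' GET parameter; the condition shape "id > ..." is assumed.

// Vulnerable pattern: a digit-prefixed string still satisfies "> 0" because
// PHP compares it numerically (PHP <= 7) or as a string (PHP 8), so the
// unvalidated value reaches the query text.
function vulnerableCondition(string $lastEntryId): ?string
{
    if ($lastEntryId > 0) {
        // Tainted value concatenated straight into the WHERE clause.
        return "id > " . $lastEntryId;
    }
    return null;
}

// Hardened version: accept only a genuine positive integer and pass it as a
// bound parameter (Yii 1 CDbCriteria supports ':name' placeholders in $params).
function safeCondition(string $lastEntryId): ?array
{
    $id = filter_var(
        $lastEntryId,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($id === false) {
        return null; // reject anything that is not a positive integer
    }
    return [
        'condition' => 'id > :lastEntryId',
        'params'    => [':lastEntryId' => $id],
    ];
}

// Constructed inputs: a legitimate id and a digit-prefixed non-integer string.
foreach (['42', '999abc'] as $input) {
    var_dump(vulnerableCondition($input)); // both pass the loose "> 0" check
    var_dump(safeCondition($input));       // only '42' is accepted
}
```

Detection-wise, a `from` value that is not purely numeric in requests to `r=notification/list/index` is a useful indicator in web server logs.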

 

Proof of Concept: Performing the following request

 

index.php?r=notification/list/index&from=999) AND (CASE WHEN 0x30<(SELECT substring(password,1,1) FROM user_password WHERE id = 1) THEN 1 ELSE 0 END) AND (1=1

 

Allows an attacker to perform a binary search SQL injection. In addition, the SQL error handling of the function in question allows the attacker to perform a reflected Cross-Site Scripting attack.

 

Proof of Concept: Directing any user to the following link

 

index.php/?r=notification/list/index&from=999) AND ("<iframe src = 'index.php/?r=user/auth/logout'>"=""

 

Will perform a CSRF attack against the target user.

 

It should be noted that the attack requires regular user-level authentication to the humhub system.

 

[*] References:

1. http://humhub.org

2. https://github.com/humhub/humhub/commit/febb89ab823d0bd6246c6cf460addabb6d7a01d4

3. https://github.com/humhub/humhub/blob/e406538ac44f992774e1abd3748ee0a65469829d/protected/modules_core/notification/controllers/ListController.php#L46
Solution:
Vendor patch:

Humhub
------
The vendor has not yet released a patch or upgrade program. We recommend that users of this software monitor the vendor's homepage for the latest version:

 

https://github.com/humhub/humhub/releases