PHPix Photo Album目录遍历漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1106033 漏洞类型 路径遍历
发布时间 2000-10-07 更新时间 2005-05-02
CVE编号 CVE-2000-0919 CNNVD-ID CNNVD-200012-164
漏洞平台 PHP CVSS评分 5.0
|漏洞来源
https://www.exploit-db.com/exploits/20278
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200012-164
|漏洞详情
PHPixPhotoAlbum1.0.2以及之前版本存在目录遍历漏洞。远程攻击者借助..(点点)攻击读取任意文件。
|漏洞EXP
source: http://www.securityfocus.com/bid/1773/info

PHPix is a web-based photo-album system written in PHP. It is vulnerable to an attack that allows a malicious remote user to view arbitrary files on the target webserver with the privileges of the webserver. The problem is that "../" character sequences can be supplied by the user in an http variable that is used to reference a file on the webservers filesystem. As a result, the attacker can construct a path relative to the current working directory of the webserver using ".."'s and then the target filename/path to read any readable (to the uid of the httpd process) file on the filesystem. The information gained may make it easier to compromise the system in other ways.

Example:

http://target.com/Album/?mode=album&album=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc&dispsize=640&start=0

The above line if given will output all the directories that are nested within /etc
directory. Other more sinister content can be revealed from there.
|参考资料

来源:XF
名称:phpix-dir-traversal
链接:http://xforce.iss.net/static/5331.php
来源:BID
名称:1773
链接:http://www.securityfocus.com/bid/1773
来源:OSVDB
名称:472
链接:http://www.osvdb.org/472
来源:BUGTRAQ
名称:20001007PHPixadvisory
链接:http://archives.neohapsis.com/archives/bugtraq/2000-10/0117.html