Sage Content Management System Path Disclosure Vulnerability

Vulnerability ID 1107214 Vulnerability Type Other
Published 2003-02-20 Updated 2006-01-17
CVE ID CVE-2003-1242 CNNVD-ID CNNVD-200312-334
Affected Platform Windows CVSS Score 5.0
|Vulnerability Source
https://www.exploit-db.com/exploits/22269
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200312-334
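|Vulnerability Details
Sage is a content management system written in PHP. Sage does not correctly handle requests for modules that do not exist, and a remote attacker can exploit this vulnerability to obtain the path of the Sage installation directory. When an attacker submits a request with a nonexistent module name, the system returns sensitive information containing the Sage installation directory path, which the attacker can use to carry out further attacks against the system.
|Exploit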
source: http://www.securityfocus.com/bid/6893/info

Sage Content Management System contains a path disclosure vulnerability. When a request is made for a module that does not exist, the returned error message contains the full path to the Sage installation directory.

Disclosed path information could be used to launch further attacks against the system. 

http://hostname/?mod=some_thing&op=browse

http://hostname/?mod=node&nid=some_thing&op=view
|References

Source: BID
Name: 6893
Link: http://www.securityfocus.com/bid/6893
Source: XF
Name: sage-module-path-disclosure(11372)
Link: http://www.iss.net/security_center/static/11372.php
Source: BUGTRAQ
Name: 20030219XSSandPathDisclosureinSage
Link: http://archives.neohapsis.com/archives/bugtraq/2003-02/0236.html
Source: NSFOCUS
Name: 4437
Link: http://www.nsfocus.net/vulndb/4437