TUTOS Arbitrary Code Execution via Direct Access to Uploaded Code Vulnerability

Vulnerability ID 1107386 Vulnerability Type Unknown
Published 2003-06-20 Updated 2003-08-07
CVE ID CVE-2003-0482 CNNVD ID CNNVD-200308-035
Platform PHP CVSS Score 7.5
|Vulnerability Sources
https://www.exploit-db.com/exploits/22819
https://www.securityfocus.com/bid/82758
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200308-035
|Vulnerability Details
TUTOS 1.1 contains a vulnerability. A remote attacker can upload code using file_new.php and then execute that arbitrary code by directly accessing the uploaded file via a request that includes the code's metadata database entry.
|Vulnerability EXP
source: http://www.securityfocus.com/bid/8012/info

It has been reported that Tutos does not properly handle input to the file_new script. Because of this, an attacker may be able to upload arbitrary files to a vulnerable site.

We can upload via http://www.example.com/tutos/file/file_new.php?link_id=1065

The path is http://www.example.com/tutos/repository/[project number]/[file number]/FILE
|Affected Products
Gero Kohnert Tutos 1.1
|References

Source: BUGTRAQ
Name: 20030623 [KSA-001] Multiple vulnerabilities in Tutos
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=105638743109781&w=2