VBulletin index.php Remote File Inclusion Vulnerability

Vulnerability ID: 1107952    Vulnerability type: Input validation
Published: 2004-05-17    Updated: 2006-09-20
CVE: CVE-2004-2288    CNNVD-ID: CNNVD-200412-147
Platform: PHP    CVSS score: 4.3
|Vulnerability Source
https://www.exploit-db.com/exploits/24124
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200412-147
|Vulnerability Details
vBulletin is a web-based forum application. The 'index.php' script shipped with vBulletin does not adequately filter user-submitted input, and a remote attacker can exploit this to execute arbitrary commands on the system with the privileges of the web server process. Specifically, 'index.php' does not sufficiently filter the 'loc' parameter, so an attacker can name a malicious file on a remote server as the file to be included, which can cause arbitrary commands in that file to be executed with the privileges of the web server process.
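The flaw described above is a 'loc'-style location parameter that reaches an include or frame target without being constrained to local pages. The following PHP is an added illustration written for this entry, not vBulletin's own code: it rejects any value that carries a scheme or host (so remote URLs never reach the include or frame), strips traversal, and then compares the remainder against a short allowlist. The page names in ALLOWED_LOCATIONS are hypothetical.

```php
<?php
// Added example (not vBulletin code): constraining a 'loc'-style parameter
// before it is used as an include path or as the target of a frame.
// The allowlisted page names below are hypothetical.
const ALLOWED_LOCATIONS = [
    'index.php',
    'usertools.php',
    'options.php',
];

/**
 * Returns a safe local script name, or null if the supplied value must be
 * refused. Remote locations (http://..., //host/...) are always refused.
 */
function sanitizeLoc(string $loc): ?string
{
    // Anything that parses with a scheme or host is a remote reference.
    $parts = parse_url($loc);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return null;
    }

    // Drop any query string or fragment before comparing against the allowlist.
    $path = strtok($loc, '?#');
    if ($path === false || $path === '') {
        return null;
    }

    // Refuse null bytes and directory traversal outright.
    if (strpos($path, "\0") !== false || strpos($path, '..') !== false) {
        return null;
    }

    // Normalise a leading slash and require an exact allowlist match.
    $path = ltrim($path, '/');
    return in_array($path, ALLOWED_LOCATIONS, true) ? $path : null;
}

// Vulnerable shape (for contrast only): the raw parameter is used directly,
// so a remote URL supplied in 'loc' becomes the include or frame target.
//   $target = $_GET['loc'];
//   include($target);                       // or: <frame src="$target">

// Hardened shape: fall back to a fixed local page whenever validation fails.
$loc    = isset($_GET['loc']) ? (string) $_GET['loc'] : 'index.php';
$target = sanitizeLoc($loc) ?? 'index.php';

// Output-encode even the validated value when emitting it into HTML.
echo '<frame src="' . htmlspecialchars($target, ENT_QUOTES, 'UTF-8') . '">';
```

With this check, a value such as http://www.example.com or //www.example.com/page is dropped because parse_url reports a scheme or host, while index.php?x=1 is reduced to index.php and accepted only because that name is on the allowlist. As defence in depth on the server side, leaving allow_url_include (and, where possible, allow_url_fopen) disabled in php.ini stops include() from fetching remote files at all, so that even an unvalidated parameter cannot pull code from another host.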
|Vulnerability Exploit
source: http://www.securityfocus.com/bid/10362/info

A weakness has been reported to exist in the VBulletin software that may allow an attacker to spoof parts of the VBulletin interface. The issue exists due to improper validation of user-supplied data.

Remote attackers may potentially exploit this issue, by convincing a VBulletin administrator to follow a specially crafted URI. The URI would contain a URI to a remote attacker owned HTML page as a value for the affected parameter of the 'index.php' script. If the administrator were to follow this link, part of the VBulletin user interface may be spoofed by the attacker.

http://forums.example.com/admincp/index.php?loc=http://www.example.com
|References

Source: BID
Name: 10362
Link: http://www.securityfocus.com/bid/10362
Source: www.infosecurity.org.cn
Link: http://www.infosecurity.org.cn/article/hacker/exploit/16557.html
Source: NSFOCUS
Name: 6469
Link: http://www.nsfocus.net/vulndb/6469