logahead UNU '_widged.php' 未限制文件上载漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1111854 漏洞类型 代码注入
发布时间 2006-12-25 更新时间 2006-12-31
CVE编号 CVE-2006-6887 CNNVD-ID CNNVD-200612-729
漏洞平台 PHP CVSS评分 6.8
|漏洞来源
https://www.exploit-db.com/exploits/3014
https://www.securityfocus.com/bid/87114
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200612-729
|漏洞详情
logaheadUNU存在未限制文件上载漏洞,远程攻击者可以通过和plugins/widged/_widged.php(WidgEd插件)有关的未明向量来上载和执行任意PHP代码。
|漏洞EXP
-=[--------------------ADVISORY-------------------]=-
                                             
              logahead UNU edition 1.0    
                                              
  Author: CorryL    [corryl80@gmail.com]  
-=[-----------------------------------------------]=-


-=[+] Application:    logahead UNU edition
-=[+] Version:        1.0
-=[+] Vendor's URL:   http://typo.i24.cc/logahead/
-=[+] Platform:       Windows\Linux\Unix
-=[+] Bug type:       Remote Upload file & Code execution
-=[+] Exploitation:   Remote
-=[-]
-=[+] Author:          CorryL  ~ corryl80[at]gmail[dot]com ~
-=[+] Reference:       www.x0n3-h4ck.org
-=[+] Virtual Office:  http://www.kasamba.com/CorryL
-=[+] Irc Chan:        irc.darksin.net #x0n3-h4ck       
-=[+] Special Thanks: Merry Christmas for All, Thanks for all  #x0n3-h4ck member,
                                  un saluto a tutti gli avolesi nel mondo.

..::[ Descriprion ]::..

You might already have heard of logahead - the ajaxified blogging engine using PHP4 and mySQL database by James from the UK.
The UNU edition is based on the logahead beta 1.0 code published under GNU/GPL license. While the original version sticks to 
the basic functions of a blog (mainly publishing posts and receiving comments), the UNU edition is more enchanted and offers 
a number of additional features.


..::[ Bug ]::..

My give searches the form Widgets of this blog is results vulnerability, in fact
a remote attaker is able to upload also a file php, and to perform arbitrary commands
inside the server victim.

..::[ Proof Of Concept ]::..

http://www.server-victim/extras/plugins/widged/_widged.php?A=U&D=


..::[ Disclousure Timeline ]::..

 [25/12/2006] - Public disclousure

# milw0rm.com [2006-12-25]
|受影响的产品
logahead Logahead Unu 1.0
|参考资料

来源:SECUNIA
名称:23470
链接:http://secunia.com/advisories/23470