PsychoStats 'Server.PHP' Path Disclosure Vulnerability

Vulnerability ID: 1112972
Vulnerability type: Information disclosure
Published: 2007-05-17
Updated: 2007-06-27
CVE: CVE-2007-2780
CNNVD ID: CNNVD-200705-410
Platform: PHP
CVSS score: 5.0
|Vulnerability sources
https://www.exploit-db.com/exploits/30051
https://www.securityfocus.com/bid/24039
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200705-410
|Vulnerability details
PsychoStats allows remote attackers to obtain sensitive information via a request to server.php with a missing or invalid newtheme parameter: the resulting error message discloses the installation path.
|Exploit
source: http://www.securityfocus.com/bid/24039/info

PsychoStats is prone to a path-disclosure issue when invalid data is submitted.

Exploiting this issue can allow an attacker to access sensitive data that may be used to launch further attacks against a vulnerable computer.

PsychoStats 3.0.6b and prior versions are vulnerable to this issue. 

http://www.example.com/[path]/server.php?newcss=styles.css&newtheme=%00
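As an added defender-side example (not code from the advisory or from PsychoStats), the following Python scans web-server access-log lines for requests that fit the pattern described above: a server.php request whose newtheme parameter is missing, empty, or carries a NUL byte (%00). The log lines are constructed, and the pattern for a legitimate theme name is an assumption.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (common log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [18/May/2007:10:02:11 +0000] "GET /stats/server.php?newcss=styles.css&newtheme=%00 HTTP/1.1" 200 1843
203.0.113.5 - - [18/May/2007:10:02:12 +0000] "GET /stats/server.php?newcss=styles.css HTTP/1.1" 200 1790
198.51.100.7 - - [18/May/2007:10:03:40 +0000] "GET /stats/server.php?newcss=styles.css&newtheme=default HTTP/1.1" 200 1022
198.51.100.7 - - [18/May/2007:10:03:41 +0000] "GET /stats/index.php HTTP/1.1" 200 5120
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Assumption: a legitimate theme name is a short token of letters, digits, '_' or '-'.
SAFE_THEME = re.compile(r"^[A-Za-z0-9_-]+$")


def classify_request(target: str) -> Optional[str]:
    """Return why a request target matches the advisory's pattern, or None if it does not."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith("/server.php"):
        return None
    # keep_blank_values=True so 'newtheme=' (empty) is seen rather than dropped;
    # parse_qs percent-decodes, so '%00' arrives as a literal NUL character.
    params = parse_qs(parts.query, keep_blank_values=True)
    values = params.get("newtheme")
    if values is None:
        return "newtheme parameter missing"
    value = values[0]
    if "\x00" in value:
        return "newtheme contains a NUL byte (%00)"
    if not SAFE_THEME.match(value):
        return "newtheme is empty or contains unexpected characters"
    return None


def scan_log(text: str) -> List[Tuple[str, str, str, str]]:
    """Return (ip, timestamp, target, reason) for each log line matching the pattern."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in common log format
        reason = classify_request(m.group("target"))
        if reason:
            hits.append((m.group("ip"), m.group("ts"), m.group("target"), reason))
    return hits
```

Requests with a missing newtheme also appear in normal use, so treat that reason as lower confidence than the NUL-byte case when triaging.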
|Affected products
PsychoStats 2.3 beta, PsychoStats 2.2.4 beta, PsychoStats 2.2.2 beta, PsychoStats 2.2.1 beta, PsychoStats 2.2 beta, Psyc
|References

Source: BID
Name: 24039
Link: http://www.securityfocus.com/bid/24039

Source: FULLDISC
Name: 20070518 Re: PsychoStats 3.0.6b and prior
Link: http://marc.info/?l=full-disclosure&m=117948032428148&w=2

Source: FULLDISC
Name: 20070518 PsychoStats 3.0.6b and prior
Link: http://marc.info/?l=full-disclosure&m=117947165628273&w=2

Source: XF
Name: psychostats-newtheme-information-disclosure(34366)
Link: http://xforce.iss.net/xforce/xfdb/34366