Shoutpro include.php IP Ban Restriction Bypass Vulnerability

Vulnerability ID 1191583 Vulnerability Type Permissions, Privileges, and Access Controls
Published 2007-02-23 Updated 2007-02-23
CVE ID CVE-2006-7047 CNNVD-ID CNNVD-200702-461
Platform N/A CVSS Score 5.0
|Vulnerability Source
https://www.securityfocus.com/bid/86844
https://cxsecurity.com/issue/WLB-2007030001
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200702-461
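|Vulnerability Details
include.php in Shoutpro 1.0 allows remote attackers to bypass IP ban restrictions via a URL in the path parameter, which points to an alternate bannedips.php file.
|Vulnerability EXP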
# if ($path){
# $ips = file("$path/lists/bannedips.php");
# } else {
# $ips = file("lists/bannedips.php");
# }
# if (in_array($REMOTE_ADDR,$ips)) {
# echo($bannedmessage);
# die;

There might be a terminology problem here.

I don't see how this can be used to execute code.  Yes, the file()
call could be used to access a file that the attacker can control, but
the only use of the $ips array is in checking for banned addresses.
The use of file() is not the same as include() or require().

So - attackers could use this to bypass a ban against their IP address
because they can control the ban file, but that's not the same as
"inclusion."

- Steve
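
A hardened form of the ban check discussed in the reply above, as an added example that is not part of the original posts or ShoutPro's own code; the function names, the one-address-per-line list layout and the sample addresses are assumptions constructed for illustration:

```php
<?php
// Added example, not ShoutPro's code. Assumed layout: lists/bannedips.php sits
// beside this script with one address per line.

// Fixed server-side path: no request value reaches file(), so a client cannot
// substitute its own list (file() also accepts URLs when allow_url_fopen is on).
const BAN_LIST = __DIR__ . '/lists/bannedips.php';

// Canonical binary form of an address, or null if the text is not an IP.
function pack_ip(string $text): ?string
{
    $text = trim($text); // file() keeps trailing newlines by default
    if (filter_var($text, FILTER_VALIDATE_IP) === false) {
        return null;
    }
    return inet_pton($text);
}

// Build a lookup set from ban-list lines, skipping anything that is not an IP
// (blank lines, a PHP guard line, comments).
function parse_ban_list(array $lines): array
{
    $banned = [];
    foreach ($lines as $line) {
        $packed = pack_ip($line);
        if ($packed !== null) {
            $banned[$packed] = true;
        }
    }
    return $banned;
}

// Fail closed: an unparseable client address is treated as banned.
function is_banned(string $remoteAddr, array $banned): bool
{
    $packed = pack_ip($remoteAddr);
    return $packed === null || isset($banned[$packed]);
}

// Constructed sample list. In production use $lines = file(BAN_LIST); a false
// return (unreadable list) should deny the request, not skip the check.
$lines = ["<?php die; ?>\n", "203.0.113.7\n", "2001:db8::1\n"];
$banned = parse_ban_list($lines);

foreach (['203.0.113.7', '2001:0db8:0:0:0:0:0:1', '198.51.100.4'] as $addr) {
    // In a web request, pass $_SERVER['REMOTE_ADDR'] instead of a sample value.
    printf("%-24s %s\n", $addr, is_banned($addr, $banned) ? 'banned' : 'allowed');
}
```

Comparing packed addresses rather than raw strings means an IPv6 client is matched regardless of how its address is written.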
|Affected Products
ShoutPro ShoutPro 1.0
|References

Source: XF
Name: shoutpro-include-file-include(27111)
Link: http://xforce.iss.net/xforce/xfdb/27111
Source: BUGTRAQ
Name: 20060613 Re: Shoutpro 1.0 Version - Remote File Include Vulnerability
Link: http://www.securityfocus.com/archive/1/archive/1/436997/30/4410/threaded
Source: BUGTRAQ
Name: 20060613 Shoutpro 1.0 Version - Remote File Include Vulnerability
Link: http://www.securityfocus.com/archive/1/archive/1/436975/30/4440/threaded
Source: SREASON
Name: 2303
Link: http://securityreason.com/securityalert/2303