php rrd browser directory traversal vulnerability

Vulnerability ID: 1191685    Vulnerability type: Path traversal
Published: 2007-02-14    Updated: 2007-02-14
CVE: CVE-2007-0929    CNNVD-ID: CNNVD-200702-294
Platform: N/A    CVSS score: 5.0
|Sources
https://www.securityfocus.com/bid/86597
https://cxsecurity.com/issue/WLB-2007020048
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200702-294
|Details
A directory traversal vulnerability exists in php rrd browser. A remote attacker can read arbitrary files via ".." sequences in the p parameter.
|Exploit
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I - TITLE

Security advisory: Arbitrary file disclosure vulnerability in
php rrd browser (prb)

II - SUMMARY

Description: Arbitrary file disclosure vulnerability in
php rrd browser < 0.2.1

Author: Sebastian Wolfgarten (sebastian at wolfgarten dot com),
http://www.devtarget.org

Date: February 11th, 2007

Severity: Medium

References: http://www.devtarget.org/prb-advisory-02-2007.txt

III - OVERVIEW

Quote from sourceforge.net: "Prb stands for php rrd browser, inspired by
rrdbrowse and cacti. A modular framework for creating rrd databases,
updating and graphing data, based on apache, php, mysql and rrdtool. It
will allow you to graph just about anything you like". More information
about the product can be found online at http://prb.sourceforge.net.

IV - DETAILS

Due to improper input validation, the web application "php rrd browser"
(versions <0.2.1) is vulnerable to an arbitrary file disclosure
vulnerability. It allows an unauthenticated remote attacker to read any
file on the remote system if the user the webserver is running as has
permissions to do so. Thus an attacker is able to gain access to
potentially sensitive information.

V - EXPLOIT CODE

The vulnerability is trivial to exploit and only requires specifying a
URL with a relative file path on the remote system such as

http://$target/prb/www/?p=../../../../../../../etc/passwd

As the input to the "p" parameter is not validated in any way, accessing
this URL will expose the contents of /etc/passwd to a remote attacker.

VI - WORKAROUND/FIX

To address this problem, the author of prb (Guillaume Fontaine) has
released an updated version (0.2.1) of the software which is available
at http://prb.sourceforge.net. Hence all users of prb are asked to test
and install this version as soon as possible.

VII - DISCLOSURE TIMELINE

07. February 2007 - Notified vendor
10. February 2007 - Patch released
11. February 2007 - Public disclosure
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFFz0H9d8QFWG1Rza8RAncSAJwMe7l768sWSruW8xsHHexUD1vTYwCgoSnA
xP1J4Bg/qIlNr//YkVbPMhY=
=i7Q0
-----END PGP SIGNATURE-----
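The advisory describes the root cause (the "p" parameter is concatenated into a file path without validation) but does not show prb's code or the 0.2.1 fix. The following is an added example, not code from prb or its author: a hypothetical page loader written in the vulnerable shape the advisory describes, next to a hardened version that applies an allowlist of page names plus a realpath containment check. The page directory, the allowlist entries and the function names are all assumptions made for this illustration.

```php
<?php
// Added example (not prb's own code). Models a page loader that picks a
// file from the "p" request parameter, first in the vulnerable shape the
// advisory describes, then hardened.

declare(strict_types=1);

// Assumed location of the page files served by the application.
const PAGE_DIR = __DIR__ . '/pages';

// Vulnerable pattern: the parameter is appended to a base directory with
// no validation, so p=../../../../../../../etc/passwd walks out of
// PAGE_DIR and discloses whatever the web server user can read.
function load_page_vulnerable(string $p): string
{
    return (string) @file_get_contents(PAGE_DIR . '/' . $p);
}

// Generic check for any parameter that names a file: accept only a plain
// identifier, which rules out "/", "\" and ".." outright.
function is_safe_page_name(string $p): bool
{
    return (bool) preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $p);
}

// Hardened pattern, two independent layers:
//  1. an explicit allowlist of page names (constructed for this example),
//  2. canonicalise the final path and confirm it is still inside PAGE_DIR.
// Returns null for anything that fails either layer.
function load_page_hardened(string $p): ?string
{
    static $allowed = ['index', 'graphs', 'hosts'];
    if (!is_safe_page_name($p) || !in_array($p, $allowed, true)) {
        return null;
    }

    $base = realpath(PAGE_DIR);
    $real = realpath(PAGE_DIR . '/' . $p . '.php');
    if ($base === false || $real === false) {
        return null; // base directory or page file does not exist
    }

    // Containment: the resolved path must begin with "<base><separator>".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }

    return (string) file_get_contents($real);
}

// Small self-check when run from the command line.
if (PHP_SAPI === 'cli') {
    $probe = '../../../../../../../etc/passwd'; // traversal input from the advisory
    var_dump(is_safe_page_name($probe));
    var_dump(is_safe_page_name('graphs'));
    var_dump(load_page_hardened($probe));
}
```

The allowlist alone would already stop the traversal input; the realpath containment check is kept as a second layer so that a later change to how page names are mapped to files cannot silently reopen the issue. Both layers reject the input before any filesystem read takes place.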
|Affected products
Guillaume Fontaine Php Rrd Browser 0.2
|References

Source: sourceforge.net
Link: http://sourceforge.net/project/shownotes.php?group_id=176562&release_id=485414
Source: XF
Name: prb-url-file-disclosure (32425)
Link: http://xforce.iss.net/xforce/xfdb/32425
Source: BUGTRAQ
Name: 20070211 Arbitrary file disclosure vulnerability in php rrd browser < 0.2.1 (prb)
Link: http://www.securityfocus.com/archive/1/archive/1/459804/100/0/threaded
Source: OSVDB
Name: 33693
Link: http://osvdb.org/33693
Source: VIM
Name: 20070213 true: [Full-disclosure] Arbitrary file disclosure vulnerability in php rrd browser < 0.2.1 (prb)
Link: http://attrition.org/pipermail/vim/2007-February/001307.html
Source: SREASON
Name: 2245
Link: http://securityreason.com/securityalert/2245