Logahead UNU '_widged.php'认证绕过漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1192338 漏洞类型 授权问题
发布时间 2006-12-27 更新时间 2007-01-05
CVE编号 CVE-2006-6783 CNNVD-ID CNNVD-200612-581
漏洞平台 N/A CVSS评分 7.5
|漏洞来源
https://cxsecurity.com/issue/WLB-2006120139
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200612-581
|漏洞详情
Logahead是一款开源的blog软件,具有tagging、拖放等功能。Logahead的extras/plugins/widged/_widged.php脚本中存在认证绕过漏洞,未经认证的攻击者向服务器上传文件。此外,该脚本还没有验证上传文件的扩展名,攻击者上传有任意扩展名(如.php)的文件并在服务器上执行任意PHP代码。
|漏洞EXP
-=[--------------------ADVISORY-------------------]=-
                                              
              logahead UNU edition 1.0     
                                               
  Author: CorryL    [corryl80 (at) gmail (dot) com [email concealed]]   
-=[-----------------------------------------------]=-

-=[+] Application:    logahead UNU edition
-=[+] Version:        1.0
-=[+] Vendor's URL:   http://typo.i24.cc/logahead/ 
-=[+] Platform:       WindowsLinuxUnix
-=[+] Bug type:       Remote Upload file & Code execution
-=[+] Exploitation:   Remote
-=[-]
-=[+] Author:          CorryL  ~ corryl80[at]gmail[dot]com ~
-=[+] Reference:       www.x0n3-h4ck.org
-=[+] Virtual Office:  http://www.kasamba.com/CorryL
-=[+] Irc Chan:        irc.darksin.net #x0n3-h4ck        
-=[+] Special Thanks: Merry Christmas for All, Thanks for all  #x0n3-h4ck member, 
                                  un saluto a tutti gli avolesi nel mondo.

..::[ Descriprion ]::..

You might already have heard of logahead - the ajaxified blogging engine using PHP4 and mySQL database by James from the UK.
The UNU edition is based on the logahead beta 1.0 code published under GNU/GPL license. While the original version sticks to the basic functions of a blog (mainly publishing posts and receiving comments), the UNU edition is more enchanted and offers a number of additional features.

..::[ Bug ]::..

My give searches the form Widgets of this blog is results vulnerability, in fact
a remote attaker is able to upload also a file php, and to perform arbitrary commands
inside the server victim.

..::[ Proof Of Concept ]::..

http://www.server-victim/extras/plugins/widged/_widged.php?A=U&D=

..::[ Disclousure Timeline ]::..

[25/12/2006] - Public disclousure
|参考资料

来源:BID
名称:21743
链接:http://www.securityfocus.com/bid/21743
来源:BUGTRAQ
名称:20061225logaheadUNUedition1.0RemoteFileUpload&codeexecution
链接:http://www.securityfocus.com/archive/1/archive/1/455307/100/0/threaded
来源:VUPEN
名称:ADV-2006-5184
链接:http://www.frsirt.com/english/advisories/2006/5184
来源:SECTRACK
名称:1017444
链接:http://securitytracker.com/id?1017444
来源:SECUNIA
名称:23470
链接:http://secunia.com/advisories/23470
来源:logahead.com
链接:http://logahead.com/forums/comments.php?DiscussionID=216
来源:SREASON
名称:2071
链接:http://securityreason.com/securityalert/2071