Simple Machines Forum unset PHP Command Bug Directory Traversal Vulnerability

Vulnerability ID: 1193660
Vulnerability type: Path traversal
Published: 2006-08-31
Updated: 2006-08-31
CVE ID: CVE-2006-4467
CNNVD-ID: CNNVD-200608-521
Platform: N/A
CVSS score: 7.5
|Vulnerability source
https://www.securityfocus.com/bid/83341
https://cxsecurity.com/issue/WLB-2006090003
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200608-521
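|Vulnerability details
Simple Machines Forum (SMF) 1.1RCx versions before 1.1RC3, and 1.0.x versions before 1.0.8, do not properly unset variables when the input data includes a numeric parameter whose value matches the hash value of an alphanumeric parameter. Remote attackers can exploit this to carry out directory traversal attacks to read arbitrary local files, lock topics, and possibly cause other security impacts. Note: it is claimed that this vulnerability is caused by a bug in the PHP unset command and that the proper fix should be provided in PHP, but this claim is currently disputed; if so, this should not be treated as a vulnerability in Simple Machines Forum.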
|Exploit (EXP)
---------Simple Machines Forum <=1.1RC2 unset() vulnerabilities-----------------

--------------------------------------------------------------------------------

software site: http://www.simplemachines.org/

the recently discovered Zend_Hash_Del_Key_Or_Index PHP vulnerability allows users to include arbitrary files from local resources (on Windows boxes) and to lock topics, poc for both:

http://retrogod.altervista.org/smf_11rc2_local_incl.html

http://retrogod.altervista.org/smf_11rc2_lock.html

an interesting reading:

http://www.hardened-php.net/hphp/zend_hash_del_key_or_index_vulnerability.html

SMF team released 1.0.8 and 1.1.rc3 versions to patch these issues

--------------------------------------------------------------------------------

rgod

site: http://retrogod.altervista.org

mail: rgod at autistici.org

--------------------------------------------------------------------------------
|Affected products
Simple Machines Simple Machines Forum 1.1 RC2
Simple Machines Simple Machines Forum 1.0.7
|References

Source: www.simplemachines.org
Link: http://www.simplemachines.org/community/index.php?topic=107135.0
Source: www.simplemachines.org
Link: http://www.simplemachines.org/community/index.php?topic=107112.0
Source: BUGTRAQ
Name: 20060822 Simple Machines Forum <=1.1RC2 unset() vulnerabilities
Link: http://www.securityfocus.com/archive/1/archive/1/444053/100/100/threaded
Source: MISC
Link: http://retrogod.altervista.org/smf_11rc2_lock.html
Source: MISC
Link: http://retrogod.altervista.org/smf_11rc2_local_incl.html
Source: SREASON
Name: 1475
Link: http://securityreason.com/securityalert/1475