CVE-2001-0383
CVSS 5.0
Published: 2001-06-18 00:00:00
Last revised: 2008-09-05 16:23:58

[Original] banners.php in PHP-Nuke 4.4 and earlier allows remote attackers to modify banner ad URLs by directly calling the Change operation, which does not require authentication.


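[CNNVD] PHP Nuke Remote Ad Banner URL Change Vulnerability (CNNVD-200106-087)

        A vulnerability exists in banners.php in PHP-Nuke 4.4 and earlier. A remote attacker can modify banner ad URLs by directly calling the Change operation, which does not require authentication.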

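- CVSS (Base Score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: NONE [no impact on the confidentiality of the system]
Integrity impact: PARTIAL [may allow system files to be modified]
Availability impact: NONE [no impact on the availability of the system]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]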

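- CPE (Affected Platforms and Products)

Product and version information (CPE) is not currently available

- OVAL (Technical Details for Detection)

No related OVAL definitions found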

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0383
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-0383
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200106-087
(Official data source) CNNVD

- Other Links and Resources

http://phpnuke.org/download.php?dcategory=Fixes
(UNKNOWN)  CONFIRM  http://phpnuke.org/download.php?dcategory=Fixes
http://archives.neohapsis.com/archives/bugtraq/2001-04/0017.html
(VENDOR_ADVISORY)  BUGTRAQ  20010401 Php-nuke exploit...
http://xforce.iss.net/static/6342.php
(UNKNOWN)  XF  php-nuke-url-redirect(6342)
http://www.securityfocus.com/bid/2544
(UNKNOWN)  BID  2544

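- Vulnerability Information

PHP Nuke Remote Ad Banner URL Change Vulnerability
Medium severity, input validation
2001-06-18 00:00:00 2005-05-02 00:00:00
Remote
        A vulnerability exists in banners.php in PHP-Nuke 4.4 and earlier. A remote attacker can modify banner ad URLs by directly calling the Change operation, which does not require authentication.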

- Advisories and Patches

        A fix is available (since 8/03/2001)
        http://phpnuke.org/download.php?dcategory=Fixes
        Francisco Burzi PHP-Nuke 1.0
        
        Francisco Burzi PHP-Nuke 2.5
        
        Francisco Burzi PHP-Nuke 3.0
        
        Francisco Burzi PHP-Nuke 4.0
        
        Francisco Burzi PHP-Nuke 4.3
        
        Francisco Burzi PHP-Nuke 4.4
        

- Vulnerability Information (20729)

PHP Nuke 1.0/2.5/3.0/4.x Remote Ad Banner URL Change Vulnerability (EDBID:20729)
php webapps
2001-04-02 Verified
0 Juan Diego
N/A
source: http://www.securityfocus.com/bid/2544/info

PHP-Nuke is a website creation/maintenance tool written in PHP3.

A PHP-Nuke feature supporting cycling ad banners is subject to interference from a remote user.

A querystring can be submitted to an unpatched server which allows the remote user to specify a new destination URL to be opened in a visitor's browser upon clicking a PHP-nuke site's ad banner.

By changing the click-through destination of a banner ad, an attacker could interfere with the target's ad-based revenue generation.

To change the URL of the first banner, enter the following in your browser:

http://target/banners.php?op=Change&bid=bannerid&url=http://where.to

If we want to change banner number 1 to redirect to

www.you_are_redir

we write

http://www.example.com/banners.php?op=Change&bid=1&url=http://you.are.redir

(where www.example.com is the server running PHP-Nuke)
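
For defenders reviewing an unpatched or recently patched site, the request shape described above can be searched for in web server access logs. The following is an added example, not code from the advisory or from PHP-Nuke; it assumes Apache common/combined log format, and the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = """\
198.51.100.7 - - [02/Apr/2001:10:12:01 +0000] "GET /banners.php?op=click&bid=1 HTTP/1.0" 302 0
198.51.100.9 - - [02/Apr/2001:10:13:44 +0000] "GET /banners.php?op=Change&bid=1&url=http://redirect.example/ HTTP/1.0" 200 512
203.0.113.5 - - [02/Apr/2001:10:15:02 +0000] "GET /nuke/banners.php?op=Change&bid=3&url=http%3A%2F%2Fother.example%2F HTTP/1.0" 200 498
203.0.113.5 - - [02/Apr/2001:10:15:09 +0000] "GET /index.php?op=Change HTTP/1.0" 200 9001
"""

# client, timestamp, request target and status from a common/combined log line
REQUEST_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|HEAD|POST) (\S+) [^"]*" (\d{3})'
)

def find_banner_changes(log_text):
    """Return one dict per logged request that calls banners.php with op=Change.

    Only the query string is inspected: parameters sent in a POST body are
    not written to the access log and are out of reach of this check.
    """
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, when, target, status = m.groups()
        parts = urlsplit(target)
        if not parts.path.lower().endswith("/banners.php"):
            continue
        # parse_qs percent-decodes values, so an encoded url= is still readable
        params = parse_qs(parts.query, keep_blank_values=True)
        if "Change" not in params.get("op", []):
            continue
        hits.append({
            "client": client, "time": when, "status": int(status),
            "bid": params.get("bid", [""])[0],
            "new_url": params.get("url", [""])[0],
        })
    return hits

if __name__ == "__main__":
    for hit in find_banner_changes(SAMPLE_LOG):
        print(hit)
```

Each hit gives the banner id and the destination that was requested, which can be compared against the click-through URLs currently stored for the site's banners.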

- Vulnerability Information

1781
PHP-Nuke banners.php Ad Banner URL Modification
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability Description

- Timeline

2001-04-02 Unknown
2001-04-02 Unknown

- Solution

Products

Unknown or Incomplete

- Related References

- Vulnerability Author

Unknown or Incomplete