CVE-2002-0483
CVSS 5.0
Published: 2002-08-12 00:00:00
Last revised: 2008-09-05 16:28:08

[Original] index.php for PHP-Nuke 5.4 and earlier allows remote attackers to determine the physical pathname of the web server when the file parameter is set to index.php, which triggers an error message that leaks the pathname.


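[CNNVD] PHP-Nuke error message web root path information disclosure vulnerability (CNNVD-200208-235)

PHP-Nuke is a popular site-building system written in PHP that allows users to create accounts and organize website content. It runs on Unix and Linux operating systems, and also on Microsoft Windows.
PHP-Nuke mishandles certain malformed web requests, which can lead to disclosure of the absolute path.
An attacker can submit a request with abnormal parameters to the index.php script of a PHP-Nuke system, which causes the corresponding absolute path to be disclosed to the attacker.
An attacker can use this information to carry out further attacks against the target system.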
        

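- CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: NONE [no impact on system integrity]
Availability impact: NONE [no impact on system availability]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]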

- CPE (affected platforms and products)

cpe:/a:francisco_burzi:php-nuke:5.0.1
cpe:/a:francisco_burzi:php-nuke:5.1
cpe:/a:francisco_burzi:php-nuke:5.0
cpe:/a:francisco_burzi:php-nuke:5.2a
cpe:/a:francisco_burzi:php-nuke:5.2
cpe:/a:francisco_burzi:php-nuke:5.4
cpe:/a:francisco_burzi:php-nuke:5.3.1

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0483
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-0483
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200208-235
(official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/4333
(VENDOR_ADVISORY)  BID  4333
http://www.iss.net/security_center/static/8618.php
(VENDOR_ADVISORY)  XF  phpnuke-index-path-disclosure(8618)
http://online.securityfocus.com/archive/1/263337
(VENDOR_ADVISORY)  BUGTRAQ  20020320 Fw: PHPNuke 5.4 Path Disclosure Vulnerability?

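- Vulnerability information

PHP-Nuke error message web root path information disclosure vulnerability
Medium severity  Configuration error
2002-08-12 00:00:00 2005-10-20 00:00:00
Remote

PHP-Nuke is a popular site-building system written in PHP that allows users to create accounts and organize website content. It runs on Unix and Linux operating systems, and also on Microsoft Windows.
PHP-Nuke mishandles certain malformed web requests, which can lead to disclosure of the absolute path.
An attacker can submit a request with abnormal parameters to the index.php script of a PHP-Nuke system, which causes the corresponding absolute path to be disclosed to the attacker.
An attacker can use this information to carry out further attacks against the target system.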
        

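- Advisories and patches

Workaround:
If you cannot install a patch or upgrade immediately, CNNVD recommends taking the following measures to reduce the risk:
* Set "display_errors" to off in php.ini, or set "php_flag display_errors off" in .htaccess.
* Use PHP's error-handling functions to turn off error message reporting.
Vendor patch:
Francisco Burzi
---------------
The vendor has not yet provided a patch or upgrade. We recommend that users of this software watch the vendor's home page for the latest version:

http://www.phpnuke.org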

- Vulnerability information (21349)

PHP Nuke 5.x Error Message Web Root Disclosure Vulnerability (EDBID:21349)
php webapps
2002-03-21 Verified
0 godminus
N/A
source: http://www.securityfocus.com/bid/4333/info

PHP-Nuke is a popular web based Portal system. It allows users to create accounts and contribute content to the site.

A vulnerability has been reported in some versions of PHP-Nuke. Reportedly, a maliciously constructed HTTP request will cause the index.php script to return an error message which includes the full path of the script.

It has been suggested that this is the result of an insecure server configuration. 

http://www.site.com/index.php?file=index.php 		

- Vulnerability information

6243
PHP-Nuke index.php file Variable Path Disclosure
Remote / Network Access Information Disclosure
Loss of Confidentiality
Exploit Public

- Vulnerability description

PHPNuke contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when sending a specially crafted URL request with invalid arguments, which will disclose the path of the web root directory, resulting in a loss of confidentiality.

- Timeline

2002-03-20 Unknown
2002-03-20 Unknown

- Solution

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

- Related references

- Vulnerability author

- Vulnerability information

PHP Nuke Error Message Web Root Disclosure Vulnerability
Configuration Error 4333
Yes No
2002-03-21 12:00:00 2009-07-11 11:56:00
Discovered by godminus <godminus@owns.com>.

- Affected software versions

Francisco Burzi PHP-Nuke 5.4
Francisco Burzi PHP-Nuke 5.3.1
Francisco Burzi PHP-Nuke 5.2 a
Francisco Burzi PHP-Nuke 5.2
Francisco Burzi PHP-Nuke 5.1
Francisco Burzi PHP-Nuke 5.0.1
Francisco Burzi PHP-Nuke 5.0

- Vulnerability discussion

PHP-Nuke is a popular web based Portal system. It allows users to create accounts and contribute content to the site.

A vulnerability has been reported in some versions of PHP-Nuke. Reportedly, a maliciously constructed HTTP request will cause the index.php script to return an error message which includes the full path of the script.

It has been suggested that this is the result of an insecure server configuration.

- Exploit

The following example has been provided by godminus <godminus@owns.com>:

http://www.site.com/index.php?file=index.php

- Solution

Currently the SecurityFocus staff are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- Related references

     

     
