CVE-2004-0490
CVSS7.2
Published: 2004-08-18 00:00:00
Last revised: 2008-09-05 16:38:33

[Original description] cPanel, when compiling Apache 1.3.29 and PHP with the mod_phpsuexec option, does not set the --enable-discard-path option, which causes php to use the SCRIPT_FILENAME variable to find and execute a script instead of the PATH_TRANSLATED variable, which allows local users to execute arbitrary PHP code as other users via a URL that references the attacker's script after the user's script, which executes the attacker's script with the user's privileges, a different vulnerability than CVE-2004-0529.


[CNNVD] cPanel Local Privilege Escalation Vulnerability (CNNVD-200408-200)

        cPanel, when compiling Apache 1.3.29 and PHP with the mod_phpsuexec option, does not set the --enable-discard-path option, which causes PHP to locate and execute the script through the SCRIPT_FILENAME variable rather than through PATH_TRANSLATED. A local user can execute arbitrary PHP code as another user via a URL that references the attacker's script after that user's script, so the attacker's script runs with the other user's privileges. This is a different vulnerability from CVE-2004-0529.

- CVSS (base score)

CVSS score: 7.2 [HIGH]
Confidentiality impact: COMPLETE [total information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [can result in complete system shutdown]
Access complexity: LOW [no specialised access conditions are needed to exploit]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [no authentication required to exploit]

- CPE (affected platforms and products)

cpe:/a:cpanel:cpanel:9.1
cpe:/a:cpanel:cpanel:6.4.1
cpe:/a:cpanel:cpanel:5.3
cpe:/a:cpanel:cpanel:6.2
cpe:/a:cpanel:cpanel:8.0
cpe:/a:cpanel:cpanel:6.4.2_stable_48
cpe:/a:cpanel:cpanel:6.4
cpe:/a:cpanel:cpanel:9.1.0_r85
cpe:/a:cpanel:cpanel:6.0
cpe:/a:cpanel:cpanel:6.4.2
cpe:/a:cpanel:cpanel:5.0
cpe:/a:cpanel:cpanel:7.0
cpe:/a:cpanel:cpanel:9.0

- OVAL (technical details for detection)

No matching OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0490
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0490
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200408-200
(official data source) CNNVD

- Other links and resources

http://xforce.iss.net/xforce/xfdb/16239
(VENDOR_ADVISORY)  XF  cpanel-modphpsuexec-execute-commands(16239)
http://www.securityfocus.com/bid/10407
(VENDOR_ADVISORY)  BID  10407
http://www.securityfocus.com/archive/1/364112
(UNKNOWN)  BUGTRAQ  20040524 cPanel mod_phpsuexec Vulnerability
http://www.securiteam.com/tools/5TP0N15CUA.html
(VENDOR_ADVISORY)  MISC  http://www.securiteam.com/tools/5TP0N15CUA.html
http://www.a-squad.com/audit/explain10.html
(UNKNOWN)  MISC  http://www.a-squad.com/audit/explain10.html
http://bugzilla.cpanel.net/show_bug.cgi?id=664
(UNKNOWN)  CONFIRM  http://bugzilla.cpanel.net/show_bug.cgi?id=664
http://bugzilla.cpanel.net/show_bug.cgi?id=283
(UNKNOWN)  MISC  http://bugzilla.cpanel.net/show_bug.cgi?id=283

- Vulnerability information

cPanel Local Privilege Escalation Vulnerability
Severity: High    Type: Design error
Published: 2004-08-18 00:00:00    Updated: 2005-10-28 00:00:00
Attack vector: Local
        cPanel, when compiling Apache 1.3.29 and PHP with the mod_phpsuexec option, does not set the --enable-discard-path option, which causes PHP to locate and execute the script through the SCRIPT_FILENAME variable rather than through PATH_TRANSLATED. A local user can execute arbitrary PHP code as another user via a URL that references the attacker's script after that user's script, so the attacker's script runs with the other user's privileges. This is a different vulnerability from CVE-2004-0529.

- Advisories and patches

        It is reported that cPanel has addressed this issue. Customers are advised to contact the vendor for further details regarding obtaining and applying fixes. It is reported that only Apache configurations compiled before April 15, 2004 are vulnerable.

- Vulnerability information (24141)

cPanel 5-9 Local Privilege Escalation Vulnerability (EDBID:24141)
Platform: linux    Type: local
Date: 2004-05-24 (Verified)
Author: Rob Brown
Source: http://www.securityfocus.com/bid/10407/info

cPanel is reported prone to a privilege escalation vulnerability. It is reported that the options used by cPanel to compile Apache 1.3.29 and PHP using the mod_phpsuexec option are insecure. These settings will reportedly permit a local attacker to execute arbitrary code as any user who possesses a PHP file that is published to the Apache web server. 

Run the PHP CGI binary locally with the two variables set in its environment, the non-existent file in PATH_TRANSLATED and an existing PHP file in SCRIPT_FILENAME:

    PATH_TRANSLATED=/gone.php SCRIPT_FILENAME=/usr/local/cpanel/base/frontend/default/phpinfo.php /usr/bin/php

If the above results in a "No input file specified." message then the system is vulnerable. Two caveats when running the check: the path given in SCRIPT_FILENAME must actually exist on the host (if it is missing too, the same error appears whichever variable PHP honoured, and the result means nothing), and a PHP CGI built with cgi.force_redirect enabled prints "Security Alert! The PHP CGI cannot be accessed directly." instead of running; in that case add REDIRECT_STATUS=200 to the environment, as Apache's Action handler would, and rerun.
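The following is an added example, not code from cPanel, Apache, PHP or the advisory's author. It models, in Python, how Apache 1.3 derives SCRIPT_FILENAME, PATH_INFO and PATH_TRANSLATED for a URL of the shape the description mentions (the attacker's script named after the user's script), shows which file each of the two PHP script-selection rules would open and whether its owner differs from the user the request executes as, and wraps the local check above in a function that runs a real PHP CGI binary. The user/docroot layout, the file-ownership table, and the assumption that the suexec wrapper takes the request's uid from the owner of SCRIPT_FILENAME are constructed for the example; the function names are mine.

```python
"""Added example (not cPanel's, Apache's or PHP's code): how Apache 1.3 derives
the CGI variables for /~user/script.php/~attacker/evil.php, which file each PHP
script-selection rule would open, and a wrapper for the advisory's local check.
Users, paths and ownership below are constructed for the example."""
import os
import posixpath
import subprocess
from typing import Dict, Optional, Tuple

# Constructed cPanel-style layout: user -> docroot, and existing file -> owner.
HOMES = {"victim": "/home/victim/public_html",
         "attacker": "/home/attacker/public_html"}
FILES = {"/home/victim/public_html/script.php": "victim",
         "/home/attacker/public_html/evil.php": "attacker"}


def translate(url_path: str) -> Optional[str]:
    """mod_userdir-style mapping of /~user/rest into that user's docroot.
    Anything that normalises to a path outside the docroot is rejected."""
    if not url_path.startswith("/~"):
        return None
    user, _, rest = url_path[2:].partition("/")
    root = HOMES.get(user)
    if root is None:
        return None
    fs = posixpath.normpath(posixpath.join(root, rest)) if rest else root
    return fs if fs == root or fs.startswith(root + "/") else None


def cgi_env(url_path: str) -> Dict[str, str]:
    """Apache shortens the URL until it names an existing file: that file is
    SCRIPT_FILENAME, the remainder is PATH_INFO, and PATH_TRANSLATED is
    PATH_INFO pushed through the same URL-to-file translation (Apache does
    this with a sub-request lookup, so a /~attacker prefix is honoured again)."""
    parts = url_path.split("/")
    for i in range(len(parts), 1, -1):
        script = "/".join(parts[:i])
        fs = translate(script)
        if fs in FILES:
            path_info = "/" + "/".join(parts[i:]) if i < len(parts) else ""
            env = {"SCRIPT_NAME": script, "SCRIPT_FILENAME": fs,
                   "PATH_INFO": path_info}
            if path_info:
                env["PATH_TRANSLATED"] = translate(path_info) or ""
            return env
    raise FileNotFoundError(url_path)


def opened_by_php(env: Dict[str, str], rule: str) -> str:
    """File the PHP CGI opens: 'script_filename' follows SCRIPT_FILENAME,
    'path_translated' prefers PATH_TRANSLATED whenever it is set."""
    if rule == "path_translated" and env.get("PATH_TRANSLATED"):
        return env["PATH_TRANSLATED"]
    return env["SCRIPT_FILENAME"]


def audit(url_path: str) -> Dict[str, Tuple[str, str, bool]]:
    """Per rule: (file opened, its owner, True when that owner is not the uid
    the request runs as).  Assumption for the example: the suexec wrapper
    picks the owner of SCRIPT_FILENAME, the file Apache mapped the URL to."""
    env = cgi_env(url_path)
    request_uid = FILES[env["SCRIPT_FILENAME"]]
    result = {}
    for rule in ("script_filename", "path_translated"):
        opened = opened_by_php(env, rule)
        owner = FILES.get(opened, "?")
        result[rule] = (opened, owner, owner != request_uid)
    return result


def probe_env(existing_script: str, missing: str = "/gone.php") -> Dict[str, str]:
    """Environment for the advisory's check: PATH_TRANSLATED names a file that
    does not exist, SCRIPT_FILENAME one that does.  REDIRECT_STATUS is what
    Apache's Action handler sets; a php-cgi with cgi.force_redirect=1 refuses
    to run without it."""
    return {"PATH_TRANSLATED": missing, "SCRIPT_FILENAME": existing_script,
            "REDIRECT_STATUS": "200", "PATH": "/usr/bin:/bin"}


def classify(output: str) -> str:
    """'No input file specified.' means PHP tried to open the missing
    PATH_TRANSLATED target, the outcome the advisory calls vulnerable."""
    return "vulnerable" if "No input file specified" in output else "not-vulnerable"


def run_probe(php_bin: str = "/usr/bin/php",
              existing_script: str = "/usr/local/cpanel/base/frontend/default/phpinfo.php") -> str:
    """Run the check against a real PHP CGI binary.  The existing script must
    really exist, otherwise both outcomes print the same error."""
    if not os.path.exists(existing_script):
        raise FileNotFoundError(existing_script)
    proc = subprocess.run([php_bin], env=probe_env(existing_script),
                          stdin=subprocess.DEVNULL, capture_output=True, text=True)
    return classify(proc.stdout + proc.stderr)


if __name__ == "__main__":
    for rule, (opened, owner, cross) in audit("/~victim/script.php/~attacker/evil.php").items():
        print(f"{rule:16} opens {opened} (owner {owner}) cross-user={cross}")
```

Running the module prints, for the constructed URL /~victim/script.php/~attacker/evil.php, that the SCRIPT_FILENAME rule opens the victim's own file while the PATH_TRANSLATED rule opens a file owned by attacker under the victim's uid. That is the cross-user execution the advisory describes: the attacker fully controls PATH_TRANSLATED through the trailing part of the URL, so the variable the PHP binary opens has to be the same one the suexec wrapper derived the uid from. run_probe() needs a real binary and an existing target file and is not exercised offline.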

- Vulnerability information (6418)

6418
cPanel mod_phpsuexec Arbitrary Code Execution
Remote / Network Access, Input Manipulation
Loss of Integrity
Exploit Public, Vendor Verified

- Vulnerability description

cPanel contains a flaw that may allow a remote attacker to execute arbitrary code. The problem is that cPanel compiles Apache and PHP with the mod_phpsuexec option. The flaw may allow arbitrary code execution with the privileges of any other user who owns a web-accessible PHP file, resulting in a loss of integrity.

- Timeline

2004-05-23 Unknown
2004-05-23 Unknown

- Solution

Upgrade to version 9.2.0 (build 20) or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- References

- Credit

- Vulnerability information

cPanel Local Privilege Escalation Vulnerability
Class: Design Error    BID: 10407
Remote: No    Local: Yes
Published: 2004-05-24 12:00:00    Updated: 2009-07-12 05:16:00
Discovery of this vulnerability is credited to Rob Brown <rob@asquad.com>.

- Affected program versions

cPanel cPanel 9.1.0-R85
cPanel cPanel 9.1
cPanel cPanel 9.0
cPanel cPanel 8.0
cPanel cPanel 7.0
cPanel cPanel 6.4.2 STABLE_48
cPanel cPanel 6.4.2
cPanel cPanel 6.4.1
cPanel cPanel 6.4
cPanel cPanel 6.2
cPanel cPanel 6.0
cPanel cPanel 5.3
cPanel cPanel 5.0

- Discussion

cPanel is reported prone to a privilege escalation vulnerability. It is reported that the options used by cPanel to compile Apache 1.3.29 and PHP using the mod_phpsuexec option are insecure. These settings will reportedly permit a local attacker to execute arbitrary code as any user who possesses a PHP file that is published to the Apache web server.

- Exploit

The following proof of concept is available. Run the PHP CGI binary locally with the two variables set in its environment, the non-existent file in PATH_TRANSLATED and an existing PHP file in SCRIPT_FILENAME:

    PATH_TRANSLATED=/gone.php SCRIPT_FILENAME=/usr/local/cpanel/base/frontend/default/phpinfo.php /usr/bin/php

If the above results in a "No input file specified." message then the system is vulnerable. The path given in SCRIPT_FILENAME must actually exist on the host; if it is missing too, the same error appears whichever variable PHP honoured, and the result means nothing.

Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com <mailto:vuldb@securityfocus.com>.

- Solution

It is reported that cPanel has addressed this issue. Customers are advised to contact the vendor for further details regarding obtaining and applying fixes. It is reported that only Apache configurations compiled before April 15, 2004 are vulnerable.

- References

