CVE-2006-2842
CVSS 7.5
Published: 2006-06-06 16:06:00
Revised: 2011-03-07 21:37:07
NMCOS

[Original] ** DISPUTED ** PHP remote file inclusion vulnerability in functions/plugin.php in SquirrelMail 1.4.6 and earlier, if register_globals is enabled and magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary PHP code via a URL in the plugins array parameter. NOTE: this issue has been disputed by third parties, who state that Squirrelmail provides prominent warnings to the administrator when register_globals is enabled. Since the varieties of administrator negligence are uncountable, perhaps this type of issue should not be included in CVE. However, the original developer has posted a security advisory, so there might be relevant real-world environments under which this vulnerability is applicable.


[CNNVD] Squirrelmail plugin.php PHP Remote File Inclusion Vulnerability (CNNVD-200606-129)

        SquirrelMail is a full-featured webmail application written in PHP4 that runs on Linux/Unix-like operating systems. The file functions/plugin.php in SquirrelMail 1.4.6 contains a file inclusion vulnerability: a remote attacker can execute arbitrary PHP code via a URL supplied in the plugins array parameter.
        The relevant code is as follows:

            if (isset($plugins) && is_array($plugins)) {
                foreach ($plugins as $name) {
                    use_plugin($name);
                }
            }
            ...
            function use_plugin ($name) {
                if (file_exists(SM_PATH . "plugins/$name/setup.php")) {
                    include_once(SM_PATH . "plugins/$name/setup.php");
                    $function = "squirrelmail_plugin_init_$name";
                    if (function_exists($function)) {
                        $function();
                    }
                }
            }
            ...

        $plugins is meant to come from the configuration file, but if register_globals is enabled an attacker can define it from the request (plugins[]=...), so every $name passed to use_plugin() is attacker-controlled and arbitrary code can be included and executed.
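The loader quoted above is reproduced below next to a hardened version, as an added example that is not SquirrelMail's own code. The two preconditions in the CVE text are what make the quoted code exploitable: register_globals lets a request variable pre-populate $plugins before the configuration is read, and with magic_quotes_gpc off a NUL byte in the name reaches the filesystem call unescaped; PHP releases of that era truncated paths at the NUL, so a name such as "../../../../etc/passwd\0" satisfies file_exists() despite the appended "/setup.php" and the local file is included (which is why the Bugtraq post calls it a local file inclusion). The hardened loader restricts names to plain identifiers, checks the resolved path stays under the plugins directory, and never reads $plugins from the request. SM_PATH, the plugin names and the sample input are assumptions made for illustration.

```php
<?php
// Added example, not SquirrelMail's own code. SM_PATH, the plugin names
// and the sample list below are assumptions made for illustration.
define('SM_PATH', __DIR__ . '/');

// Shape of the loader quoted in the advisory. With register_globals=On a
// request such as ?plugins[]=... defines $plugins before this code runs,
// so $name is attacker-controlled. With magic_quotes_gpc=Off a NUL byte
// arrives unescaped; PHP releases of the time truncated filesystem paths
// at the NUL, so "../../../../etc/passwd\0" passes file_exists() and is
// included even though "/setup.php" is appended after it.
function use_plugin_vulnerable($name)
{
    if (file_exists(SM_PATH . "plugins/$name/setup.php")) {
        include_once(SM_PATH . "plugins/$name/setup.php");
        $function = "squirrelmail_plugin_init_$name";
        if (function_exists($function)) {
            $function();
        }
    }
}

// Hardened replacement: a plugin name must be a plain identifier, which
// rules out '/', '..', NUL bytes and URL schemes before any path is built.
function valid_plugin_name($name)
{
    return is_string($name) && preg_match('/\A[A-Za-z0-9_]+\z/', $name) === 1;
}

// Returns the names that were actually loaded; rejected names are logged.
function load_plugins(array $configured)
{
    $loaded = array();
    $base = realpath(SM_PATH . 'plugins');
    if ($base === false) {
        return $loaded;                       // no plugins directory at all
    }
    foreach ($configured as $name) {
        if (!valid_plugin_name($name)) {
            // hex-encode so NUL bytes and '..' are visible in the log
            error_log('rejected plugin name: ' .
                (is_string($name) ? bin2hex($name) : gettype($name)));
            continue;
        }
        $setup = realpath($base . "/$name/setup.php");
        // realpath() resolves symlinks and '..'; refuse anything outside $base
        if ($setup === false || strpos($setup, $base . DIRECTORY_SEPARATOR) !== 0) {
            continue;
        }
        include_once $setup;
        $function = "squirrelmail_plugin_init_$name";
        if (function_exists($function)) {
            $function();
        }
        $loaded[] = $name;
    }
    return $loaded;
}

// Take the list only from configuration: reset the variable first so a
// value injected through register_globals cannot survive into the loop.
$plugins = array();
// In SquirrelMail the configuration file would append entries here.
// Constructed input: two plausible plugin names and two hostile ones.
$plugins[] = 'calendar';
$plugins[] = "../../../../etc/passwd\0";
$plugins[] = 'http://attacker.example/shell';
$plugins[] = 'newmail';

// Only names whose plugins/<name>/setup.php exists under SM_PATH are returned;
// the two hostile entries are rejected by valid_plugin_name() and logged.
var_dump(load_plugins($plugins));
```

The code-level checks are defence in depth; the configuration-level fix that the disputing parties rely on is register_globals = Off in php.ini (or php_flag register_globals off in .htaccess under mod_php). register_globals was removed entirely in PHP 5.4, so the injection path no longer exists on current PHP.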

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [may degrade performance or interrupt access to resources]
Access complexity: LOW [no special access conditions are required to exploit]
Access vector: [--]
Authentication: NONE [no authentication is required to exploit]

- CPE (affected platforms and products)

cpe:/a:squirrelmail:squirrelmail:1.4.3a
cpe:/a:squirrelmail:squirrelmail:1.4.3_r3
cpe:/a:squirrelmail:squirrelmail:1.2.6
cpe:/a:squirrelmail:squirrelmail:1.0.4
cpe:/a:squirrelmail:squirrelmail:1.2.1
cpe:/a:squirrelmail:squirrelmail:1.4.2
cpe:/a:squirrelmail:squirrelmail:1.4.6_rc1
cpe:/a:squirrelmail:squirrelmail:1.4.1
cpe:/a:squirrelmail:squirrelmail:1.4.4_rc1
cpe:/a:squirrelmail:squirrelmail:1.2.0
cpe:/a:squirrelmail:squirrelmail:1.4.3
cpe:/a:squirrelmail:squirrelmail:1.2.11
cpe:/a:squirrelmail:squirrelmail:1.2.7
cpe:/a:squirrelmail:squirrelmail:1.4
cpe:/a:squirrelmail:squirrelmail:1.2.10
cpe:/a:squirrelmail:squirrelmail:1.0.5
cpe:/a:squirrelmail:squirrelmail:1.4.4
cpe:/a:squirrelmail:squirrelmail:1.4.3_rc1
cpe:/a:squirrelmail:squirrelmail:1.2.4
cpe:/a:squirrelmail:squirrelmail:1.4.5
cpe:/a:squirrelmail:squirrelmail:1.2.5
cpe:/a:squirrelmail:squirrelmail:1.2.8
cpe:/a:squirrelmail:squirrelmail:1.4.0
cpe:/a:squirrelmail:squirrelmail:1.4.6
cpe:/a:squirrelmail:squirrelmail:1.2.2
cpe:/a:squirrelmail:squirrelmail:1.2.3
cpe:/a:squirrelmail:squirrelmail:1.2.9

- OVAL (technical details for detection)

oval:org.mitre.oval:def:11670 ** DISPUTED ** PHP remote file inclusion vulnerability in functions/plugin.php in SquirrelMail 1.4.6 and earlier, if register_globals is en...
*OVAL describes in detail how to detect this vulnerability; see the referenced OVAL definition for further technical details on detection.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2842
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-2842
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200606-129
(official data source) CNNVD

- Other links and resources

http://www.squirrelmail.org/security/issue/2006-06-01
(PATCH)  CONFIRM  http://www.squirrelmail.org/security/issue/2006-06-01
http://squirrelmail.cvs.sourceforge.net/squirrelmail/squirrelmail/functions/global.php?r1=1.27.2.16&r2=1.27.2.17&view=patch&pathrev=SM-1_4-STABLE
(PATCH)  CONFIRM  http://squirrelmail.cvs.sourceforge.net/squirrelmail/squirrelmail/functions/global.php?r1=1.27.2.16&r2=1.27.2.17&view=patch&pathrev=SM-1_4-STABLE
http://secunia.com/advisories/20406
(VENDOR_ADVISORY)  SECUNIA  20406
http://www.vupen.com/english/advisories/2007/2732
(UNKNOWN)  VUPEN  ADV-2007-2732
http://www.vupen.com/english/advisories/2006/2101
(UNKNOWN)  VUPEN  ADV-2006-2101
http://www.securityfocus.com/bid/18231
(UNKNOWN)  BID  18231
http://www.securityfocus.com/archive/1/archive/1/435605/100/0/threaded
(VENDOR_ADVISORY)  BUGTRAQ  20060601 Squirrelmail local file inclusion
http://securitytracker.com/id?1016209
(UNKNOWN)  SECTRACK  1016209
http://www.securityfocus.com/bid/25159
(UNKNOWN)  BID  25159
http://www.redhat.com/support/errata/RHSA-2006-0547.html
(UNKNOWN)  REDHAT  RHSA-2006:0547
http://www.novell.com/linux/security/advisories/2006_17_sr.html
(UNKNOWN)  SUSE  SUSE-SR:2006:017
http://www.mandriva.com/security/advisories?name=MDKSA-2006:101
(UNKNOWN)  MANDRIVA  MDKSA-2006:101
http://secunia.com/advisories/26235
(UNKNOWN)  SECUNIA  26235
http://secunia.com/advisories/21262
(UNKNOWN)  SECUNIA  21262
http://secunia.com/advisories/21159
(UNKNOWN)  SECUNIA  21159
http://secunia.com/advisories/20931
(UNKNOWN)  SECUNIA  20931
http://lists.apple.com/archives/security-announce//2007/Jul/msg00004.html
(UNKNOWN)  APPLE  APPLE-SA-2007-07-31
http://docs.info.apple.com/article.html?artnum=306172
(UNKNOWN)  CONFIRM  http://docs.info.apple.com/article.html?artnum=306172
ftp://patches.sgi.com/support/free/security/advisories/20060703-01-U.asc
(UNKNOWN)  SGI  20060703-01-P

- Vulnerability information

Squirrelmail plugin.php PHP Remote File Inclusion Vulnerability
High  Input validation
2006-06-06 00:00:00 2006-06-08 00:00:00
Remote

- Advisories and patches

        At the time this entry was written the vendor had not provided a patch or upgrade; users of this software are advised to watch the vendor's homepage for the latest version:
        http://www.squirrelmail.org
        The SquirrelMail advisory and CVS patch listed as (PATCH) CONFIRM under "Other links and resources" above supersede this note.

- Vulnerability information

25973
SquirrelMail functions/plugin.php plugins[] Parameter Local File Inclusion
Remote / Network Access Input Manipulation
Loss of Integrity
Third-party Disputed

- Vulnerability description

Unknown or Incomplete

- Timeline

2006-05-31 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- References

- Credit

Unknown or Incomplete

- Vulnerability information

Squirrelmail Redirect.PHP Local File Include Vulnerability
Input Validation Error 18231
Remote: Yes  Local: No
2006-06-02 12:00:00 2007-08-01 11:35:00
brokejunker@yahoo.com is credited with the discovery of this vulnerability.

- Affected software versions

SuSE SUSE Linux Enterprise Server 8
+ Linux kernel 2.4.21
+ Linux kernel 2.4.19
SuSE SUSE Linux Enterprise Server 10
SuSE SUSE Linux Enterprise Desktop 10
SquirrelMail SquirrelMail 1.4.8
SquirrelMail SquirrelMail 1.4.7
SquirrelMail SquirrelMail 1.4.6 -rc1
SquirrelMail SquirrelMail 1.4.6 -cvs
SquirrelMail SquirrelMail 1.4.6
SquirrelMail SquirrelMail 1.4.5
+ MandrakeSoft Corporate Server 3.0 x86_64
+ MandrakeSoft Corporate Server 3.0
SquirrelMail SquirrelMail 1.4.4 RC1
SquirrelMail SquirrelMail 1.4.4
+ Debian Linux 3.1 sparc
+ Debian Linux 3.1 s/390
+ Debian Linux 3.1 ppc
+ Debian Linux 3.1 mipsel
+ Debian Linux 3.1 mips
+ Debian Linux 3.1 m68k
+ Debian Linux 3.1 ia-64
+ Debian Linux 3.1 ia-32
+ Debian Linux 3.1 hppa
+ Debian Linux 3.1 arm
+ Debian Linux 3.1 alpha
+ Debian Linux 3.1
+ Gentoo Linux
SquirrelMail SquirrelMail 1.4.3 RC1
SquirrelMail SquirrelMail 1.4.3 r3
+ Gentoo Linux
SquirrelMail SquirrelMail 1.4.3 a
+ Conectiva Linux 9.0
+ Red Hat Fedora Core3
+ Red Hat Fedora Core2
SquirrelMail SquirrelMail 1.4.3
SquirrelMail SquirrelMail 1.4.2
+ MandrakeSoft Corporate Server 3.0 x86_64
+ MandrakeSoft Corporate Server 3.0
+ Red Hat Fedora Core2
SquirrelMail SquirrelMail 1.4.1
SquirrelMail SquirrelMail 1.4 RC1
SquirrelMail SquirrelMail 1.4
SGI ProPack 3.0 SP6
S.u.S.E. UnitedLinux 1.0
S.u.S.E. SuSE Linux Standard Server 8.0
S.u.S.E. SuSE Linux School Server for i386
S.u.S.E. SUSE LINUX Retail Solution 8.0
S.u.S.E. Open-Enterprise-Server 9.0
S.u.S.E. Open-Enterprise-Server 1
S.u.S.E. Office Server
S.u.S.E. Novell Linux Desktop 9.0
S.u.S.E. Novell Linux Desktop 1.0
S.u.S.E. Linux Professional 10.0 OSS
S.u.S.E. Linux Professional 10.0
S.u.S.E. Linux Professional 9.3 x86_64
S.u.S.E. Linux Professional 9.3
S.u.S.E. Linux Professional 9.2 x86_64
S.u.S.E. Linux Professional 9.2
S.u.S.E. Linux Professional 9.1 x86_64
S.u.S.E. Linux Professional 9.1
S.u.S.E. Linux Personal 10.0 OSS
S.u.S.E. Linux Personal 9.3 x86_64
S.u.S.E. Linux Personal 9.3
S.u.S.E. Linux Personal 9.2 x86_64
S.u.S.E. Linux Personal 9.2
S.u.S.E. Linux Personal 9.1 x86_64
S.u.S.E. Linux Personal 9.1
S.u.S.E. Linux Personal 10.1
S.u.S.E. Linux Openexchange Server
S.u.S.E. Linux Office Server
S.u.S.E. Linux Enterprise Server for S/390 9.0
S.u.S.E. Linux Enterprise Server for S/390
S.u.S.E. Linux Enterprise Server 9
S.u.S.E. Linux Desktop 1.0
S.u.S.E. Linux Database Server 0
S.u.S.E. Linux Connectivity Server
RedHat Enterprise Linux WS 4
RedHat Enterprise Linux WS 3
RedHat Enterprise Linux ES 4
RedHat Enterprise Linux ES 3
RedHat Desktop 4.0
RedHat Desktop 3.0
Red Hat Enterprise Linux AS 4
Red Hat Enterprise Linux AS 3
MandrakeSoft Corporate Server 3.0 x86_64
MandrakeSoft Corporate Server 3.0
Apple Mac OS X Server 10.4.10
Apple Mac OS X Server 10.4.9
Apple Mac OS X Server 10.4.8
Apple Mac OS X Server 10.4.7
Apple Mac OS X Server 10.4.6
Apple Mac OS X Server 10.4.5
Apple Mac OS X Server 10.4.4
Apple Mac OS X Server 10.4.3
Apple Mac OS X Server 10.4.2
Apple Mac OS X Server 10.4.1
Apple Mac OS X Server 10.4
Apple Mac OS X Server 10.3.9
Apple Mac OS X 10.4.10
Apple Mac OS X 10.4.9
Apple Mac OS X 10.4.8
Apple Mac OS X 10.4.7
Apple Mac OS X 10.4.6
Apple Mac OS X 10.4.5
Apple Mac OS X 10.4.4
Apple Mac OS X 10.4.3
Apple Mac OS X 10.4.2
Apple Mac OS X 10.4.1
Apple Mac OS X 10.4
Apple Mac OS X 10.3.9

- Vulnerability discussion

SquirrelMail is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.

A successful exploit may allow unauthorized users to view files and to execute local scripts; other attacks are also possible.

- Exploit

Attackers can exploit this issue via a web client.

An example URI has been provided:

- Solution

Please see the referenced advisories for more information.


SquirrelMail SquirrelMail 1.4.5

Apple Mac OS X Server 10.3.9

Apple Mac OS X 10.3.9

Apple Mac OS X 10.4.10

Apple Mac OS X Server 10.4.10

- References

 

 
