CVE-2006-2914
CVSS 5.1
Published: 2006-06-23 15:06:00
Revised: 2011-03-07 21:37:17

[Original text] PHP remote file inclusion vulnerability in DeluxeBB 1.06 allows remote attackers to execute arbitrary code via a URL in the templatefolder parameter to (1) postreply.php, (2) posting.php, (3) and pm/newpm.php in the deluxe/ directory, and (4) postreply.php, (5) posting.php, and (6) pm/newpm.php in the default/ directory.


[CNNVD] DeluxeBB Multiple Script Remote File Inclusion Vulnerability (CNNVD-200606-488)

        DeluxeBB is a PHP-based forum program.
        DeluxeBB has an input validation vulnerability in its handling of user requests; a remote attacker may exploit it to execute arbitrary commands on the server with the privileges of the web process.
        Multiple DeluxeBB scripts do not adequately check and filter the templatefolder parameter, allowing an attacker to include a script hosted on a remote server via a malicious parameter string and thereby execute PHP code.

- CVSS (base score)

CVSS score: 5.1 [MEDIUM]
Confidentiality impact: PARTIAL [likely to cause information disclosure]
Integrity impact: PARTIAL [may result in system files being modified]
Availability impact: PARTIAL [may cause degraded performance or interrupted access to resources]
Attack complexity: HIGH [exploitation requires specific access conditions]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2914
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-2914
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200606-488
(official data source) CNNVD

- Other links and resources

http://www.vupen.com/english/advisories/2006/2347
(UNKNOWN)  VUPEN  ADV-2006-2347
http://www.securityfocus.com/bid/18455
(UNKNOWN)  BID  18455
http://www.securityfocus.com/archive/1/archive/1/437228/100/100/threaded
(UNKNOWN)  BUGTRAQ  20060614 Secunia Research: DeluxeBB SQL Injection and File Inclusion Vulnerabilities
http://securitytracker.com/id?1016309
(UNKNOWN)  SECTRACK  1016309
http://secunia.com/secunia_research/2006-44/advisory
(VENDOR_ADVISORY)  MISC  http://secunia.com/secunia_research/2006-44/advisory
http://secunia.com/advisories/20152
(VENDOR_ADVISORY)  SECUNIA  20152
http://xforce.iss.net/xforce/xfdb/27090
(UNKNOWN)  XF  deluxebb-templatefolder-file-include(27090)
http://www.securityfocus.com/archive/1/archive/1/438597/100/0/threaded
(UNKNOWN)  BUGTRAQ  20060628 Secunia Research: DeluxeBB SQL Injection and File Inclusion Vulnerabilities
http://www.osvdb.org/26463
(UNKNOWN)  OSVDB  26463
http://www.osvdb.org/26462
(UNKNOWN)  OSVDB  26462
http://www.osvdb.org/26461
(UNKNOWN)  OSVDB  26461
http://www.osvdb.org/26460
(UNKNOWN)  OSVDB  26460
http://www.osvdb.org/26459
(UNKNOWN)  OSVDB  26459
http://www.osvdb.org/26458
(UNKNOWN)  OSVDB  26458
http://securityreason.com/securityalert/1134
(UNKNOWN)  SREASON  1134

- Vulnerability information

DeluxeBB Multiple Script Remote File Inclusion Vulnerability
Medium severity  Input validation
2006-06-23 00:00:00 2006-06-26 00:00:00
Remote
        DeluxeBB is a PHP-based forum program.
        DeluxeBB has an input validation vulnerability in its handling of user requests; a remote attacker may exploit it to execute arbitrary commands on the server with the privileges of the web process.
        Multiple DeluxeBB scripts do not adequately check and filter the templatefolder parameter, allowing an attacker to include a script hosted on a remote server via a malicious parameter string and thereby execute PHP code.

- Advisories and patches

        No data available

- Vulnerability information (1916)

DeluxeBB <= 1.06 (templatefolder) Remote File Include Vulnerabilities (EDBID:1916)
php webapps
2006-06-15 Verified
0 Andreas Sandblad
N/A [click to download]
Secunia Research has discovered some vulnerabilities in DeluxeBB,
which can be exploited by malicious people to conduct SQL injection
attacks and compromise a vulnerable system.

1) Input passed to the "templatefolder" parameter in various scripts
isn't properly verified, before it is used to include files. This can
be exploited to include arbitrary files from external and local
resources.

Examples:
http://[host]/templates/deluxe/postreply.php?templatefolder=[file]
http://[host]/templates/deluxe/posting.php?templatefolder=[file]
http://[host]/templates/deluxe/pm/newpm.php?templatefolder=[file]
http://[host]/templates/default/postreply.php?templatefolder=[file]
http://[host]/templates/default/posting.php?templatefolder=[file]
http://[host]/templates/default/pm/newpm.php?templatefolder=[file]

# milw0rm.com [2006-06-15]

- Vulnerability information (F47543)

secunia-deluxebb.txt (PacketStormID:F47543)
2006-06-21 00:00:00
Andreas Sandblad  secunia.com
exploit,vulnerability,sql injection
CVE-2006-2914,CVE-2006-2915
[click to download]

Secunia Research has discovered some vulnerabilities in DeluxeBB version 1.06, which can be exploited by malicious people to conduct SQL injection attacks and compromise a vulnerable system.

======================================================================

                     Secunia Research 14/06/2006

    - DeluxeBB SQL Injection and File Inclusion Vulnerabilities -

======================================================================
Table of Contents

Affected Software....................................................1
Severity.............................................................2
Description of Vulnerabilities.......................................3
Solution.............................................................4
Time Table...........................................................5
Credits..............................................................6
References...........................................................7
About Secunia........................................................8
Verification.........................................................9

======================================================================
1) Affected Software

DeluxeBB 1.06

Other versions may also be affected.

Product link:
http://www.deluxebb.com/

======================================================================
2) Severity

Rating: Highly critical
Impact: System access, manipulation of data
Where:  From remote

======================================================================
3) Description of Vulnerabilities

Secunia Research has discovered some vulnerabilities in DeluxeBB, 
which can be exploited by malicious people to conduct SQL injection 
attacks and compromise a vulnerable system.

1) Input passed to the "templatefolder" parameter in various scripts 
isn't properly verified, before it is used to include files. This can 
be exploited to include arbitrary files from external and local 
resources.

Examples:
http://[host]/templates/deluxe/postreply.php?templatefolder=[file]
http://[host]/templates/deluxe/posting.php?templatefolder=[file]
http://[host]/templates/deluxe/pm/newpm.php?templatefolder=[file]
http://[host]/templates/default/postreply.php?templatefolder=[file]
http://[host]/templates/default/posting.php?templatefolder=[file]
http://[host]/templates/default/pm/newpm.php?templatefolder=[file]

Successful exploitation requires that "register_globals" is enabled.

2) Input passed to the "hideemail", "languagex", "xthetimeoffset", 
and "xthetimeformat" parameters when registering for an account 
isn't properly sanitised before being used in a SQL query. This can 
be exploited to manipulate SQL queries by injecting arbitrary SQL 
code.

Successful exploitation requires that "magic_quotes_gpc" is disabled.

The vulnerabilities have been confirmed in version 1.06. Other 
versions may also be affected.

======================================================================
4) Solution

Edit the source code to ensure that input is properly sanitised and 
verified.
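As an added illustration (not DeluxeBB's own code, which this page does not reproduce), the include pattern the advisory describes in item 1 and a hardened form of the same step: the folder name is read explicitly from the request, checked against a fixed allow-list, and resolved with realpath() inside the templates directory before it reaches include. All variable names, constants and the directory layout are assumptions.

```php
<?php
// Added example reconstructed from the advisory's description; it is not
// DeluxeBB source. Function, constant and path names are assumed.

// Vulnerable form. With register_globals=On, a request parameter named
// templatefolder silently becomes the global $templatefolder, and an
// unchecked include of it loads and executes whatever path or URL the
// request supplied, with the privileges of the web server process.
function renderVulnerable(): void
{
    global $templatefolder;                       // filled in by register_globals
    include $templatefolder . '/header.php';      // no validation at all
}

// Hardened form. The value is taken explicitly from $_GET, must match a
// fixed allow-list of known template folders, and the final path must
// resolve to a real directory under the templates root.
const TEMPLATE_ROOT = __DIR__ . '/templates';     // assumed layout
const ALLOWED_TEMPLATES = ['default', 'deluxe'];  // assumed folder names

function resolveTemplateFolder(?string $requested): ?string
{
    $name = $requested ?? 'default';
    if (!in_array($name, ALLOWED_TEMPLATES, true)) {
        return null;                              // unknown name: reject
    }
    $root = realpath(TEMPLATE_ROOT);
    $path = realpath(TEMPLATE_ROOT . '/' . $name);
    // realpath() returns false for URLs and for paths that do not exist;
    // the prefix check rejects anything that escaped the root via '..'
    // or a symlink.
    if ($root === false || $path === false
        || strncmp($path, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    return $path;
}

function renderHardened(): void
{
    $folder = resolveTemplateFolder($_GET['templatefolder'] ?? null);
    if ($folder === null) {
        http_response_code(400);
        exit('invalid template');
    }
    include $folder . '/header.php';
}
```

Independently of the code fix, running PHP with register_globals=Off removes the precondition the advisory names, and allow_url_include=Off stops include from fetching remote URLs at all, which is the defence-in-depth setting a practitioner would verify alongside the source change.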

======================================================================
5) Time Table

26/05/2006 - Initial vendor notification.
14/06/2006 - Public disclosure.

======================================================================
6) Credits

Discovered by Andreas Sandblad, Secunia Research.

======================================================================
7) References

The Common Vulnerabilities and Exposures (CVE) project has assigned 
CVE-2006-2914 (file inclusion) and CVE-2006-2915 (SQL injection) 
for the vulnerabilities.

======================================================================
8) About Secunia

Secunia collects, validates, assesses, and writes advisories regarding
all the latest software vulnerabilities disclosed to the public. These
advisories are gathered in a publicly available database at the
Secunia website:

http://secunia.com/

Secunia offers services to our customers enabling them to receive all
relevant vulnerability information to their specific system
configuration.

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/secunia_security_advisories/

======================================================================
9) Verification

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2006-44/advisory/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

======================================================================


- Vulnerability information

26458
DeluxeBB deluxe/postreply.php templatefolder Parameter Remote File Inclusion
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability description

DeluxeBB contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the templates/deluxe/postreply.php script not properly sanitizing user input supplied to the 'templatefolder' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.

- Timeline

2006-06-14 2006-05-26
2006-06-14 Unknown

- Solution

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

- References

- Vulnerability author

- Vulnerability information

DeluxeBB Multiple Remote File Include Vulnerabilities
Input Validation Error 18455
Yes No
2006-06-15 12:00:00 2006-06-28 07:00:00
Andreas Sandblad is credited with the discovery of these vulnerabilities.

- Affected program versions

DeluxeBB DeluxeBB 1.06

- Vulnerability discussion

DeluxeBB is prone to multiple remote file-include vulnerabilities. These issues are due to a failure in the application to properly sanitize user-supplied input.

An attacker can exploit these issues to include arbitrary remote files containing malicious PHP code and execute it in the context of the webserver process. This may allow the attacker to compromise the application and the underlying system; other attacks are also possible.

These issues affect version 1.06; other versions may also be vulnerable.

- Exploit

This issue can be exploited through a web client.

The following proof-of-concept URIs are available:

- Solution

Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- References
