CVE-2006-2931
CVSS 5.1
Published: 2006-06-21 15:02:00
Last revised: 2011-03-07 21:37:19

[Original text] CMS Mundo before 1.0 build 008 does not properly verify uploaded image files, which allows remote attackers to execute arbitrary PHP code by uploading and later directly accessing certain files.


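[CNNVD] CMS Mundo image file upload arbitrary code execution vulnerability (CNNVD-200606-396)

        CMS Mundo does not properly verify uploaded image files. A remote attacker can execute arbitrary PHP code by uploading certain files and then accessing them directly.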

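- CVSS (base score)

CVSS score: 5.1 [MEDIUM]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [may cause degraded performance or interrupted access to resources]
Attack complexity: HIGH [exploitation requires specific access conditions]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]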

- CPE (affected platforms and products)

cpe:/a:hotwebscripts:cms_mundo:1.0
cpe:/a:hotwebscripts:cms_mundo:1.0_build_007

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2931
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-2931
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200606-396
(Official data source) CNNVD

- Other links and resources

http://www.vupen.com/english/advisories/2006/2348
(UNKNOWN)  VUPEN  ADV-2006-2348
http://securitytracker.com/id?1016311
(UNKNOWN)  SECTRACK  1016311
http://secunia.com/secunia_research/2006-43/advisory/
(VENDOR_ADVISORY)  MISC  http://secunia.com/secunia_research/2006-43/advisory/
http://xforce.iss.net/xforce/xfdb/27094
(UNKNOWN)  XF  cmsmundo-php-file-upload(27094)
http://www.securityfocus.com/archive/1/archive/1/437183/100/200/threaded
(UNKNOWN)  BUGTRAQ  20060614 Secunia Research: CMS Mundo SQL Injection and File Upload Vulnerabilities
http://www.osvdb.org/26465
(UNKNOWN)  OSVDB  26465
http://secunia.com/advisories/20362
(UNKNOWN)  SECUNIA  20362

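- Vulnerability information

CMS Mundo image file upload arbitrary code execution vulnerability
Medium severity  Input validation
2006-06-21 00:00:00 2006-06-22 00:00:00
Remote
        CMS Mundo does not properly verify uploaded image files. A remote attacker can execute arbitrary PHP code by uploading certain files and then accessing them directly.

- Advisories and patches

        No data available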

- Vulnerability information (F47542)

secunia-cmsMundo.txt (PacketStormID:F47542)
2006-06-21 00:00:00
Andreas Sandblad  secunia.com
advisory,vulnerability,sql injection
CVE-2006-2911,CVE-2006-2931

Secunia Research has discovered two vulnerabilities in CMS Mundo version 1.0 build 007, which can be exploited by malicious people to conduct SQL injection attacks and compromise a vulnerable system.

======================================================================

                     Secunia Research 14/06/2006

     - CMS Mundo SQL Injection and File Upload Vulnerabilities -

======================================================================
Table of Contents

Affected Software....................................................1
Severity.............................................................2
Description of Vulnerabilities.......................................3
Solution.............................................................4
Time Table...........................................................5
Credits..............................................................6
References...........................................................7
About Secunia........................................................8
Verification.........................................................9

======================================================================
1) Affected Software

CMS Mundo 1.0 build 007

Prior versions may also be affected.

Product Link:
http://www.hotwebscripts.com/index.php?mod=webshop&function=showDetails&id=76

======================================================================
2) Severity

Rating: Highly critical
Impact: System access, manipulation of data
Where:  From remote

======================================================================
3) Description of Vulnerabilities

Secunia Research has discovered two vulnerabilities in CMS Mundo, 
which can be exploited by malicious people to conduct SQL injection 
attacks and compromise a vulnerable system.

1) Input passed to the "username" parameter in "controlpanel/" 
during login isn't properly sanitised before being used in a 
SQL query. This can be exploited to manipulate SQL queries by 
injecting arbitrary SQL code.

This can further be exploited to bypass the authentication process 
and access the administration section (by e.g. providing 
"admin ' /*" as the username together with an empty password).

Successful exploitation requires that "magic_quotes_gpc" is disabled.

2) An input validation error in the image upload handling in the 
image gallery can be exploited to upload arbitrary PHP scripts to a 
predictable location inside the web root.

Successful exploitation requires access to the administration section.

A combination of vulnerabilities #1 and #2 can be exploited by a 
malicious person to execute arbitrary PHP code on a vulnerable system.

The vulnerabilities have been confirmed in version 1.0 build 007. 
Prior versions may also be affected.

======================================================================
4) Solution

Update to version 1.0 build 008.

======================================================================
5) Time Table

30/05/2006 - Initial vendor notification.
30/05/2006 - Vendor confirms vulnerabilities.
14/06/2006 - Public disclosure.

======================================================================
6) Credits

Discovered by Andreas Sandblad, Secunia Research.

======================================================================
7) References

The Common Vulnerabilities and Exposures (CVE) project has assigned 
CVE-2006-2911 (SQL injection) and 
CVE-2006-2931 (arbitrary file upload) for the vulnerabilities.

======================================================================
8) About Secunia

Secunia collects, validates, assesses, and writes advisories regarding
all the latest software vulnerabilities disclosed to the public. These
advisories are gathered in a publicly available database at the
Secunia website:

http://secunia.com/

Secunia offers services to our customers enabling them to receive all
relevant vulnerability information to their specific system
configuration.

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/secunia_security_advisories/

======================================================================
9) Verification

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2006-43/advisory/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

======================================================================

    

- Vulnerability information

26465
CMS Mundo Image Upload Handling Arbitrary PHP Code Execution
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability description

CMS Mundo contains a flaw that may allow a malicious user to execute arbitrary PHP code. The issue is triggered when a user uploads specific image files, which are not properly verified. The flaw may allow arbitrary PHP scripts to be uploaded and executed, resulting in a loss of integrity.

- Timeline

2006-06-14 Unknown
2006-06-14 Unknown

- Solution

Upgrade to version 1.0 build 008 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Related references

- Vulnerability author
