Ajax File and Image Manager 'data.php' PHP Code Injection Vulnerability

Release date: 2011-11-04
Update date: 2011-11-04

Affected systems:
phpletter Ajax File and Image Manager 1.0
Description:
BUGTRAQ ID: 50523
CVE(CAN) ID: CVE-2011-4825

Ajax File and Image Manager is a tool for managing files and images remotely.

Ajax File and Image Manager 1.0 and other versions contain a static code injection vulnerability in inc/function.base.php that allows remote attackers to inject arbitrary PHP code via a crafted parameter.

<*Source: EgiX (n0b0d13s@gmail.com)
  
  Link: http://www[.]2cto[.]com/Article/201206/134423.html
*>

Test method:

Warning

The following program (method) may be offensive in nature and is provided solely for security research and teaching. Use at your own risk!

--------------------------------------------------------------------------
Ajax File and Image Manager v1.0 Final Remote Code Execution Vulnerability
--------------------------------------------------------------------------

author...........: Egidio Romano aka EgiX
mail.............: n0b0d13s[at]gmail[dot]com
software link....: http://www.phpletter.com/


[-] Vulnerability explanation:

The vulnerable code is located in /ajaxfilemanager/ajax_create_folder.php:

11.   @ob_start();
12.   displayArray($_POST);
13.   writeInfo(@ob_get_clean());

This script starts output buffering at line 11 and then calls the 'displayArray'
function, which simply displays the $_POST array content with the print_r() function;
finally, at line 13, the 'writeInfo' function is called with the current buffer
contents as its parameter (that is, the $_POST array content). Now look at the 'writeInfo'
function body defined in /ajaxfilemanager/inc/function.base.php:

228.  function writeInfo($data, $die = false)
229.  {
230.    $fp = @fopen(dirname(__FILE__) . DIRECTORY_SEPARATOR . 'data.php', 'w+');
231.    @fwrite($fp, $data);
232.    @fwrite($fp, "\n\n" . date('d/M/Y H:i:s') );
233.    @fclose($fp);

It writes the $data parameter into a file called 'data.php' without any check,
so an attacker could inject and execute arbitrary PHP code.
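As an added example (not part of the advisory and not phpletter's code), a hardened replacement for writeInfo() that stores the dump as data rather than as executable PHP, plus a check an administrator can run against an existing data.php. AFM_LOG_DIR is a placeholder assumption for a directory outside the web root.

```php
<?php
// Added example, not phpletter's code. AFM_LOG_DIR is a placeholder for a
// directory outside the web root that the web server user may write to.
define('AFM_LOG_DIR', '/var/log/ajaxfilemanager');

// Hardened replacement for writeInfo(). The safest fix is to stop writing
// request data to disk at all; if a debug trail is kept, it must be stored
// as data, never as code:
//  - non-executable extension, outside the document root;
//  - appended with a timestamp and an exclusive lock instead of overwriting;
//  - newlines flattened so one request cannot forge extra log entries.
function writeInfoHardened($data, $die = false)
{
    if (!is_dir(AFM_LOG_DIR) || !is_writable(AFM_LOG_DIR)) {
        error_log('ajaxfilemanager: log directory missing or not writable');
        return false;
    }
    $path = AFM_LOG_DIR . DIRECTORY_SEPARATOR . 'debug.log';
    $line = '[' . date('d/M/Y H:i:s') . '] '
          . str_replace(array("\r", "\n"), ' ', (string) $data) . "\n";
    $ok = file_put_contents($path, $line, FILE_APPEND | LOCK_EX) !== false;
    if ($die) {
        exit;
    }
    return $ok;
}

// Incident-response check for an existing install: data.php written by the
// original writeInfo() holds only print_r() output and a date, so a PHP open
// tag anywhere in it means request-supplied code has been written to disk.
function dataPhpLooksInjected($path)
{
    if (!is_file($path)) {
        return false;
    }
    return strpos((string) file_get_contents($path), '<?') !== false;
}

// Constructed sample: a request whose parameter carries a PHP tag. Through the
// hardened function it becomes an inert log line instead of executable code.
$sample = array('folder' => '<?php echo "injected"; ?>');
ob_start();
print_r($sample);
writeInfoHardened(ob_get_clean());
var_dump(dataPhpLooksInjected(dirname(__FILE__) . DIRECTORY_SEPARATOR . 'data.php'));
```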


[-] Disclosure timeline:

[21/10/2011] - Vulnerability discovered
[24/10/2011] - Issue reported via e-mail
[25/10/2011] - Vendor replied that a fix will be released in the next version
[04/11/2011] - Public disclosure

Recommendations:
Vendor patch:

phpletter
---------
The vendor has released an upgrade patch to fix this security issue; please download it from the vendor's homepage:

http://www.phpletter.com/

This security vulnerability was translated and compiled by NSFOCUS (绿盟科技). All rights reserved; reproduction without permission is prohibited.