Qualiteam X-Cart远程命令执行漏洞-安全小百科

Qualiteam X-Cart远程命令执行漏洞

漏洞ID	1107681	漏洞类型	输入验证
发布时间	2004-02-03	更新时间	2005-10-20
CVE编号	CVE-2004-0241	CNNVD-ID	CNNVD-200411-162
漏洞平台	PHP	CVSS评分	10.0

|漏洞来源

https://www.exploit-db.com/exploits/23637
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200411-162

|漏洞详情

X-Cart是一款基于PHP的电子商务程序。X-Cart没有充分过滤URI的参数值，远程攻击者可以利用这个漏洞以WEB进程权限执行任意命令。问题存在与’admin/general.php’脚本上，由于对[perl_binary]参数值缺少充分过滤，提交任意SHELL命令，可导致以WEB进程权限在系统上执行任意命令。

|漏洞EXP

source: http://www.securityfocus.com/bid/9560/info
 
X-Cart has been reported to be prone to an issue that may allow remote attackers to execute arbitrary commands on the affected system. The issue is caused by a failure of the application to sanitize values specified by parameters in the URI. 

http://server/admin/upgrade.php?prepatch_errorcode=1&patch_files[0][orig_file]=VERSION&perl_binary=/bin/rm -rf &patch_exe=..

|参考资料

来源:BID
名称:9560
链接:http://www.securityfocus.com/bid/9560
来源:XF
名称:xcart-perlbinary-execute-commands(15034)
链接:http://xforce.iss.net/xforce/xfdb/15034
来源:BUGTRAQ
名称:20040203X-Cartvulnerability
链接:http://marc.theaimsgroup.com/?l=bugtraq&m;=107582648326448&w;=2

相关推荐: PvPGN GameReport Packet Handler Remote Buffer Overflow Vulnerability

PvPGN GameReport Packet Handler Remote Buffer Overflow Vulnerability 漏洞ID 1097678 漏洞类型 Boundary Condition Error 发布时间 2004-11-09 更新…

文章版权归作者所有，未经允许请勿转载。

THE END