BUGTRAQ ID: 30091

1024 CMS is a content management system based on PHP and MySQL.

Multiple file inclusion vulnerabilities exist in 1024 CMS. They allow a malicious user to disclose sensitive information or compromise a vulnerable system.

1) The files themes/blog/layouts/standard.php, themes/default/layouts/standard.php, themes/portfolio/layouts/standard.php and themes/snazzy/layouts/standard.php do not properly validate input to the page_include parameter before using it to include files. This can lead to the inclusion of arbitrary files from local or external resources. Successful exploitation requires that register_globals is enabled.

2) Multiple files do not properly validate input to various parameters before using it to include files. This can lead to the inclusion of arbitrary files from local resources. Successful exploitation requires that magic_quotes_gpc is disabled. The affected parameters and files are listed below.

theme_dir and page parameters:
themes/blog/layouts/standard.php
themes/default/layouts/standard.php
themes/portfolio/layouts/standard.php
themes/snazzy/layouts/standard.php
themes/blog/layouts/total.php
themes/default/layouts/total.php
themes/portfolio/layouts/total.php
themes/snazzy/layouts/total.php

lang parameter:
admin/lang/fr/reports/default.php
lang/en/moderator/default.php
lang/fr/moderator/default.php
lang/de/moderator/default.php

admin_theme_dir parameter:
admin/ops/admins/default.php
admin/ops/reports/ops/download.php
admin/ops/reports/ops/forum.php
admin/ops/reports/ops/news.php

theme_dir parameter:
pages/download/default/ops/add.php
pages/download/default/ops/edit.php
pages/download/default/ops/newest.php
pages/download/default/ops/search.php
pages/download/default/ops/top.php
pages/forum/default/content.php
themes/blog/layouts/basic_footer.php
themes/default/layouts/basic_footer.php
themes/portfolio/layouts/basic_footer.php
themes/snazzy/layouts/basic_footer.php
themes/blog/layouts/basic_header.php
themes/default/layouts/basic_header.php
themes/portfolio/layouts/basic_header.php
themes/snazzy/layouts/basic_header.php

page, page_include and theme_dir parameters:
themes/blog/layouts/print.php
themes/default/layouts/print.php
themes/portfolio/layouts/print.php
themes/snazzy/layouts/print.php

Treble Designs 1024 CMS 1.4.4 RFC
Treble Designs 1024 CMS 1.4.3

Treble Designs
--------------
The vendor has not yet released a patch or upgrade. Users of this software are advised to monitor the vendor's homepage for the latest version:
http://www.1024cms.com/
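As an added example that is not part of this advisory or of 1024 CMS, the following shows the defensive pattern that closes this class of bug: the request parameters are read explicitly (so register_globals is irrelevant) and only allowlisted theme and layout names, taken from the file list above, are ever passed to include. The function name, the allowlists and the themes/<theme>/layouts/<layout>.php directory layout are assumptions.

```php
<?php
// Added example, not 1024 CMS code: a hardened replacement for including a
// layout file directly from request-controlled $theme_dir / $page variables.
// Assumes the themes/<theme>/layouts/<layout>.php layout seen in the advisory.

function resolve_layout(string $themeDir, string $layout): string
{
    // Allowlists built from the theme and layout names in the advisory's file list.
    $allowedThemes  = ['blog', 'default', 'portfolio', 'snazzy'];
    $allowedLayouts = ['standard', 'total', 'print', 'basic_header', 'basic_footer'];

    // Exact-match allowlist: traversal sequences, URLs and stray bytes never reach include().
    if (!in_array($themeDir, $allowedThemes, true) || !in_array($layout, $allowedLayouts, true)) {
        throw new InvalidArgumentException('unknown theme or layout');
    }

    $themesRoot = realpath(__DIR__ . '/themes');
    if ($themesRoot === false) {
        throw new RuntimeException('themes directory missing');
    }

    // Defence in depth: the resolved file must exist and sit under themes/.
    $path   = realpath($themesRoot . "/$themeDir/layouts/$layout.php");
    $prefix = $themesRoot . DIRECTORY_SEPARATOR;
    if ($path === false || strncmp($path, $prefix, strlen($prefix)) !== 0) {
        throw new RuntimeException('layout outside themes directory');
    }
    return $path;
}

// Read parameters explicitly instead of relying on register_globals, so a
// request cannot inject $theme_dir or $page_include as PHP variables. The
// allowlist check above does not depend on the magic_quotes_gpc setting either.
$themeDir = (string) ($_GET['theme_dir'] ?? 'default');
$layout   = (string) ($_GET['page'] ?? 'standard');

try {
    include resolve_layout($themeDir, $layout);
} catch (Exception $e) {
    http_response_code(400);
    echo 'Invalid theme or page';
}
```

The same allowlist approach applies to the lang and admin_theme_dir parameters: map the request value to a fixed set of known names and build the path from that, never from the raw string.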