Vulnerability ID: 21866
Risk level: 40
Port: 80, ...
Protocol: TCP
Category: CGI
Description: This PHP iCalendar is vulnerable to a local file include vulnerability via the 'publish.ical.php' script. PHP iCalendar is a web-based calendar viewer / parser written in PHP. The 'publish.ical.php' script in PHP iCalendar version 2.21 and earlier does not require authentication for write access to the calendars directory. This allows a remote attacker to upload arbitrary files. By sending a specially crafted PUT request to the 'publish.ical.php' script with a filename containing a NULL character in the 'X-WR-CALNAME' argument, a remote attacker can upload and execute arbitrary PHP scripts on the affected host.

* References:
http://downloads.securityfocus.com/vulnerabilities/exploits/php-iCalendar-221.upload.php
http://secunia.com/advisories/19285/

* Affected platforms:
PHP iCalendar version 2.21 and earlier
All operating systems, all versions
Solution: Upgrade to the latest version of PHP iCalendar from the SourceForge.net download site at http://sourceforge.net/project/showfiles.php?group_id=62270.

Àӽà Á¶Ä¡¹æ¹ýÀ¸·Î´Â, ¾îÇø®ÄÉÀ̼ÇÀÇ 'config.inc.php' ÆÄÀÏÀ» ÆíÁýÇÏ¿© '$phpicalendar_publishing'À» 0À¸·Î ¼³Á¤ÇÔÀ¸·Î½á calendarÀÇ ¾÷·Îµå(upload) ±â´ÉÀ» ÁßÁö½ÃÄÑ¾ß ÇÑ´Ù.
°ü·Ã URL CVE-2006-1291 (CVE)
°ü·Ã URL 17129 (SecurityFocus)
°ü·Ã URL (ISS)