
Vulnerability summary

Defect ID: wooyun-2015-098094

Title: Arbitrary file download vulnerability at the China National Environmental Monitoring Centre

Affected vendor: CNCERT (National Computer Network Emergency Response Technical Team/Coordination Center of China)

Author: 假面

Submitted: 2015-02-27 16:54

Fixed: 2015-04-13 16:58

Published: 2015-04-13 16:58

Vulnerability type: arbitrary file traversal/download

Severity: medium

Self-assessed rank: 10

Status: handed over to a third-party partner organization (CNCERT) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-02-27: details sent to the vendor, awaiting vendor response
2015-03-04: vendor confirmed; details visible to the vendor only
2015-03-14: details disclosed to core white hats and domain experts
2015-03-24: details disclosed to regular white hats
2015-04-03: details disclosed to intern white hats
2015-04-13: details disclosed to the public

Brief description:

http://www.cnemc.cn/news/downLoad.jsp?filePath=

Detailed description:

http://www.cnemc.cn/news/downLoad.jsp?filePath=
http://www.cnemc.cn/news/downLoad.jsp?filePath=news/downLoad.jsp

Proof of vulnerability (source of downLoad.jsp as retrieved via the vulnerable parameter):

<%@ page contentType="text/html;charset=gbk"%>
<%@ page import="java.io.File"%>
<%@ page import="java.io.*"%>
<%@ page import="java.net.*"%>
<%

String filePath = request.getParameter("filePath");
String root = request.getRealPath("/");
String fileName = "";
filePath=filePath.replaceAll("..//", "");
filePath=filePath.replaceAll("WEB-INF", "");
String describe = request.getParameter("describe");
File fileInfo = new File(root+filePath);
if (!fileInfo.exists()) {
%>
<script type="text/javascript">
alert("下载文件不存在!");
window.close();
</script>

<%
return;
}else{

fileName = fileInfo.getName();
System.out.println(fileInfo.getAbsolutePath());
}
if(fileName.equals("")){
%>
<script type="text/javascript">
alert("下载文件不存在!");
window.close();
</script>

<%
return;
}
String _fileName = fileName;
StringBuffer s = new StringBuffer(URLEncoder.encode(_fileName,"UTF-8"));
_fileName = s.toString().replaceAll("[+]","%20");
response.reset();
// file extension
String fileExt = "";
int k = _fileName.substring(0,_fileName.indexOf(".")).length();
fileExt = _fileName.substring(k,_fileName.length());
String title = "";
if(!("").equals(describe)){
title = describe+fileExt;
}else{
title = fileName.substring(fileName.indexOf("."),fileName.length());
}
if(title.indexOf("docx") >0){

response.setContentType("application/vnd.openxmlformats-officedocument.wordprocessingml.document; charset=GBK"); //linux
}else if(title.indexOf("xlsx") >0){
response.setContentType("application/vnd.openxmlformats-officedocument.spreadsheetml.sheet; charset=GBK"); //linux
}else if(title.indexOf("pptx")>0){
response.setContentType("application/vnd.openxmlformats-officedocument.presentationml.presentation; charset=GBK"); //linux
}else if(title.indexOf("pdf") >0){
response.setContentType("application/pdf"); //linux
}
else{
response.setContentType("application/octet-stream; charset=GBK"); //linux
}
//response.addHeader("Content-Disposition", "attachment; filename=\""+DateProcess.getNum()+title+"\"");
if (fileName.length() > 22) {
String guessCharset = "gb2312";
_fileName = new String(fileName.getBytes(guessCharset), "ISO8859-1");
}
response.addHeader("Content-Disposition", "attachment; filename="+ new String(title.getBytes("GBK"), "ISO-8859-1"));
if(title.indexOf("pdf") >0){
response.setHeader("Content-Disposition", "inline; filename="+new String(title.getBytes("GBK"), "ISO-8859-1"));
}
OutputStream output = null;
FileInputStream fis = null;
try{

File f = new File(root + filePath);
output = response.getOutputStream();
fis = new FileInputStream(f);

byte[] b = new byte[(int)f.length()];

int i = 0;
while((i = fis.read(b)) > 0){
output.write(b, 0, i);
}
output.flush();
}
catch(Exception e){
e.printStackTrace();
}
finally{
if(fis != null){
fis.close();
fis = null;
}
if(output != null){
output.close();
output = null;
}
response.flushBuffer();
out.clear();
out = pageContext.pushBody();
}
%>

Fix recommendation:

You know better than I do~

Copyright notice: when reposting, credit the source: 假面@乌云
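The page above builds `new File(root + filePath)` straight from the request and only strips the literal strings `..//` and `WEB-INF`, which is why `filePath=news/downLoad.jsp` hands back the JSP source itself. The class below is an added example of the check a defender would put in its place (it is not the site's code; the download directory, the extension allow-list and the sample paths are assumptions): canonicalise, verify containment under a dedicated download directory, then allow-list the extension, rather than trying to blacklist bad substrings.

```java
import java.io.IOException;
import java.nio.file.NoSuchFileException;
import java.nio.file.Path;
import java.util.Set;

/** Added example, not code from the affected site; directory and allow-list are assumed. */
public class SafeDownload {
    // Downloads are served only from this subdirectory of the web root (assumed layout).
    private static final String DOWNLOAD_DIR = "news/files";
    // Only the document types the page is meant to serve (assumed allow-list).
    private static final Set<String> ALLOWED_EXT = Set.of("pdf", "docx", "xlsx", "pptx");

    /**
     * Returns the real path to serve, or null if the request must be refused.
     * Unlike replaceAll("..//", ""), nothing is stripped from the input: the path is
     * canonicalised and then checked for containment, so "..", doubled separators,
     * absolute paths and symlinks are all caught by the same rule.
     */
    public static Path resolve(Path webRoot, String requested) throws IOException {
        if (requested == null || requested.isEmpty() || requested.indexOf('\0') >= 0) {
            return null;
        }
        Path base = webRoot.resolve(DOWNLOAD_DIR).toRealPath();
        // An absolute "requested" replaces base entirely; normalize() collapses "..".
        Path candidate = base.resolve(requested).normalize();
        if (!candidate.startsWith(base)) {
            return null;                      // escapes the download directory
        }
        String name = candidate.getFileName().toString();
        int dot = name.lastIndexOf('.');
        String ext = dot < 0 ? "" : name.substring(dot + 1).toLowerCase();
        if (!ALLOWED_EXT.contains(ext)) {
            return null;                      // refuses e.g. downLoad.jsp or web.xml
        }
        Path real;
        try {
            real = candidate.toRealPath();    // follows symlinks; fails if absent
        } catch (NoSuchFileException e) {
            return null;                      // same outcome as the page's "file not found"
        }
        // Re-check containment on the resolved location in case of a symlink.
        return real.startsWith(base) ? real : null;
    }
}
```

A caller would serve `resolve(Path.of(request.getServletContext().getRealPath("/")), request.getParameter("filePath"))` and return 404 on null, so with the assumed layout `news/files/report.pdf` is served while `news/downLoad.jsp` and any `../` path are refused.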


Vulnerability response

Vendor response:

Severity: medium

Vulnerability rank: 8

Confirmed: 2015-03-04 09:11

Vendor reply:

CNVD has confirmed the described issue and has notified the organization operating the website through the public contact details on the site.

Latest status:

None yet