2015-01-05: Details reported to the vendor; awaiting the vendor's handling.
2015-01-10: The vendor has chosen to ignore the vulnerability; details are disclosed to the public.
php.net local file read vulnerability (limited to files under DOCUMENT_ROOT): the whole site's files can be enumerated and downloaded.
The arbitrary file read is at:
http://php.net/cached.php?f=cached.php&t=1419999608
Source of cached.php:
<?php
/* Yes, we know this can be used to view the source for any file in the docroot
   directory. This is intentional and not an LFI vulnerability. The source code
   for everything in the docroot is publicly available at
   https://github.com/php/web-php so there is no vulnerability here. You can't
   use this to view anything that is private. */

$_SERVER['BASE_PAGE'] = 'cached.php';
include_once 'include/prepend.inc';

if (!isset($_GET["f"])) {
    header("Location: http://php.net/");
    exit;
}

$pwd = realpath($_SERVER["DOCUMENT_ROOT"]);
$abs = $pwd . "/" . (string)$_GET["f"];
$abs = realpath($abs);

if (strncmp($abs, $pwd, strlen($pwd)) != 0) {
    header("Location: http://php.net/" . strtr($_GET["f"], array("\r" => "", "\n" => "")));
    exit;
}

if (isset($_GET["t"])) {
    $time = (int)$_GET["t"];
} else {
    $time = filemtime($abs);
}

$tsstring = gmdate("D, d M Y H:i:s ", $time) . "GMT";

if (isset($_SERVER["HTTP_IF_MODIFIED_SINCE"]) && ($_SERVER["HTTP_IF_MODIFIED_SINCE"] == $tsstring)) {
    header("HTTP/1.1 304 Not Modified");
    exit;
}

header("Last-Modified: " . $tsstring);
header("Cache-Control: no-transform,public,max-age=2678400,s-maxage=2678400");

if (substr($abs, -3) == ".js" || substr($abs, -5) == ".json") {
    header("Content-Type: application/javascript");
} elseif (substr($abs, -4) == ".css") {
    header("Content-Type: text/css");
}

readfile($abs);
Because the script checks that the file named by parameter f resolves to a path under the document root, only files under the Document Root can be read, but of any type. For example:
http://php.net/cached.php?f=index.php&t=1419999608
http://php.net/cached.php?f=include/prepend.inc&t=1419999608
http://php.net/cached.php?f=include/pregen-confs.inc&t=1419999608
http://php.net/cached.php?f=/include/pregen-news.inc&t=1419999608
http://php.net/cached.php?f=/include/gpg-keys.inc&t=1419999608
http://php.net/cached.php?f=/images/logo.php&t=1419999608
http://php.net/cached.php?f=/include/manual-lookup.inc&t=1419999608
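A stricter variant of the containment check in cached.php, as an added example that is not php.net's code: it anchors the prefix comparison on the docroot plus a path separator (a bare realpath prefix test also matches a sibling directory whose name merely begins with the docroot's name) and adds an extension allowlist; both choices are mine, and the throwaway files it builds under the system temp directory are constructed so that it runs offline.

```php
<?php
// Added example, not php.net's cached.php: a stricter "inside the docroot?" check.
// The sibling-directory case and the extension allowlist are this example's own choices.

/** Return the absolute path of $requested if it is a regular file inside $docroot
 *  with an allowed extension, or null otherwise. */
function resolve_in_docroot(string $docroot, string $requested, array $allowedExt): ?string
{
    $root = realpath($docroot);
    if ($root === false) {
        return null;
    }
    // realpath() collapses "..", symlinks and repeated separators; missing files give false.
    $abs = realpath($root . DIRECTORY_SEPARATOR . $requested);
    if ($abs === false || !is_file($abs)) {
        return null;
    }
    // Compare against the root plus a trailing separator. A bare prefix comparison
    // (strncmp($abs, $root, strlen($root))) would also accept "<root>2/...", a sibling
    // directory whose name merely starts with the root's name.
    $prefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($abs, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    // Only serve file types meant to be public static assets.
    $ext = strtolower(pathinfo($abs, PATHINFO_EXTENSION));
    return in_array($ext, $allowedExt, true) ? $abs : null;
}
// Constructed layout under the temp dir: <base>/docroot and a sibling <base>/docroot2.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'cached_demo_' . getmypid();
mkdir("$base/docroot/js", 0700, true);
mkdir("$base/docroot2", 0700, true);
file_put_contents("$base/docroot/js/app.js", "console.log('ok');");
file_put_contents("$base/docroot/prepend.inc", "<?php // server-side include");
file_put_contents("$base/docroot2/secret.txt", "sibling directory, must not be served");

$allowed = ['js', 'json', 'css'];
$cases = [
    'static asset inside docroot'       => 'js/app.js',
    'server-side include (type denied)' => 'prepend.inc',
    'sibling dir reached via ..'        => '../docroot2/secret.txt',
];
foreach ($cases as $label => $f) {
    $ok = resolve_in_docroot("$base/docroot", $f, $allowed) !== null;
    printf("%-36s %s\n", $label, $ok ? 'served' : 'refused');
}
// Clean up the constructed files.
foreach (["$base/docroot/js/app.js", "$base/docroot/prepend.inc", "$base/docroot2/secret.txt"] as $p) unlink($p);
foreach (["$base/docroot/js", "$base/docroot", "$base/docroot2", $base] as $d) rmdir($d);
```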
After reading a few source files, I found the search code; it uses an SQLite database: http://php.net/backend/manual-lookup.sqlite
http://php.net/cached.php?f=/backend/index.php&t=1419999608
IP-to-country DB:
http://php.net/backend/ip-to-country.db
One could download all of php.net's source files and audit them one by one for security, but that heavy manual labor is not something I can finish... I don't write PHP myself.
Severity: No impact (vendor ignored)
Ignored at: 2015-01-10 14:10
Vendor response: none