
Vulnerability Summary

Defect ID: wooyun-2015-0106885

Title: EduSoho latest version leaks accessKey and secretKey in two places

Vendor: edusoho.com

Author: izy

Submitted: 2015-04-13 18:16

Fixed: 2015-07-14 09:28

Published: 2015-07-14 09:28

Vulnerability type: sensitive information disclosure

Severity: High

Self-assessed rank: 10

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability Details

Disclosure status:

2015-04-13: details sent to the vendor, awaiting vendor handling
2015-04-15: vendor confirmed; details visible to the vendor only
2015-04-18: details opened to third-party security partners
2015-06-09: details opened to core white hats and domain experts
2015-06-19: details opened to regular white hats
2015-06-29: details opened to intern white hats
2015-07-14: details opened to the public

Brief description:

With the leaked keys an attacker can rebind the site on the EduSoho official site, send cloud SMS to its users, and download and install apps.

Detailed description:

The problem is in the installer script /start-install.php:

<?php
use Composer\Autoload\ClassLoader;
use Topxia\Service\Common\ServiceKernel;
use Topxia\Service\User\CurrentUser;
use Topxia\Service\CloudPlatform\KeyApplier;
use Symfony\Component\HttpFoundation\ParameterBag;

require __DIR__.'/../../vendor/autoload.php';

$loader = new Twig_Loader_Filesystem(__DIR__ . '/templates');
$twig = new Twig_Environment($loader, array(
    'cache' => false,
));
$twig->addGlobal('edusho_version', \Topxia\System::VERSION);

// The step number comes straight from the query string: any integer N is
// dispatched to install_stepN(), and every step function is responsible for
// calling check_installed() itself.
$step = intval(empty($_GET['step']) ? 0 : $_GET['step']);
$functionName = 'install_step' . $step;
$functionName();

function check_installed()
{
    // "?nokey" only sets a client-side cookie that makes step999 return
    // placeholder keys; it is not an access control.
    if (array_key_exists('nokey', $_GET)) {
        setcookie('nokey', 1);
        $_COOKIE['nokey'] = 1;
    }
    if (file_exists(__DIR__ . '/../../app/data/install.lock')) {
        exit('already install.');
    }
}

function install_step0()
{
    check_installed();
    global $twig;
    echo $twig->render('step-0.html.twig', array('step' => 0));
}

function install_step1()
{
    check_installed();
    global $twig;
    $pass = true;
    $env = array();
    $env['os'] = PHP_OS;
    $env['phpVersion'] = PHP_VERSION;
    $env['phpVersionOk'] = version_compare(PHP_VERSION, '5.3.0') >= 0;
    $env['pdoMysqlOk'] = extension_loaded('pdo_mysql');
    $env['uploadMaxFilesize'] = ini_get('upload_max_filesize');
    $env['uploadMaxFilesizeOk'] = intval($env['uploadMaxFilesize']) >= 2;
    $env['postMaxsize'] = ini_get('post_max_size');
    $env['postMaxsizeOk'] = intval($env['postMaxsize']) >= 8;
    $env['maxExecutionTime'] = ini_get('max_execution_time');
    $env['maxExecutionTimeOk'] = ini_get('max_execution_time') >= 30;
    $env['mbstringOk'] = extension_loaded('mbstring');
    $env['gdOk'] = extension_loaded('gd');
    $env['curlOk'] = extension_loaded('curl');

    if (!$env['phpVersionOk'] or
        !$env['pdoMysqlOk'] or
        !$env['uploadMaxFilesizeOk'] or
        !$env['postMaxsizeOk'] or
        !$env['maxExecutionTimeOk'] or
        !$env['mbstringOk'] or
        !$env['curlOk'] or
        !$env['gdOk']) {
        $pass = false;
    }
    $paths = array(
        'app/config/parameters.yml',
        'app/data/udisk',
        'app/data/private_files',
        'web/files',
        'app/cache',
        'app/data',
        'app/logs',
    );
    $checkedPaths = array();
    foreach ($paths as $path) {
        $checkedPath = __DIR__ . '/../../' . $path;
        $checked = is_executable($checkedPath) && is_writable($checkedPath) && is_readable($checkedPath);
        if (PHP_OS == 'WINNT') {
            $checked = true;
        }
        if (!$checked) {
            $pass = false;
        }
        $checkedPaths[$path] = $checked;
    }
    $safemode = ini_get('safe_mode');
    if ($safemode == 'On') {
        $pass = false;
    }
    echo $twig->render('step-1.html.twig', array(
        'step' => 1,
        'env' => $env,
        'paths' => $checkedPaths,
        'safemode' => $safemode,
        'pass' => $pass
    ));
}

function install_step2()
{
    check_installed();
}

function install_step3()
{
    check_installed();
}

function install_step4()
{
    // No check_installed() here: this step stays reachable after install.lock exists.
    global $twig;

    $userAgent = 'EduSoho Install Client 1.0';
    $connectTimeout = 10;
    $timeout = 10;
    $url = "http://open.edusoho.com/api/v1/block/two_dimension_code";
    $curl = curl_init();
    curl_setopt($curl, CURLOPT_USERAGENT, $userAgent);
    curl_setopt($curl, CURLOPT_CONNECTTIMEOUT, $connectTimeout);
    curl_setopt($curl, CURLOPT_TIMEOUT, $timeout);
    curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($curl, CURLOPT_HEADER, 0);
    curl_setopt($curl, CURLOPT_URL, $url);
    $response = curl_exec($curl);
    curl_close($curl);
    $response = json_decode($response, true);
    echo $twig->render('step-4.html.twig', array(
        'step' => 4,
        "response" => $response,
    ));
}

/**
 * Generate the cloud platform key
 */
function install_step999()
{
    // No check_installed() here either: any caller without the 'nokey' cookie
    // gets the site's accessKey/secretKey echoed back as JSON.
    if (empty($_COOKIE['nokey'])) {
        session_start();
        $connection = _create_connection(); // defined elsewhere in the file (not shown in this excerpt)
        $serviceKernel = ServiceKernel::create('prod', true);
        $serviceKernel->setParameterBag(new ParameterBag(array(
            'kernel' => array(
                'root_dir' => realpath(__DIR__ . '/../../app'),
            )
        )));
        $serviceKernel->setConnection($connection);
        $init = new SystemInit(); // defined elsewhere in the file (not shown in this excerpt)
        $key = $init->initKey();
        echo json_encode($key);
    } else {
        echo json_encode(array(
            'accessKey' => '__NOKEY__',
            'secretKey' => '__NOKEY__',
        ));
    }
}


The script does check whether installation has already completed, but misses two places:
the first is step4, the second is step999.
Neither function restricts access or calls check_installed(), so both remain reachable once the site is installed.
step4 and step999 output the accessKey and secretKey directly:

    echo $twig->render('step-4.html.twig', array(
        'step' => 4,
        "response" => $response,
    ));


Requesting them to test:

[Screenshot: 屏幕快照 2015-04-09 下午5.19.00.png]

[Screenshot: 屏幕快照 2015-04-09 下午5.18.32.png]


Log in to the official site and re-authorize:
after clicking "Rebind", the authorization is successfully bound to a different site.

[Screenshot: 屏幕快照 2015-04-09 下午5.20.55.png]


From here we can send cloud SMS to the site's users and install apps.

[Screenshot: 屏幕快照 2015-04-09 下午5.22.29.png]


Proof of vulnerability:

[Screenshot: 屏幕快照 2015-04-09 下午5.19.00.png]

Fix:

Restrict access: call check_installed() in install_step4() and install_step999() as the other steps already do, and keep the whole installer unreachable once app/data/install.lock exists.
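As an added example (not EduSoho's own code), the following is a hardened replacement for the dispatcher at the top of start-install.php. The root cause above is that each install_stepN() had to remember to call check_installed() and two of them did not; this version moves the install.lock check and a step whitelist into a single chokepoint that runs before any step function, so a forgotten call can no longer reopen the installer. It assumes the script sits two directories below the project root (as the `__DIR__ . '/../../'` paths in the excerpt imply) and that the install_stepN() functions are defined in the same file; the step list 0-4 and 999 is taken from the excerpt.

```php
<?php
// Added example, not EduSoho's own code: hardened dispatcher for start-install.php.
// Assumptions: the script lives at <root>/<dir>/<dir>/start-install.php and the
// install_stepN() functions from the original file are defined in this file.

function install_lock_path()
{
    return __DIR__ . '/../../app/data/install.lock';
}

// The only steps the installer UI walks through (taken from the excerpt).
// 999 (cloud key generation) is part of the flow, so it stays reachable,
// but only while the lock file is absent, like every other step.
function allowed_steps()
{
    return array(0, 1, 2, 3, 4, 999);
}

// Returns the validated step number, or null for anything not whitelisted.
// Unlike the original intval(), this rejects "999abc", "0x3e7" and negatives
// instead of silently coercing them.
function resolve_step($rawStep)
{
    if (!is_string($rawStep) && !is_int($rawStep)) {
        return null;
    }
    if (!preg_match('/^\d{1,3}$/', (string) $rawStep)) {
        return null;
    }
    $step = (int) $rawStep;
    return in_array($step, allowed_steps(), true) ? $step : null;
}

// Single chokepoint: lock check first, whitelist second, only then dispatch.
// Nothing below this function can be reached on an installed site, whether or
// not the individual step function remembers to call check_installed().
function dispatch_install_step($rawStep)
{
    if (file_exists(install_lock_path())) {
        header('HTTP/1.1 403 Forbidden');
        exit('already install.');
    }

    $step = resolve_step($rawStep);
    if ($step === null) {
        header('HTTP/1.1 404 Not Found');
        exit('unknown step');
    }

    $functionName = 'install_step' . $step;
    if (!function_exists($functionName)) {
        header('HTTP/1.1 404 Not Found');
        exit('unknown step');
    }
    $functionName();
}

// Replaces the original three lines
//   $step = intval(empty($_GET['step']) ? 0 : $_GET['step']);
//   $functionName = 'install_step' . $step;
//   $functionName();
dispatch_install_step(isset($_GET['step']) ? $_GET['step'] : 0);
```

The per-function check_installed() calls in install_step0() through install_step3() can stay; they are harmless, but they must not be the only line of defence. Note that the `nokey` cookie in the original is set from a client-supplied query parameter and only switches step999 to placeholder keys, so it was never a protection: a caller who simply omits it receives the real keys. After deploying, request `?step=4` and `?step=999` on an installed site and confirm both answer `already install.`; removing the installer directory from the web root once installation is complete closes the surface entirely.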

Copyright notice: when reposting, please credit izy@WooYun


Vulnerability Response

Vendor response:

Severity: High

Vulnerability rank: 15

Confirmed: 2015-04-15 09:26

Vendor reply:

Thanks, izy

Latest status:

2015-04-15: All commercial customers have been patched, and the upgrade package has been updated.