
Defect ID: wooyun-2012-09322

Title: Tuchong (图虫网) system patches not applied in time, causing harm!

Vendor: Tuchong (图虫网)

Author: _Evil

Submitted: 2012-07-07 18:21

Fixed: 2012-08-21 18:22

Published: 2012-08-21 18:22

Vulnerability type: System/service patches not applied in time

Severity: High

Self-assessed Rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2012-07-07: Details sent to the vendor, awaiting vendor handling
2012-07-10: Vendor confirmed; details disclosed to the vendor only
2012-07-20: Details disclosed to core white hats and experts in related fields
2012-07-30: Details disclosed to regular white hats
2012-08-09: Details disclosed to intern white hats
2012-08-21: Details disclosed to the public

Brief description:

= = They ignored the XSS I submitted

Details:

http://zone.wooyun.org/content/508 exploitation + fix


Please fix it soon, folks~!!!

Proof of vulnerability:

<string>Method "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" does not exist</string>
Base64-decode it and you will see.

Fix:

http://zone.wooyun.org/content/508 exploitation + fix
Read the Zend Framework documentation yourselves and configure error reporting properly.
WooYun: Tuchong stored XSS
Asking for a gift~ With a gift I'll have the motivation to keep finding security issues for you.

Copyright notice: when reposting, credit the source _Evil@WooYun


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 15

Confirmed: 2012-07-10 13:50

Vendor reply:

Thanks. The Zend Framework version we use is fairly old and we haven't had time to upgrade.
We will find time to resolve this issue.

Latest status:

None yet


Vulnerability rating:

Comments

  1. 2012-07-07 23:51 | 数据流 ( regular white hat | Rank:716 vulns:88 | all or nothing, now or never)

    Command execution?

  2. 2012-07-08 05:32 | 店小弎 ( intern white hat | Rank:93 vulns:13 | follows web security)

    Still playing with this one

  3. 2012-07-08 10:33 | _Evil ( regular white hat | Rank:418 vulns:59 | Nothing special, just practice. Even farmers can program; don't count on heaven...)

    @数据流 @店小弎 You're both wrong, it's not Struts and not ThinkPHP

  4. 2012-07-20 15:11 | imlonghao ( regular white hat | Rank:730 vulns:74 )

    The proof of vulnerability is blinding..

  5. 2012-08-21 18:26 | imlonghao ( regular white hat | Rank:730 vulns:74 )

    ZEND....