2014-07-26: 细节已通知厂商并且等待厂商处理中 2014-07-31: 厂商已经确认,细节仅向厂商公开 2014-08-03: 细节向第三方安全合作伙伴开放 2014-09-24: 细节向核心白帽子及相关领域专家公开 2014-10-04: 细节向普通白帽子公开 2014-10-14: 细节向实习白帽子公开 2014-10-24: 细节向公众公开
B2Bbuilder设计缺陷导致整站重装
B2Bbuilder在安装后,install/install.php文件中未设计安装验证导致可以重装系统,代码如下
<?php /** * 安装程序 * @copyright Copyright (C) 2011 中国万网互联网解决方案事业部 * @author bruce lee liyongqing2008@gmail.com * @access public * @package system*///设置当前系统标识define('IN_HICHINA', TRUE);//获取动作参数$action = $_GET['action'];//错误代码配置$a_error =array( "101" => array("msg" => "网络传输错误", "description" => "Get发送或接收数据失败"), "102" => array("msg" => "参数不完整", "description" => "无参数或参数个数不对"), "103" => array("msg" => "身份不合法", "description" => "无权限调用接口"), "104" => array("msg" => "解压缩失败", "description" => "压缩程序和解压缩程序不匹配"), "105" => array("msg" => "配置文件未找到", "description" => "配置文件未找到"), "106" => array("msg" => "配置文件内容不合法", "description" => "配置文件内容不合法"), "107" => array("msg" => "请求地址无效", "description" => "独立应用接口文件不存在或无法打开"), "108" => array("msg" => "配置文件无法修改", "description" => "配置文件无法修改"), "111" => array("msg" => "参数不正确", "description" => "参数长度超长或类型不匹配"), "112" => array("msg" => "接口已失效", "description" => "接口已超时"), "113" => array("msg" => "安装失败", "description" => "安装失败"), "114" => array("msg" => "运行检测失败", "description" => "检测到应用无法正常执行"), "121" => array("msg" => "安装应用失败", "description" => "安装应用失败"), "122" => array("msg" => "安装结果检测失败", "description" => "应用安装成功但运行检测失败"), "131" => array("msg" => "无法连接数据库或数据库服务器无响应", "description" => "无法连接数据库或数据库服务器无响应"), "132" => array("msg" => "添加账户失败", "description" => "添加管理员账户失败"), "200" => array("msg" => "ok", "description" => "ok"));//输出XMLfunction outputXml($code){ global $a_error; header("content-type: text/xml"); echo '<?xml version="1.0" encoding="utf-8"?> <rsp> <code>' . $code . '<code> <msg>' . $a_error[$code]['msg'] . '</msg> </rsp>'; exit();}//安装应用//http://localhost/b2b/install/install.php?action=setup&dbhost=localhost&port=3306&dbname=hichina001_db&dbuser=root&dbpassword=root&tableprefix=b2bbuilder_&guid=6F9619FF-8B86-D011-B42D-00C04FC964FFif($action == "setup") //只判断action,没有任何验证,直接进入重装{ //检查参数是否完整 $dbhost = $_GET['dbhost']; $port = $_GET['port']; $dbname = $_GET['dbname']; $dbuser = $_GET['dbuser']; $dbpassword = $_GET['dbpassword']; $tableprefix = $_GET['tableprefix']; $guid = $_GET['guid']; if(!$port) $port = 3306; if ($dbhost && $port && $dbname && $dbuser && $dbpassword && $tableprefix && $guid) { file_put_contents("db.txt", $dbhost.'|'.$port .'|'.$dbname .'|'.$dbuser .'|'.$dbpassword .'|'.$tableprefix.'|'.$guid); $link = mysql_connect($dbhost . ":" . $port, $dbuser, $dbpassword); if($link) { mysql_query("CREATE DATABASE IF NOT EXISTS `".$dbname."`;", $link);
B2Bbuilder正常安装后访问/install/index.php显示如下
该页面处设置了系统重装的验证,可以install.php就没有了直接访问/install/install.php?action=setup&dbhost=localhost&port=3306&dbname=数据库名称&dbuser=数据库用户名&dbpassword=数据库密码&tableprefix=b2bbuilder_&guid=6F9619FF-8B86-D011-B42D-00C04FC964FF就重装整站
install.php页面加入重装验证即判断.lock文件是否存在
危害等级:中
漏洞Rank:8
确认时间:2014-07-31 10:39
CNVD先行确认(暂未进行本地复现或找到实例),由于有较高的认证前提,仅作为默认配置风险进行评分,rank 8
暂无
都是一个公司 为毛我mallbuilder 重装都不上首页。
@ ′ 雨。这个我也搞不懂啊
唉。。说好的?wordpress getshell呢?