当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0106885

漏洞标题:EduSoho 最新版两处泄露accessKey和secretKey

相关厂商:edusoho.com

漏洞作者: izy

提交时间:2015-04-13 18:16

修复时间:2015-07-14 09:28

公开时间:2015-07-14 09:28

漏洞类型:敏感信息泄露

危害等级:高

自评Rank:10

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-04-13: 细节已通知厂商并且等待厂商处理中
2015-04-15: 厂商已经确认,细节仅向厂商公开
2015-04-18: 细节向第三方安全合作伙伴开放
2015-06-09: 细节向核心白帽子及相关领域专家公开
2015-06-19: 细节向普通白帽子公开
2015-06-29: 细节向实习白帽子公开
2015-07-14: 细节向公众公开

简要描述:

可在官网重新绑定,发送云短信,下载安装应用。

详细说明:

出现问题的地方在安装文件/start-install.php

<?php
use Composer\Autoload\ClassLoader;
require __DIR__.'/../../vendor/autoload.php';
$loader = new Twig_Loader_Filesystem(__DIR__ . '/templates');
$twig = new Twig_Environment($loader, array(
'cache' => false,
));
$twig->addGlobal('edusho_version', \Topxia\System::VERSION);
$step =intval(empty($_GET['step']) ? 0 : $_GET['step']);
$functionName = 'install_step' . $step;
$functionName();
use Topxia\Service\Common\ServiceKernel;
use Topxia\Service\User\CurrentUser;
use Topxia\Service\CloudPlatform\KeyApplier;
use Symfony\Component\HttpFoundation\ParameterBag;
function check_installed()
{
if (array_key_exists('nokey', $_GET)) {
setcookie('nokey', 1);
$_COOKIE['nokey'] = 1;
}
if (file_exists(__DIR__ . '/../../app/data/install.lock')) {
exit('already install.');
}
}
function install_step0()
{
check_installed();
global $twig;
echo $twig->render('step-0.html.twig', array('step' => 0));
}
function install_step1()
{
check_installed();
global $twig;
$pass = true;
$env = array();
$env['os'] = PHP_OS;
$env['phpVersion'] = PHP_VERSION;
$env['phpVersionOk'] = version_compare(PHP_VERSION, '5.3.0') >= 0;
$env['pdoMysqlOk'] = extension_loaded('pdo_mysql');
$env['uploadMaxFilesize'] = ini_get('upload_max_filesize');
$env['uploadMaxFilesizeOk'] = intval($env['uploadMaxFilesize']) >= 2;
$env['postMaxsize'] = ini_get('post_max_size');
$env['postMaxsizeOk'] = intval($env['postMaxsize']) >= 8;
$env['maxExecutionTime'] = ini_get('max_execution_time');
$env['maxExecutionTimeOk'] = ini_get('max_execution_time') >= 30;
$env['mbstringOk'] = extension_loaded('mbstring');
$env['gdOk'] = extension_loaded('gd');
$env['curlOk'] = extension_loaded('curl');

if (!$env['phpVersionOk'] or
!$env['pdoMysqlOk'] or
!$env['uploadMaxFilesizeOk'] or
!$env['postMaxsizeOk'] or
!$env['maxExecutionTimeOk'] or
!$env['mbstringOk'] or
!$env['curlOk'] or
!$env['gdOk']) {
$pass = false;
}
$paths = array(
'app/config/parameters.yml',
'app/data/udisk',
'app/data/private_files',
'web/files',
'app/cache',
'app/data',
'app/logs',
);
$checkedPaths = array();
foreach ($paths as $path) {
$checkedPath = __DIR__ . '/../../' . $path;
$checked = is_executable($checkedPath) && is_writable($checkedPath) && is_readable($checkedPath);
if (PHP_OS == 'WINNT') {
$checked = true;
}
if (!$checked) {
$pass = false;
}
$checkedPaths[$path] = $checked;
}
$safemode = ini_get('safe_mode');
if($safemode == 'On')
$pass = false;
echo $twig->render('step-1.html.twig', array(
'step' => 1,
'env' => $env,
'paths' => $checkedPaths,
'safemode' => $safemode,
'pass' => $pass
));
}
function install_step2()
{
check_installed();
}
function install_step3()
{
check_installed();
}
function install_step4()
{
global $twig;

$userAgent = 'EduSoho Install Client 1.0';
$connectTimeout = 10;
$timeout = 10;
$url = "http://open.edusoho.com/api/v1/block/two_dimension_code";
$curl = curl_init();
curl_setopt($curl, CURLOPT_USERAGENT, $userAgent);
curl_setopt($curl, CURLOPT_CONNECTTIMEOUT, $connectTimeout);
curl_setopt($curl, CURLOPT_TIMEOUT, $timeout);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($curl, CURLOPT_HEADER, 0);
curl_setopt($curl, CURLOPT_URL, $url );
$response = curl_exec($curl);
curl_close($curl);
$response = json_decode($response, true);
echo $twig->render('step-4.html.twig', array(
'step' => 4,
"response"=>$response,
));
}
/**
* 生产Key
*/
function install_step999()
{
if (empty($_COOKIE['nokey'])) {
session_start();
$connection = _create_connection();
$serviceKernel = ServiceKernel::create('prod', true);
$serviceKernel->setParameterBag(new ParameterBag(array(
'kernel' => array(
'root_dir' => realpath(__DIR__ . '/../../app'),
)
)));
$serviceKernel->setConnection($connection);
$init = new SystemInit();
$key = $init->initKey();
echo json_encode($key);
} else {
echo json_encode(array(
'accessKey' => '__NOKEY__',
'secretKey' => '__NOKEY__',
));
}
}


程序有判断是否安装过,但是遗漏了两处;
第一处在step4、第二处在step999;
这两个函数都没有限制访问、也没有check_installed。
看到step4和step999直接输出了accessKey和secretKey。

echo $twig->render('step-4.html.twig', array(
'step' => 4,
"response"=>$response,
));


访问测试一下

屏幕快照 2015-04-09 下午5.19.00.png

屏幕快照 2015-04-09 下午5.18.32.png


登陆官网重新授权:
点击重新绑定后,绑定另外一个站的授权成功

屏幕快照 2015-04-09 下午5.20.55.png


然后我们就可以给网站用户发送云短信,安装应用了

屏幕快照 2015-04-09 下午5.22.29.png


漏洞证明:

屏幕快照 2015-04-09 下午5.19.00.png

修复方案:

访问限制

版权声明:转载请注明来源 izy@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:15

确认时间:2015-04-15 09:26

厂商回复:

感谢izy

最新状态:

2015-04-15:已对所有商业客户进行了修复。并更新了升级包。


漏洞评价:

评论