当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-098094

漏洞标题:中国环境检测总站任意文件下载漏洞

相关厂商:cncert国家互联网应急中心

漏洞作者: 假面,

提交时间:2015-02-27 16:54

修复时间:2015-04-13 16:58

公开时间:2015-04-13 16:58

漏洞类型:任意文件遍历/下载

危害等级:中

自评Rank:10

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-02-27: 细节已通知厂商并且等待厂商处理中
2015-03-04: 厂商已经确认,细节仅向厂商公开
2015-03-14: 细节向核心白帽子及相关领域专家公开
2015-03-24: 细节向普通白帽子公开
2015-04-03: 细节向实习白帽子公开
2015-04-13: 细节向公众公开

简要描述:

http://www.cnemc.cn/news/downLoad.jsp?filePath=

详细说明:

http://www.cnemc.cn/news/downLoad.jsp?filePath=
http://www.cnemc.cn/news/downLoad.jsp?filePath=news/downLoad.jsp

漏洞证明:

<%@ page contentType="text/html;charset=gbk"%>
<%@ page import="java.io.File"%>
<%@ page import="java.io.*"%>
<%@ page import="java.net.*"%>
<%

String filePath = request.getParameter("filePath");
String root = request.getRealPath("/");
String fileName = "";
filePath=filePath.replaceAll("..//", "");
filePath=filePath.replaceAll("WEB-INF", "");
String describe = request.getParameter("describe");
File fileInfo = new File(root+filePath);
if (!fileInfo.exists()) {
%>
<script type="text/javascript">
alert("下载文件不存在!");
window.close();
</script>

<%
return;
}else{

fileName = fileInfo.getName();
System.out.println(fileInfo.getAbsolutePath());
}
if(fileName.equals("")){
%>
<script type="text/javascript">
alert("下载文件不存在!");
window.close();
</script>

<%
return;
}
String _fileName = fileName;
StringBuffer s = new StringBuffer(URLEncoder.encode(_fileName,"UTF-8"));
_fileName = s.toString().replaceAll("[+]","%20");
response.reset();
//后缀名
String fileExt = "";
int k = _fileName.substring(0,_fileName.indexOf(".")).length();
fileExt = _fileName.substring(k,_fileName.length());
String title = "";
if(!("").equals(describe)){
title = describe+fileExt;
}else{
title = fileName.substring(fileName.indexOf("."),fileName.length());
}
if(title.indexOf("docx") >0){

response.setContentType("application/vnd.openxmlformats-officedocument.wordprocessingml.document; charset=GBK"); //linux
}else if(title.indexOf("xlsx") >0){
response.setContentType("application/vnd.openxmlformats-officedocument.spreadsheetml.sheet; charset=GBK"); //linux
}else if(title.indexOf("pptx")>0){
response.setContentType("application/vnd.openxmlformats-officedocument.presentationml.presentation; charset=GBK"); //linux
}else if(title.indexOf("pdf") >0){
response.setContentType("application/pdf"); //linux
}
else{
response.setContentType("application/octet-stream; charset=GBK"); //linux
}
//response.addHeader("Content-Disposition", "attachment; filename=\""+DateProcess.getNum()+title+"\"");
if (fileName.length() > 22) {
String guessCharset = "gb2312";
_fileName = new String(fileName.getBytes(guessCharset), "ISO8859-1");
}
response.addHeader("Content-Disposition", "attachment; filename="+ new String(title.getBytes("GBK"), "ISO-8859-1"));
if(title.indexOf("pdf") >0){
response.setHeader("Content-Disposition", "inline; filename="+new String(title.getBytes("GBK"), "ISO-8859-1"));
}
OutputStream output = null;
FileInputStream fis = null;
try{

File f = new File(root + filePath);
output = response.getOutputStream();
fis = new FileInputStream(f);

byte[] b = new byte[(int)f.length()];

int i = 0;
while((i = fis.read(b)) > 0){
output.write(b, 0, i);
}
output.flush();
}
catch(Exception e){
e.printStackTrace();
}
finally{
if(fis != null){
fis.close();
fis = null;
}
if(output != null){
output.close();
output = null;
}
response.flushBuffer();
out.clear();
out = pageContext.pushBody();
}
%>

修复方案:

你们比我懂~

版权声明:转载请注明来源 假面,@乌云


漏洞回应

厂商回应:

危害等级:中

漏洞Rank:8

确认时间:2015-03-04 09:11

厂商回复:

CNVD确认所述情况,已经由CNVD通过网站公开联系方式向网站管理单位通报。

最新状态:

暂无


漏洞评价:

评论