当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:
wooyun-2014-069782
漏洞标题:
B2Bbuilder设计缺陷导致整站重装
相关厂商:
B2Bbuilder
漏洞作者:
飞扬风
提交时间:
2014-07-26 15:12
修复时间:
2014-10-24 15:14
公开时间:
2014-10-24 15:14
漏洞类型:
设计缺陷/逻辑错误
危害等级:
自评Rank:
20
漏洞状态:
已交由第三方合作机构(cncert国家互联网应急中心)处理
漏洞来源:
http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]
Tags标签:
分享漏洞:
4人收藏 收藏
分享漏洞:
>

漏洞详情

披露状态:

2014-07-26: 细节已通知厂商并且等待厂商处理中
2014-07-31: 厂商已经确认,细节仅向厂商公开
2014-08-03: 细节向第三方安全合作伙伴开放
2014-09-24: 细节向核心白帽子及相关领域专家公开
2014-10-04: 细节向普通白帽子公开
2014-10-14: 细节向实习白帽子公开
2014-10-24: 细节向公众公开

简要描述:

B2Bbuilder设计缺陷导致整站重装

详细说明:

B2Bbuilder在安装后,install/install.php文件中未设计安装验证
导致可以重装系统,代码如下

<?php 
/**
 * 安装程序
 * @copyright Copyright (C) 2011 中国万网互联网解决方案事业部
 * @author bruce lee  liyongqing2008@gmail.com
 * @access public
 * @package system
*/
//设置当前系统标识
define('IN_HICHINA', TRUE);
//获取动作参数
$action = $_GET['action'];
//错误代码配置
$a_error =array
(
    "101"  => array("msg" => "网络传输错误", "description" => "Get发送或接收数据失败"),
    "102"  => array("msg" => "参数不完整", "description" => "无参数或参数个数不对"),
    "103"  => array("msg" => "身份不合法", "description" => "无权限调用接口"),
    "104"  => array("msg" => "解压缩失败", "description" => "压缩程序和解压缩程序不匹配"),
    "105"  => array("msg" => "配置文件未找到", "description" => "配置文件未找到"),
    "106"  => array("msg" => "配置文件内容不合法", "description" => "配置文件内容不合法"),
    "107"  => array("msg" => "请求地址无效", "description" => "独立应用接口文件不存在或无法打开"),
    "108"  => array("msg" => "配置文件无法修改", "description" => "配置文件无法修改"),
    "111"  => array("msg" => "参数不正确", "description" => "参数长度超长或类型不匹配"),
    "112"  => array("msg" => "接口已失效", "description" => "接口已超时"),
    "113"  => array("msg" => "安装失败", "description" => "安装失败"),
    "114"  => array("msg" => "运行检测失败", "description" => "检测到应用无法正常执行"),
    "121"  => array("msg" => "安装应用失败", "description" => "安装应用失败"),
    "122"  => array("msg" => "安装结果检测失败", "description" => "应用安装成功但运行检测失败"),
    "131"  => array("msg" => "无法连接数据库或数据库服务器无响应", "description" => "无法连接数据库或数据库服务器无响应"),
    "132"  => array("msg" => "添加账户失败", "description" => "添加管理员账户失败"),
    "200"  => array("msg" => "ok", "description" => "ok")
);
//输出XML
function outputXml($code)
{
	global $a_error;
	header("content-type: text/xml");
	echo '<?xml version="1.0" encoding="utf-8"?>
	<rsp>
	<code>' . $code . '<code>
	<msg>' . $a_error[$code]['msg'] . '</msg>
	</rsp>';
	exit();
}
//安装应用
//http://localhost/b2b/install/install.php?action=setup&dbhost=localhost&port=3306&dbname=hichina001_db&dbuser=root&dbpassword=root&tableprefix=b2bbuilder_&guid=6F9619FF-8B86-D011-B42D-00C04FC964FF
if($action == "setup") //只判断action,没有任何验证,直接进入重装
{
	//检查参数是否完整
	$dbhost = $_GET['dbhost'];
	$port = $_GET['port'];
	$dbname = $_GET['dbname'];
	$dbuser = $_GET['dbuser'];
	$dbpassword = $_GET['dbpassword'];
	$tableprefix = $_GET['tableprefix'];
	$guid = $_GET['guid'];
	if(!$port)
		$port = 3306;
	if ($dbhost && $port && $dbname && $dbuser && $dbpassword && $tableprefix && $guid)
	{
		file_put_contents("db.txt", $dbhost.'|'.$port .'|'.$dbname .'|'.$dbuser .'|'.$dbpassword .'|'.$tableprefix.'|'.$guid);
		$link = mysql_connect($dbhost . ":" . $port, $dbuser, $dbpassword);
		if($link)
		{
			mysql_query("CREATE DATABASE IF NOT EXISTS `".$dbname."`;", $link);

漏洞证明:

B2Bbuilder正常安装后访问/install/index.php显示如下

t0140431fde8c060e41.jpg


该页面处设置了系统重装的验证,可以install.php就没有了
直接访问/install/install.php?action=setup&dbhost=localhost&port=3306&dbname=数据库名称&dbuser=数据库用户名&dbpassword=数据库密码&tableprefix=b2bbuilder_&guid=6F9619FF-8B86-D011-B42D-00C04FC964FF就重装整站

t01d5c81c450150fb64.jpg

修复方案:

install.php页面加入重装验证
即判断.lock文件是否存在

版权声明:转载请注明来源 飞扬风@乌云

>

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:8

确认时间:2014-07-31 10:39

厂商回复:

CNVD先行确认(暂未进行本地复现或找到实例),由于有较高的认证前提,仅作为默认配置风险进行评分,rank 8

最新状态:

暂无