SiteEngine 博卡网站引擎管理系统5.1.0 存在文件上传漏洞

添加时间:
2010-10-04

系统编号:
WAVDB-01704

影响版本:
SiteEngine CMS 5.1.0

程序介绍:

网站引擎(SiteEngine,全称：博卡网站引擎管理系统)，软件基于PHP程序和Mysql数据库开发，采用B/S体系结构。

漏洞分析:

首先先看第一段代码.是对文件后缀进行检查的。

{
$attach['name'] = $filename = str_replace( " ", "", $attach['name'] ); //去掉文件名的空格
$attach['ext'] = $extension = strtolower( fileext( $attach['name'] ) ); //取得文件的后缀名并变成小写
//转义文件后缀名的正则表达式字符，并匹配合法的文件后缀名
if ( $attachextensions && !preg_match( "/(^|\\s|,)".preg_quote( $attach['ext'], "/" )."(\$|\\s|,)/i", $attachextensions ) )
{
//如果不匹配 majun1988 good
message( $GLOBALS['l_site']['uploadexterror'], $referer );
}

这段代码我们可以看出SiteEngine对上传的文件后缀进行检查.符合$attachextensions即可上传,否则提示错误。

再看第二段代码：

//文件名处理
$filename = substr( $filename, 0, strlen( $filename ) - strlen( $extension ) - 1 ); //取出文件的后缀名之后得出真实的文件名
if ( preg_match( "/([-]|\\%)+/s", $filename ) ) //如果文件名存在非法字符司徒生辰快乐
{
$filename = str_replace( "/", "", base64_encode( substr( $filename, 0, 20 ) ) ); //取文件名前20位数，用base64进行编码，然后把转义符去掉
}
if ( $avatar ) //如果设置了某个头像的参数
{
//隔一个标点符号就将 .（点）转化为 _ （下划线）
$attach['attachment'] .= preg_replace( "/(\\.)(php|phtml|pwml|php3|php4|php|php2|inc|jsp|exe|dll|asp|aspx|cgi|fcgi|pl|reg)(\\.|\$)/i", "\\1_\\2\\3", $avatar.".gif" );
}
else if ( $random == 1 ) //随机参数为1
{
$attach['attachment'] .= preg_replace( "/(\\.)(php|phtml|pwml|php3|php4|php|php2|inc|jsp|exe|dll|asp|aspx|cgi|fcgi|pl|reg)(\\.|\$)/i", "\\1_\\2\\3", substr( $filename, 0, 64 )."_".random( 6 ).".".$extension ); //随机生成文件名
}
else
{
$attach['attachment'] .= preg_replace( "/(\\.)(php|phtml|pwml|php3|php4|php|php2|inc|jsp|exe|dll|asp|aspx|cgi|fcgi|pl|reg)(\\.|\$)/i", "\\1_\\2\\3", substr( $filename, 0, 64 ).".".$extension );
}

第二段代码我们可以看出.上传文件文件名如含有非法字符.即取文件名前20位base64编码。如上传后缀为php.php3.php4.jsp等文件.就会将文件前的第一个"."转换成"_"

SiteEngine对上传文件的处理做得非常好。这种做法存在漏洞

首先第一点.第一段代码中的$attachextensions我寻遍了所有文件都找不到。那他的文件后缀检查就形同虚设.

漏洞利用:

<?php
/*********************/
/* */
/* Version : 5.1.0 */
/* Author : RM */
/* Comment : 071223 */
/* */
/*********************/
function disuploadedfile( $file )
{
return function_exists( "is_uploaded_file" ) && is_uploaded_file( $file ) ? TRUE : FALSE;
}
function upload( $dir = "", $thumb = "", $avatar = "", $allowed = array( ), $random = 1, $varname = "photo" )
{
global $db;
global $tablepre;
global $extension;
global $typemaxsize;
global $allowsetattachperm;
global $referer;
global $attachperm;
global $module;
global $classid;
global $config_watermark;
global $config_watermarkfont;
global $attachsave;
global $attachdir;
global $maxattachsize;
global $maxsizeperday;
global $attachextensions;
global $site_engine_root;
global $resizewidth;
global $resizeheight;
global $uploaddir;
global $sesettings;
$attachments = $attacharray = array( );
if ( is_array( $_FILES ) && !emptyempty( $_FILES ) ) //≈–∂œ…œ¥´Œƒº˛≤Œ ˝Œ™ ˝◊È
{
foreach ( $GLOBALS['_FILES'] as $k => $v ) //»°µ√»´æ÷…œ¥´Œƒº˛£¨∂‡Œƒº˛¥¶¿Ì
{
foreach ( $GLOBALS['_FILES'][$k] as $key => $var )
{
if ( isset( $_FILES[$k] ) && is_array( $_FILES[$k] ) && $_FILES[$k]['error'] != 4 )
{
if ( is_array( $var ) )
{
foreach ( $var as $id => $val ) //∂‡Œƒº˛…œ¥´
{
$attachments[$k][$id][$key] = $val;
$attachments[$k][$id]['module'] = $k;
$attachments[$k][$id]['description'] = $_POST[$k."description"][$id];
}
}
else //µ•Œƒº˛…œ¥´
{
$attachments[$k][0] = $v;
$attachments[$k][0]['module'] = $k;
$attachments[$k][0]['description'] = $_POST[$k."description"][$id];
}
}
}
}
}
$newattachments = array( );
if ( is_array( $attachments ) ) //—È÷§ «∑ÒŒ™ ˝◊È
{
foreach ( $attachments as $key => $value )
{
foreach ( $value as $k => $v )
{
$newattachments[] = $v; //…œ¥´±‰¡ø◊È∫œ≥… ˝◊È
}
}
}
foreach ( $newattachments as $key => $attach )
{
$attach_saved = false;
if ( !( $attach['tmp_name'] != "none" && $attach['tmp_name'] && $attach['name'] ) ) //ºŸ»Á…œ¥´Œƒº˛≤ªŒ™ø’
{
}
else
{
$attach['name'] = $filename = str_replace( " ", "", $attach['name'] ); //»•µÙŒƒº˛√˚µƒø’∏Ò
$attach['ext'] = $extension = strtolower( fileext( $attach['name'] ) ); //»°µ√Œƒº˛µƒ∫Û◊∫√˚≤¢±‰≥…–°–¥
//◊™“ÂŒƒº˛∫Û◊∫√˚µƒ’˝‘Ú±Ì¥Ô Ω◊÷∑˚£¨≤¢∆•≈‰∫œ∑®µƒŒƒº˛∫Û◊∫√˚
if ( $attachextensions && !preg_match( "/(^|\\s|,)".preg_quote( $attach['ext'], "/" )."(\$|\\s|,)/i", $attachextensions ) )
{
//»Áπ˚≤ª∆•≈‰
message( $GLOBALS['l_site']['uploadexterror'], $referer );
}
//—È÷§Œƒº˛¥Û–°
if ( !$attach['size'] || $maxattachsize && $maxattachsize < $attach['size'] )
{
message( $GLOBALS['l_site']['toobig'], $referer );
}
if ( $attachsave ) //»´æ÷ø™πÿ£¨π¿º∆ «‘ –Ì¥¢¥Ê
{
if ( $dir ) //»Áπ˚…Ë÷√¡À¥¢¥Êƒø¬º
{
$attach_subdir = $dir;
}
else
{
{
case 1 :
$attach_subdir = $module;
break;
case 2 :
$attach_subdir = "ext_".$extension;
break;
case 3 :
$attach_subdir = "month_".date( "ym" );
break;
case 4 :
$attach_subdir = "day_".date( "ymd" );
}
}
$attach_dir = $attachdir."/".$attach_subdir; //µ√µΩ¥Ê¥¢µƒæ¯∂‘¬∑æ∂
if ( !is_dir( $attachdir."/".$module ) ) //≈–∂œ¥¢¥Êƒ£ Ω1 µƒæ¯∂‘¬∑æ∂
{
@mkdir( $attachdir."/".$module, 511 );
@chmod( $$attachdir."/".$module, 511 );
@fclose( @fopen( $attachdir."/".$module."/index.htm", "w" ) );
if ( $module == "photo" && !is_dir( $site_engine_root.$uploaddir."/photo/thumbs" ) )
{
@mkdir( $site_engine_root.$uploaddir."/photo/thumbs", 511 );
}
}
if ( !is_dir( $attach_dir ) ) //≈–∂œ¥¢¥Êƒ£ Ω2 µƒæ¯∂‘¬∑æ∂
{
@mkdir( $attach_dir, 511 );
@chmod( $attach_dir, 511 );
@fclose( @fopen( $attach_dir."/index.htm", "w" ) );
}
$attach['attachment'] = $attach_subdir."/";
}
else //≤ª‘ –Ì¥Ê¥¢µƒ«Èøˆ£¨ ‹”∞œÏƒø¬ºŒ™ø’
{
$attach['attachment'] = "";
}
//Œƒº˛√˚¥¶¿Ì
$filename = substr( $filename, 0, strlen( $filename ) - strlen( $extension ) - 1 ); //»°≥ˆŒƒº˛µƒ∫Û◊∫√˚÷Æ∫Û µ√≥ˆ’Ê µµƒŒƒº˛√˚
if ( preg_match( "/([-ˇ]|\\%)+/s", $filename ) ) //»Áπ˚Œƒº˛√˚¥Ê‘⁄∑«∑®◊÷∑˚
{
$filename = str_replace( "/", "", base64_encode( substr( $filename, 0, 20 ) ) ); //»°Œƒº˛√˚«∞20Œª ˝£¨”√base64Ω¯––±‡¬Î£¨»ª∫Û∞—◊™“Â∑˚»•µÙ
}
if ( $avatar ) //»Áπ˚…Ë÷√¡Àƒ≥∏ˆÕ∑œÒµƒ≤Œ ˝
{
$attach['attachment'] .= preg_replace( "/(\\.)(php|phtml|pwml|php3|php4|php|php2|inc|jsp|exe|dll|asp|aspx|cgi|fcgi|pl|reg)(\\.|\$)/i", "\\1_\\2\\3", $avatar.".gif" );
}
else if ( $random == 1 ) //ÀÊª˙≤Œ ˝Œ™1
{
$attach['attachment'] .= preg_replace( "/(\\.)(php|phtml|pwml|php3|php4|php|php2|inc|jsp|exe|dll|asp|aspx|cgi|fcgi|pl|reg)(\\.|\$)/i", "\\1_\\2\\3", substr( $filename, 0, 64 )."_".random( 6 ).".".$extension ); //ÀÊª˙…˙≥…Œƒº˛√˚
}
else
{
$attach['attachment'] .= preg_replace( "/(\\.)(php|phtml|pwml|php3|php4|php|php2|inc|jsp|exe|dll|asp|aspx|cgi|fcgi|pl|reg)(\\.|\$)/i", "\\1_\\2\\3", substr( $filename, 0, 64 ).".".$extension );
}
$target = $attachdir."/".stripslashes( $attach['attachment'] );
if ( copy( $attach['tmp_name'], $target ) || function_exists( "move_uploaded_file" ) && move_uploaded_file( $attach['tmp_name'], $target ) )
{
$attach_saved = true;
}
if ( !$attach_saved && is_readable( $attach['tmp_name'] ) )
{
@$fp = @fopen( $attach, "rb" );
@flock( $fp, 2 );
@$attachedfile = @fread( $fp, $attach['size'] );
@fclose( $fp );
@$fp = @fopen( $target, "wb" );
@flock( $fp, 2 );
if ( @fwrite( $fp, $attachedfile ) )
{
$attach_saved = true;
}
@chmod( $site_engine_root.$uploaddir.$attach['attachment'], 511 );
@fclose( $fp );
}
if ( $attach_saved )
{
if ( is_array( $attach ) && $thumb == 1 && $attach['size'] )
{
do
{
require_once( $site_engine_root."lib/photo.php" );
$exif = new phpexifreader( $site_engine_root.$uploaddir.$attach['attachment'] );
$exif->processfile( );
$photoinfo = $exif->getimageinfo( );
if ( ( strtolower( $attach['type'] ) == "image/pjpeg" || $attach['type'] == "image/jpeg" ) && function_exists( "imagecreatefromjpeg" ) )
{
$im = @imagecreatefromjpeg( $attach['tmp_name'] );
}
else
{
if ( $var['type'] == "image/x-png" && function_exists( "imagecreatefrompng" ) )
{
$im = @imagecreatefrompng( $attach['tmp_name'] );
}
else if ( !( $var['type'] == "image/gif" && function_exists( "imagecreatefromgif" ) ) )
{
break;
}
else
{
$im = @imagecreatefromgif( $attach['tmp_name'] );
continue;
}
}
$name = "";
if ( $im )
{
$name = resizeimage( $im, $GLOBALS['photosystem']['maxsize'], $GLOBALS['photosystem']['maxsize'], $attach['attachment'], 1 );
}
if ( $sesettings['system']['photosize'] )
{
$name1 = resizeimage( $im, $sesettings['system']['photosize'], $sesettings['system']['photosize'], $attach['attachment'] );
imagedestroy( $im );
}
if ( is_array( $photoinfo ) && $photosystem['exif'] == 1 )
{
foreach ( $photoinfo as $k => $v )
{
$k = strtolower( $k );
$attach[$k] = shtmlspecialchars( $v );
}
}
$attach['thumb'] = $name;
$attach[$key] = $attach['module'];
} while ( 0 );
}
$img_info = @getimagesize( $target );
if ( in_array( $attach['ext'], array( "jpg", "gif", "png", "bmp" ) ) && function_exists( "getimagesize" ) && !getimagesize( $target ) && $admincp != 1 )
{
@unlink( $target );
}
else
{
if ( in_array( $attach['ext'], array( "jpg", "gif", "png" ) ) && function_exists( "getimagesize" ) && function_exists( "imagettftext" ) && @getimagesize( $target ) && isset( $_POST[$attach['module']."_watermark"] ) && intval( $_POST[$attach['module']."_watermark"] ) == 1 )
{
require_once( $site_engine_root."lib/watermark.php" );
$tmp_image = new gimage( );
if ( !ereg( "^http://", $config_watermark ) )
{
$tmp_image->wm_text = $config_watermark;
}
else
{
$tmp_image->wm_image_name = $config_watermark;
}
$tmp_image->wm_text_font = $site_engine_root."data/fonts/".$config_watermarkfont;
$tmp_image->save_file = $target;
$tmp_image->create( $target );
}
$attach['perm'] = $allowsetattachperm ? $attachperm[$key] : 0;
$attach['key'] = $key;
$attacharray[] = $attach;
}
}
else
{
message( $GLOBALS['l_site']['saveerror'], $referer );
}
}
}
unset( $extension );
return !emptyempty( $attacharray ) ? $attacharray : false;
}
function resizeimage( $im, $maxwidth, $maxheight, $name, $isthumb = "" )
{
global $module;
global $attachdir;
global $site_engine_root;
if ( $isthumb == 1 )
{
$name = str_replace( $module, $module."/thumbs", $name );
}
else
{
$name = str_replace( $module, $module, $name );
}
$width = imagesx( $im );
$height = imagesy( $im );
$resizewidth = $resizeheight = false;
if ( $maxwidth && $maxwidth < $width || $maxheight && $maxheight < $height )
{
if ( $maxwidth && $maxwidth < $width )
{
$widthratio = $maxwidth / $width;
$resizewidth = true;
}
if ( $maxheight && $maxheight < $height )
{
$heightratio = $maxheight / $height;
$resizeheight = true;
}
if ( $resizewidth && $resizeheight )
{
if ( $widthratio < $heightratio )
{
$ratio = $widthratio;
}
else
{
$ratio = $heightratio;
}
}
else if ( $resizewidth )
{
$ratio = $widthratio;
}
else if ( $resizeheight )
{
$ratio = $heightratio;
}
$newwidth = $width * $ratio;
$newheight = $height * $ratio;
if ( function_exists( "imagecopyresampled" ) )
{
$newim = imagecreatetruecolor( $newwidth, $newheight );
imagecopyresampled( $newim, $im, 0, 0, 0, 0, $newwidth, $newheight, $width, $height );
}
else
{
$newim = imagecreate( $newwidth, $newheight );
imagecopyresized( $newim, $im, 0, 0, 0, 0, $newwidth, $newheight, $width, $height );
}
@imagejpeg( $newim, $attachdir."/".$name );
imagedestroy( $newim );
}
else
{
@imagejpeg( $im, $attachdir."/".$name );
}
return $name;
}
if ( !defined( "IN_SITEENGINE" ) )
{
exit( "Access Denied" );
}
$maxgroupcache = groupcache( $usergroup, array( "maxattachsize", "attachextensions" ), 1 );
$maxattachsize = $maxgroupcache['maxattachsize'] ? $maxgroupcache['maxattachsize'] : 1024000000;
$attachsave = 1;
$attachdir = $site_engine_root.$uploaddir;
eval( "\$header = \"".$tpl->get( "header", $templates, $language )."\";" );
$debuginfo = gettotaltime( );
eval( "\$footer = \"".$tpl->get( "footer", $templates, $language )."\";" );
if ( !emptyempty( $usergroup ) && $maxgroupcache['attachextensions'] )
{
$attachextensions = $maxgroupcache['attachextensions'];
}
?>

解决方案:
厂商补丁：
SiteEngine
-------
目前厂商还没有提供补丁或者升级程序，我们建议使用此软件的用户随时关注厂商的主页以获取最新版本：
http://www.siteengine.net/

信息来源:
<* 来源: majun1988
链接: http://majun1988.cngxr.com/?action=show&id=416
*>

漏洞列表