PHPslash URL Block Local File Disclosure Vulnerability
Added:
2005-10-01
System ID:
WAVDB-00707
Affected versions:
phpslash 0.6.1
Program description:
PHPSLASH is an open-source PHP toolkit. It has a remote security issue that can disclose the contents of system files on the web server.
Vulnerability analysis:
The problem lies in Block_render_url.class, which does not check whether the $url variable is really a normal URL request.
If the attacker supplies a local file name, PHPSLASH will disclose the contents of that file.
To carry out the attack, the attacker must first be logged in as an administrator user.
Exploit:
Log in as admin, open "BLOCKS" (blockAdmin.php3) in the menu, and create a new block record with the following information:
Title : notTrusted
Type : url
Site Location : whatever
Source URL : ./config.php3
Expire Length : 0
Owned by section : home
Data : (empty)
Order number : whatever
This displays the contents of ./config.php3 in the page; the attacker can also specify other system files.
Solution:
Workaround:
tobozo@users.sourceforge.net provided the following workaround:
function parse($block_info) {
    $url = $block_info["source_url"];

    /* check for url structure before opening it (you don't want
       /etc/passwd to be validated here -- tobozo -- */
    $urlParts = parse_url($url);
    if ($urlParts === false || empty($urlParts)) {
        $this->output = "Block_render_url.class:: Parse error reading [$url]";
        return;
    }
    /* array keys must be quoted strings; parse_url() omits parts that are absent */
    $scheme   = isset($urlParts['scheme']) ? $urlParts['scheme'] : '';
    $HostName = isset($urlParts['host'])   ? $urlParts['host']   : '';
    if (empty($scheme)) {
        $this->output = "Block_render_url.class:: Missing protocol declaration [$url]";
        return;
    }
    if (empty($HostName)) {
        $this->output = "Block_render_url.class:: No hostname in [$url]";
        return;
    }
    /* only http(s):// and ftp:// are allowed; the original eregi() call is
       replaced by the equivalent case-insensitive preg_match() */
    if (!preg_match('/^(ht|f)tp/i', $scheme)) {
        $this->output = "Block_render_url.class:: No http:// or ftp:// in [$url]";
        return;
    }

    /* have to silence 'implode' and 'file' because you don't want
       the errors showing up on the main page */
    $ary = @file($url);
    if ($ary === false) {
        $ary = array();   /* file() returns false on failure; treat as empty */
    }
    $size   = count($ary);
    $string = @implode("", $ary);
    if (strlen($string) < 1) {
        $this->output = "Block_render_url.class: $url contained no data.";
        return;
    }
    $output = '';
    for ($i = 0; $i < $size; $i++) {
        $output .= $ary[$i];
    }
    $this->output = $output;
}
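The vulnerability analysis and the workaround above come down to one check: a block's "Source URL" must be an absolute http(s)/ftp URL with a hostname before it is handed to file(), because file() happily opens a relative or absolute filesystem path such as ./config.php3. The following Python is an added example (not PHPslash code and not tobozo's patch) that mirrors the workaround's logic as a standalone validator, so the same allowlist can be reviewed or unit-tested outside the application. The function names validate_block_source_url and vet_block, and the sample block records, are assumptions constructed for this illustration.

```python
"""Allowlist check for a PHPslash-style "url" block source.

Added example mirroring the workaround's logic; function names and
sample data are constructed for illustration, not taken from PHPslash.
"""
from urllib.parse import urlsplit

# Same allowlist the workaround's regex ^(ht|f)tp expresses
ALLOWED_SCHEMES = ("http", "https", "ftp")


def validate_block_source_url(url):
    """Return (ok, reason).

    ok is True only for an absolute http(s)/ftp URL that names a host.
    Anything PHP's file() could treat as a local path (no scheme) or
    fetch through a non-network wrapper (other schemes) is refused, and
    the reason string is suitable for an admin-side error or audit log.
    """
    if not isinstance(url, str) or not url.strip():
        return False, "empty source URL"
    parts = urlsplit(url.strip())
    if not parts.scheme:
        # "./config.php3" or "/etc/passwd": no scheme, so file() would
        # read it from the local filesystem
        return False, "missing protocol declaration"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme %r not allowed" % parts.scheme
    if not parts.hostname:
        # e.g. "http:///path": scheme present but nothing to connect to
        return False, "no hostname"
    return True, "ok"


def vet_block(block_info):
    """Mimic the guard at the top of Block_render_url::parse().

    Returns (url, None) when the block's source_url may be fetched, or
    (None, message) with the error text the block would render instead.
    """
    url = block_info.get("source_url", "")
    ok, reason = validate_block_source_url(url)
    if not ok:
        return None, "Block_render_url.class:: %s [%s]" % (reason, url)
    return url, None


# Constructed sample blocks: the first is the record from the advisory,
# the second a legitimate remote feed.
SAMPLE_BLOCKS = [
    {"title": "notTrusted", "type": "url", "source_url": "./config.php3"},
    {"title": "headlines", "type": "url", "source_url": "http://example.com/news.rss"},
]

if __name__ == "__main__":
    for block in SAMPLE_BLOCKS:
        url, err = vet_block(block)
        print(block["title"], "->", url if url else err)
```

Running the module shows the advisory's ./config.php3 block rejected with "missing protocol declaration" while the remote feed is accepted. The check is deliberately an allowlist on scheme plus a hostname requirement rather than a blocklist of paths, so unanticipated forms of a local path fail closed.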
Vendor patch:
None yet
Source:
<*Source: tobozo@users.sourceforge.net
Link: http://madchat.sourceforge.net
*>