Arbitrary File Read Vulnerability in TurboMail (administrative permission required)
The TurboMail mail system does not validate the file path when it processes log files, so any file on the server can be read.
The web-based administration backend has an arbitrary file read vulnerability in the function that views web server logs.
The vulnerable code is in TomcatLogAjax.class. The source of the getLog function, which reads web server log files, is as follows:
    public static void getLog(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Session and login checks: the endpoint requires an authenticated user.
        MailSession ms = WebUtil.getms(request, response);
        if (ms == null) {
            AjaxUtil.ajaxFail(request, response, "info.nologin", null);
            return;
        }
        UserInfo userinfo = ms.userinfo;
        if (userinfo == null) {
            AjaxUtil.ajaxFail(request, response, "info.loginfail", null);
            return;
        }
        String logPath = getLogPath();
        String subType = WebUtil.getParameter(request, true, "subType");
        if ((subType != null) && ("getLogList".equals(subType))) {
            getLogList(request, response, logPath);
            return;
        }
        // User-controlled file name taken straight from the request.
        String sLogFile = WebUtil.getParameter(request, true, "logFile");
        ..... // N rows are omitted here (bb, fs, bReverse, lo, temp_bs and bsLine are set up in the omitted part)
        try {
            File tempFile = new File(logPath + SysConts.FILE_SEPARATOR + sLogFile); // vulnerability point: logFile is concatenated directly, no path check
            if (!tempFile.exists()) {
                AjaxUtil.ajaxFail(request, response, "info.ajax.fail", null);
                return;
            }
            bb.clear();
            fs = new RandomAccessFile(tempFile, "r");
            if (bReverse) {
                // Read backwards from the end of the file.
                long lFileLen = fs.length();
                fs.seek(lFileLen);
                bsLine = ReadLineInput.RReadLine(fs, false, lo, bb, temp_bs);
            } else {
                bsLine = ReadLineInput.ReadLine(fs, false, lo, bb, temp_bs);
            }
            // ... (rest of the function omitted)
The getLog function performs no path safety check on the user-supplied logFile parameter, so ../ sequences can be used to read arbitrary files on the server.
Log in to the mailbox administration backend with the mail administrator account, view the mail logs, and select "web server logs".
The HTTP request is as follows:
Use Burp Suite to change the logFile parameter of the HTTP request to ../../../../../../../../../../../../windows/win.ini:
The file on the server is read successfully:
Reading c:/boot.ini:
Solution:
Reject file names that contain / or \.
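As an added illustration, not TurboMail's own code, the following standalone Java class implements the file-name check the solution calls for and, going one step beyond the page's stated fix, also verifies that the canonical path of the resolved file still lies inside the log directory. The log directory location and the sample names are assumptions.

```java
import java.io.File;
import java.io.IOException;

// Added example (not TurboMail's code). Compares the vulnerable concatenation with a
// hardened lookup that rejects separators and ".." and confirms directory containment.
public class LogFileNameCheck {

    // Vulnerable form: the user-supplied name is concatenated straight onto the log directory.
    static File resolveUnchecked(File logDir, String sLogFile) {
        return new File(logDir.getPath() + File.separator + sLogFile);
    }

    // Hardened form: reject any separator or ".." in the name, then verify that the
    // canonical path is still inside the log directory before the file is opened.
    static File resolveChecked(File logDir, String sLogFile) throws IOException {
        if (sLogFile == null || sLogFile.isEmpty()
                || sLogFile.indexOf('/') >= 0 || sLogFile.indexOf('\\') >= 0
                || sLogFile.contains("..")) {
            throw new IllegalArgumentException("log file name contains a path separator or '..'");
        }
        File candidate = new File(logDir, sLogFile);
        String dirCanon = logDir.getCanonicalPath() + File.separator;
        String fileCanon = candidate.getCanonicalPath();
        if (!fileCanon.startsWith(dirCanon)) {
            throw new IllegalArgumentException("resolved path escapes the log directory");
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        // Assumed log directory; constructed sample names, one legitimate and two traversal attempts.
        File logDir = new File(System.getProperty("java.io.tmpdir"), "turbomail-logs");
        String[] names = { "catalina.2019-01-01.log",
                           "../../../../../../../../../../../../windows/win.ini",
                           "..\\..\\boot.ini" };
        for (String name : names) {
            try {
                System.out.println("accepted: " + resolveChecked(logDir, name).getName());
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + name + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

Only the first name is accepted; both traversal strings are rejected by the separator check before any filesystem access, and the canonical-path comparison catches anything a separator check alone might miss.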