FreePBX 'usersnum' Parameter Remote Command Execution Vulnerability

Published: 2014-02-23
Updated: 2014-02-25

Affected systems:
FreePBX FreePBX 2.x

Description:
--------------------------------------------------------------------------------
BUGTRAQ  ID: 65756

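FreePBX is an open-source web-based PBX solution.

FreePBX 2.x and other versions contain a remote command execution vulnerability in their implementation. An attacker can exploit it to execute arbitrary commands in the context of the affected application.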

<*Source: i-Hmx (n0p1337@gmail.com)
  *>

Test method:
--------------------------------------------------------------------------------

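Warning

The following program (method) may be offensive in nature and is provided for security research and teaching only. Use at your own risk!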

Vulnerable function "recording_addpage" @ admin/modules/recordings/page.recordings.php

function recording_addpage($usersnum) {
    global $fc_save;
    global $fc_check;
    global $recordings_save_path;

?>
    <div>
    <h2><?php echo _("System Recordings")?></h2>
    <h3><?php echo _("Add Recording") ?></h3>
    <h5><?php echo _("Step 1: Record or upload")?></h5>
    <?php if (!empty($usersnum)) {
    echo '<p>';
        echo _("Using your phone,")."<a href=\"#\" class=\"info\">"._(" dial")."&nbsp;".$fc_save." <span>";
        echo _("Start speaking at the tone. Press # when finished.")."</span></a>";
        echo _("and speak the message you wish to record. Press # when finished.")."\n";
    echo '</p>';
    } else { ?>
        <form action="<?php $_SERVER['PHP_SELF'] ?>" method="post">
        <input type="hidden" value="recordings">
        <?php
        echo _("If you wish to make and verify recordings from your phone, please enter your extension number here:"); ?>
        <input type="text" size="6" tabindex="<?php echo ++$tabindex;?>"> <input type="submit" value="<?php echo _("Go"); ?>" tabindex="<?php echo ++$tabindex;?>">
        </form>
    <?php } ?>
  <p></p>
    <form enctype="multipart/form-data" action="<?php echo $_SERVER['PHP_SELF'] ?>" method="POST">
        <?php echo _("Alternatively, upload a recording in any supported asterisk format. Note that if you're using .wav, (eg, recorded with Microsoft Recorder) the file <b>must</b> be PCM Encoded, 16 Bits, at 8000Hz")?>:<br>
        <input type="hidden" value="recordings">
        <input type="hidden" value="recordings_start">
        <input type="hidden" value="<?php echo $usersnum ?>">
        <input type="file" tabindex="<?php echo ++$tabindex;?>"/>
        <input type="button" value="<?php echo _("Upload")?>" onclick="document.upload.submit(upload);alert('<?php echo addslashes(_("Please wait until the page reloads."))?>');" tabindex="<?php echo ++$tabindex;?>"/>
    </form>
    <?php
    if (isset($_FILES['ivrfile']['tmp_name']) && is_uploaded_file($_FILES['ivrfile']['tmp_name'])) {
        if (empty($usersnum) || !ctype_digit($usersnum)) {
            $dest = "unnumbered-";
        } else {
            $dest = "{$usersnum}-";
        }
        $suffix = preg_replace('/[^0-9a-zA-Z]/','',substr(strrchr($_FILES['ivrfile']['name'], "."), 1));
        $destfilename = $recordings_save_path.$dest."ivrrecording.".$suffix;
        move_uploaded_file($_FILES['ivrfile']['tmp_name'], $destfilename);
        system("chgrp " . $amp_conf['AMPASTERISKGROUP'] . " " . $destfilename);
        system("chmod g+rw ".$destfilename);
        echo "<h6>"._("Successfully uploaded")." ".$_FILES['ivrfile']['name']."</h6>";
        $rname = rtrim(basename($_FILES['ivrfile']['name'], $suffix), '.');
    } ?>
    <form action="<?php $_SERVER['PHP_SELF'] ?>" method="post" onsubmit="return rec_onsubmit();">
    <input type="hidden" value="recorded">
    <input type="hidden" value="recordings">
    <input type="hidden" value="<?php echo $usersnum ?>">
    <?php
    if (!empty($usersnum)) { ?>
        <h5><?php echo _("Step 2: Verify")?></h5>
        <p> <?php echo _("After recording or uploading,")."&nbsp;<em>"._("dial")."&nbsp;".$fc_check."</em> "._("to listen to your recording.")?> </p>
        <p> <?php echo _("If you wish to re-record your message, dial")."&nbsp;".$fc_save; ?></p>
        <h5><?php echo _("Step 3: Name")?> </h5> <?php
    } else {
        echo "<h5>"._("Step 2: Name")."</h5>";
    } ?>
    <table>
        <tr valign="top">
            <td valign="top"><?php echo _("Name this Recording")?>: </td>
            <td><input type="text" value="<?php echo $rname; ?>" tabindex="<?php echo ++$tabindex;?>"></td>
        </tr>
    </table>
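
Added example, not part of the original advisory or of FreePBX's code: the upload branch above builds $destfilename by string concatenation and hands it to system() for the chgrp and chmod steps. The sketch below performs the same store-and-set-ownership step with PHP's native chgrp()/chmod() and a strict digits-only check on usersnum, so the path never reaches a shell. The function names, the /srv/recordings directory and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example (not FreePBX code): store an uploaded recording without a shell.
// $saveDir and $group stand in for $recordings_save_path and
// $amp_conf['AMPASTERISKGROUP'] from the function quoted above.

function recording_dest_path(string $saveDir, $usersnum, string $clientName): string
{
    // Allowlist the extension number: digits only, bounded length.
    // Anything else is treated as "unnumbered", as in the quoted code.
    $prefix = (is_string($usersnum) && preg_match('/\A[0-9]{1,10}\z/', $usersnum))
        ? $usersnum
        : 'unnumbered';

    // Keep only an alphanumeric suffix from the client-supplied file name.
    $ext    = pathinfo($clientName, PATHINFO_EXTENSION);
    $suffix = preg_replace('/[^0-9a-zA-Z]/', '', $ext);
    if ($suffix === '') {
        throw new InvalidArgumentException('missing file extension');
    }
    return rtrim($saveDir, '/') . '/' . $prefix . '-ivrrecording.' . $suffix;
}

function store_recording(string $tmpPath, string $destPath, string $group): void
{
    if (!is_uploaded_file($tmpPath) || !move_uploaded_file($tmpPath, $destPath)) {
        throw new RuntimeException('upload rejected');
    }
    // Native calls replace system("chgrp ...") and system("chmod g+rw ..."):
    // the path is passed as data to a syscall and is never parsed by /bin/sh.
    if (!chgrp($destPath, $group)) {
        throw new RuntimeException('chgrp failed');
    }
    $mode = fileperms($destPath) & 0777;
    if (!chmod($destPath, $mode | 0060)) { // equivalent of g+rw
        throw new RuntimeException('chmod failed');
    }
}

// Constructed inputs: a well-formed extension number, then one containing
// non-digit characters, which falls back to the "unnumbered" prefix.
echo recording_dest_path('/srv/recordings', '100', 'greeting.wav'), "\n";
echo recording_dest_path('/srv/recordings', '100; not-digits', 'greeting.w;av'), "\n";
```

Where a shell call cannot be avoided, each argument should be wrapped with escapeshellarg() before it is concatenated into the command string.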
