Mango cloud KODExlporer design flaws lead to arbitrary code execution-vulnerability warning-the black bar safety net

2014-09-25T00:00:00
ID MYHACK58:62201454018
Type myhack58
Reporter 佚名
Modified 2014-09-25T00:00:00

Description

http://www.wooyun.org/bugs/wooyun-2014-066056

About the content:

http://www.kalcaddle.com

The test account permissions: default

The problem is in the renaming.

I upload. php file is not executed, ok, then change suffix to. ph

After a successful upload, 改名.php, tips no limit.

Well, 改名.php ,rename is successful, white spaces are ignored, the file extension changed to php

Can be executed successfully.

From this example can be simply seen, the server side processing logic, it is likely to limit the Upload Directory executable permission to the directory does not allow execution of. PHP at the end of the program, 限制了文件的后缀是.PHP / author by modifying the suffix . PHP spaces. It is a breakthrough in the directory restrictions. Manufacturers reply that-is due to the judge not precise enough to cause a certain amount of security. Let me puzzled is - this kind of use of analytical vulnerability?

under linux a new 1. php spaces in File content is:<? php echo "1 1 1"?& gt;

Through URL access 无论 输入 的 是 1.php or 1. php spaces or is 1. php%2 0

the apache response is NOT Found

The same way to test in Windows found under the effect is the same。。。。

Why is it so?

web serverwhat is it? IIS apache nginx if not parsing parsing vulnerability, then is through the program black list to control whether the file can be executed. 黑白 名单 只是 单纯 的 过滤 了 .php – if the program is a black and white list of words- . PHP . PHp . pHp should be can.

Can think of only these.。。。。