WordPress是一款免费的论坛Blog系统。WordPress中负责上传文件的代码如下:漏洞文件:"wp-admin/includes/file.php" Bugtraq ID: 37005
Class: Input Validation Error
CVE:
Remote: Yes
Local: No
Published: Nov 11 2009 12:00AM
Updated: Nov 12 2009 03:56PM
Credit: Dawid Golunski
Vulnerable: WordPress WordPress 2.8.5
WordPress WordPress 2.8.4
WordPress WordPress 2.8.3
WordPress WordPress 2.8.2
WordPress WordPress 2.8.1
WordPress WordPress 2.8描述:
--------------------------------------------------------------------------------
BUGTRAQ ID: 37005WordPress是一款免费的论坛Blog系统。WordPress中负责上传文件的代码如下:wp-admin/includes/file.php:---[cut]---
line 217:
function wp_handle_upload( &$file, $overrides = false, $time = null ) {
---[cut]---
// All tests are on by default. Most can be turned off by $override[{test_name}] =
false; $test_form = true;
$test_size = true;// If you override this, you must provide $ext and $type!!!!
$test_type = true;
$mimes = false;
---[cut]---// A properly uploaded file will pass this test. There should be no reason to
override this one. if (! @ is_uploaded_file( $file["tmp_name"] ) )
return $upload_error_handler( $file, __( "Specified file failed upload test."
));// A correct MIME type will pass this test. Override $mimes or use the upload_mimes
filter. if ( $test_type ) {
$wp_filetype = wp_check_filetype( $file["name"], $mimes ); extract( $wp_filetype ); if ( ( !$type || !$ext ) && !current_user_can( "unfiltered_upload" ) )
return $upload_error_handler( $file,
__( "File type does not meet security guidelines. Try another." )); if ( !$ext )
$ext = ltrim(strrchr($file["name"], "."), "."); if ( !$type )
$type = $file["type"];
} else {
$type = "";
}// A writable uploads dir will pass this test. Again, there"s no point overriding
this one. if ( ! ( ( $uploads = wp_upload_dir($time) ) && false === $uploads["error"]
) ) return $upload_error_handler( $file, $uploads["error"] );$filename = wp_unique_filename( $uploads["path"], $file["name"],
$unique_filename_callback );// Move the file to the uploads dir
$new_file = $uploads["path"] . "/$filename";
if ( false === @ move_uploaded_file( $file["tmp_name"], $new_file ) ) {
return $upload_error_handler( $file,
sprintf( __("The uploaded file could not be moved to %s." ), $uploads["path"] )
); }
---[cut ]---从上面代码可见所提供的文件名由$wp_filetype = wp_check_filetype( $file["name"], $mimes );执行检查。以下是wp_check_filetype()函数:wp-includes/functions.php:---[cut]---
line 2228:function wp_check_filetype( $filename, $mimes = null ) {
// Accepted MIME types are set here as PCRE unless provided.
$mimes = ( is_array( $mimes ) ) ? $mimes : apply_filters( "upload_mimes",
array( "jpg|jpeg|jpe" => "image/jpeg",
"gif" => "image/gif",
"png" => "image/png",
"bmp" => "image/bmp",
"tif|tiff" => "image/tiff",
"ico" => "image/x-icon",
"asf|asx|wax|wmv|wmx" => "video/asf",
"avi" => "video/avi",
---[cut, more mime types]---
line 2279: $type = false;
$ext = false; foreach ( $mimes as $ext_preg => $mime_match ) {
$ext_preg = "!.(" . $ext_preg . ")$!i";
if ( preg_match( $ext_preg, $filename, $ext_matches ) ) {
$type = $mime_match;
$ext = $ext_matches[1];
break;
}
} return compact( "ext", "type" );
}文件的类型被设置为匹配所提供扩展名的预定义MIME类型,扩展名是从匹配最后一个句号后mime ext.字符串的正则表达式获得的。如果$type列表中没有扩展名,$ext就会被设置为FALSE,wordpress会生成以下出错消息:“File type does not meet security guidelines. Try another”。以下函数在文件上传之前对文件名执行了其他一些检查:$filename = wp_unique_filename( $uploads["path"], $file["name"], $unique_filename_callback );wp-includes/functions.php:line 2096:
function wp_unique_filename( $dir, $filename, $unique_filename_callback = null ) {
// sanitize the file name before we begin processing
$filename = sanitize_file_name($filename); ---[cut, code that only matters if uploaded file already exists]--- line 2126:
return $filename;
}如果要完全了解wordpress所执行的文件过滤,还要了解sanitize_file_name()函数:wp-includes/formatting.php:line 601:
function sanitize_file_name( $filename ) {
$filename_raw = $filename;
$special_chars = array("?", "[", "]", "/", "\", "=", "<", ">", ":", ";",
",", """, """, "&", "$", "#", "*", "(", ")", "|", "~", "`", "!", "{", "}",
chr(0));
$special_chars = apply_filters("sanitize_file_name_chars", $special_chars, $filename_raw); $filename = str_replace($special_chars, "", $filename);
$filename = preg_replace("/[s-]+/", "-", $filename);
$filename = trim($filename, ".-_");
return apply_filters("sanitize_file_name", $filename, $filename_raw);
}过滤过程没有考虑到带有多个扩展名的文件,用户可以上传带有.php.jpg扩展名的任意PHP脚本,并通过直接请求上传的文件来执行恶意脚本。Linux as 5 下 Apache 畸形php文件名执行漏洞GIMP BMP图形解析整数溢出漏洞相关资讯 漏洞 WordPress
- 大批 WordPress 网站被渗透 ,成为 (02月26日)
- WordPress 在Ubuntu下安装插件、主 (01月08日)
- 深入浅出讲述提升 WordPress 性能 (12/22/2015 07:49:45)
| - Ubuntu 14.04基于Nginx安装 (01月25日)
- 解决Ubuntu下WordPress设置固定链 (01月08??)
- WordPress.com 开源,发布桌面端应 (11/24/2015 15:54:59)
|
本文评论 查看全部评论 (0)
评论声明- 尊重网上道德,遵守中华人民共和国的各项有关法律法规
- 承担一切因您的行为而直接或间接导致的民事或刑事法律责任
- 本站管理人员有权保留或删除其管辖留言中的任意内容
- 本站有权在网站内转载或引用您的评论
- 参与本评论即表明您已经阅读并接受上述条款<
|
易网时代-编程资源站