CVE-2019-13396 FlightPath Local File Inclusion Vulnerability Reproduction

  • October 6, 2019
  • Notes

FlightPath is a degree-audit management system that is popular abroad. The degree audit is intended to help determine progress in a degree program, but it is not an official transcript. Although every effort has been made to ensure the accuracy of this system, you should check it carefully and report any discrepancies to your advisor.

FlightPath < 4.8.2 and < 5.0-rc2 allows directory traversal and local file inclusion via the form_include parameter of a POST request to index.php?q=system-handle-form-submit, because system_handle_form_submit in modules/system/system.module passes that parameter straight to include_once.

```php
function system_handle_form_submit() {
  $callback = $_REQUEST["callback"];
  $form_type = $_REQUEST["form_type"];
  $form_include = $_REQUEST["form_include"];
  $form_token = $_REQUEST["form_token"];

  // Make sure the form_token is valid!
  if ($form_token != md5($callback . fp_token())) {
    die(t("Sorry, but you have encountered an error.  A form submission was flagged
          as possibly being an invalid or forged submission.  This may constitute a bug
          in the system.  Please report this error to your Systems Administrator."));
  }

  if ($form_include != "") {
    // This is a file we need to include in order to complete the submission process.
    // VULNERABLE: $form_include is taken verbatim from the request and is never
    // validated or restricted to the application directory, so "../" sequences
    // reach include_once unchanged. Note also that the include runs before the
    // permission check below.
    include_once($form_include);
  }

  // We need to make sure the user has permission to submit this form!
  $form_path = $_REQUEST["form_path"];
  // Check the menu router table for whatever the permissions were for this
  // path, if any.
  if ($form_path != "") {
    $router_item = menu_get_item($form_path);
    if (!menu_check_user_access($router_item)) {
      // The user does NOT have access to submit this form!  The fact that
      // it has made it this far means this may be some sort of hacking attempt.
      die(t("Sorry, but you have encountered an error.  A form submission was flagged
          as possibly being an invalid or having insufficient permissions to submit.
          This may constitute a bug in the system.
          Please report this error to your Systems Administrator."));
    }
  }
  // ... (the remainder of the function is not shown in this excerpt)
}
```

Visit the home page, enter any username and password, capture the login request, and test the form_include parameter:

The contents of passwd are returned.

Hardening advice: upgrade to the latest version.
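For readers who maintain a patched fork or want to verify the fix pattern rather than only the version number, here is an added example of how an include path taken from a request can be constrained. This is not FlightPath's own code; the function name fp_safe_include_path() and the demo directory layout are hypothetical. The check resolves the candidate relative to the application root with realpath(), refuses anything that leaves that root, and only accepts regular files with an expected extension, so the traversal string used in the reproduction above is rejected before include_once is ever reached.

```php
<?php
// Added example, not FlightPath code. fp_safe_include_path() is a hypothetical helper.
declare(strict_types=1);

/**
 * Resolve $candidate relative to $base_dir and return the real path only if it
 * stays inside $base_dir and names a regular file with an allowed extension.
 * Returns null otherwise so the caller can refuse the submission.
 */
function fp_safe_include_path(string $candidate, string $base_dir,
                              array $allowed_ext = ['php', 'inc', 'module']): ?string
{
    // Empty input or embedded NUL bytes can never be a valid include target.
    if ($candidate === '' || strpos($candidate, "\0") !== false) {
        return null;
    }
    // Absolute paths, drive letters and stream wrappers (scheme://) are refused:
    // every includable file must be addressed relative to the application root.
    if ($candidate[0] === '/' || $candidate[0] === '\\'
        || preg_match('#^[A-Za-z]:|^[A-Za-z][A-Za-z0-9+.-]*://#', $candidate)) {
        return null;
    }
    $root = realpath($base_dir);
    if ($root === false) {
        return null;
    }
    // realpath() collapses ".." components, so a traversal outside the root
    // shows up as a prefix mismatch below instead of being silently followed.
    $real = realpath($root . DIRECTORY_SEPARATOR . $candidate);
    if ($real === false || !is_file($real)) {
        return null;
    }
    $root_prefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($real, $root_prefix, strlen($root_prefix)) !== 0) {
        return null;
    }
    $ext = strtolower(pathinfo($real, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowed_ext, true)) {
        return null;
    }
    return $real;
}

// --- Demonstration on a constructed directory tree (not a real FlightPath install) ---
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'fp_demo_' . bin2hex(random_bytes(4));
mkdir($base . '/modules/system', 0700, true);
file_put_contents($base . '/modules/system/system.module', "<?php\n// constructed module file\n");

$inputs = [
    'modules/system/system.module',       // legitimate module include
    '../../../../../../../etc/passwd',    // traversal out of the root, as in the reproduction
    '/etc/passwd',                        // absolute path
    "modules/system/system.module\0.txt", // NUL byte
];
foreach ($inputs as $in) {
    $resolved = fp_safe_include_path($in, $base);
    printf("%-40s -> %s\n", str_replace("\0", '\0', $in),
           $resolved === null ? 'REJECTED' : 'include ' . $resolved);
}

// Clean up the constructed tree.
unlink($base . '/modules/system/system.module');
rmdir($base . '/modules/system');
rmdir($base . '/modules');
rmdir($base);
```

In the vulnerable function the caller would replace `include_once($form_include);` with a call to this helper and `die()` on a null result. A stricter variant, where the set of includable files is small and known, is to replace the path check with a fixed allowlist of module file names and ignore the request value entirely; the containment check above is the more general form of the same fix. Note that the md5 form_token check already present in the function does not help here, because it covers only the callback name, not form_include.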

Download link: http://getflightpath.com/project/9/releases