CVE-2019-13396 FlightPath 本地文件包含漏洞复现
- 2019 年 10 月 6 日
- 筆記
FlightPath 是一款国外流行的学位管理系统,该学位审核系统旨在帮助确定学位课程的进度,但不是官方成绩单。虽然已尽力确保此系统的准确性,但您应仔细检查并向您的顾问报告任何差异。
FlightPath <4.8.2 & < 5.0-rc2允许通过index.php?q = system-handle-form-submit POST请求中的form_include参数进行目录遍历和本地文件包含,因为modules/system/system.module中的system_handle_form_submit中包含include_once 。
function system_handle_form_submit() { $callback = $_REQUEST["callback"]; $form_type = $_REQUEST["form_type"]; $form_include = $_REQUEST["form_include"]; $form_token = $_REQUEST["form_token"]; // Make sure the form_token is valid! if ($form_token != md5($callback . fp_token())) { die(t("Sorry, but you have encountered an error. A form submission was flagged as possibly being an invalid or forged submission. This may constitute a bug in the system. Please report this error to your Systems Administrator.")); } if ($form_include != "") { // This is a file we need to include in order to complete the submission process. include_once($form_include); } // We need to make sure the user has permission to submit this form! $form_path = $_REQUEST["form_path"]; // Check the menu router table for whatever the permissions were for this // path, if any. if ($form_path != "") { $router_item = menu_get_item($form_path) ; if (!menu_check_user_access($router_item)) { // The user does NOT have access to submit this form! The fact that // it has made it this far means this may be some sort of hacking attempt. die(t("Sorry, but you have encountered an error. A form submission was flagged as possibly being an invalid or having insufficient permissions to submit. This may constitute a bug in the system. Please report this error to your Systems Administrator.")); } }
访问首页,账户密码随便输入,抓包并在在form_include进行测试:
得到passwd内容值
加固建议升级到最新版。
下载链接:http://getflightpath.com/project/9/releases