Snitz Forums Avatar Module Arbitrary File Upload Vulnerability
<p>Affected systems:<br/>Snitz Forums v3.4 Avatar MOD v1.3<br/>Description:<br/>--------------------------------------------------------------------------------<br/>BUGTRAQ ID: 18014</p><p>Snitz Forums is forum software written in ASP that runs on the Windows platform.</p><p>The Avatar module of Snitz Forums allows portal site administrators to upload avatar images to the forum. A vulnerability in the avatar_upload.asp file of Snitz Forums allows remote users to upload arbitrary files.</p><p>Dim arrAllowedTypes<br/>arrAllowedTypes = Array(".jpg",".jpeg",".gif",".png")<br/>Dim strExtension<br/>strExtension = LCase(Mid(FileName,InStrRev(FileName,".")))<br/>Dim intForCounter<br/>Dim blnAllow : blnAllow = False</p><p>for intForCounter = 0 to Ubound(arrAllowedTypes)<br/> if strComp(strExtension,arrAllowedTypes(intForCounter),1) = 0 then<br/> blnAllow = True <br/> end if<br/>next<br/> <br/>if Not blnAllow then<br/> UploadMessage = "[" & strExtension & "] is not allowed."<br/> Exit Sub <br/>End if </p><p>The vulnerability is triggered when a null byte is embedded in the uploaded file name. The check above only inspects the text after the last "." in the name, so a name ending in .jpg passes even when a null byte appears earlier in it. If a user uploads a file named test.asp[NULLBYTE].jpg, the file test.asp is written to a writable directory under the web root.</p><p><*Source: Paul Craig (<a href="mailto:headpimp@pimp-industries.com">headpimp@pimp-industries.com</a>)</p><p>Links: <a href="http://marc.theaimsgroup.com/?l=bugtraq&m=114796489706591&w=2">http://marc.theaimsgroup.com/?l=bugtraq&m=114796489706591&w=2</a><br/> <a href="http://secunia.com/advisories/20148/print/">http://secunia.com/advisories/20148/print/</a><br/>*></p><p>Recommendation:<br/>--------------------------------------------------------------------------------<br/>Vendor patch:</p><p>Snitz Forums<br/>------------<br/>The vendor has not yet provided a patch or upgrade. Users of this software are advised to watch the vendor's home page for the latest version:</p><p><a href="http://www.snitzbitz.com/mods/details.asp?Version=All&mid=52">http://www.snitzbitz.com/mods/details.asp?Version=All&mid=52</a></p>
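A stricter server-side name check for the upload handler described above, as an added example in VBScript that is not Snitz or Avatar MOD code. The helper names `SafeAvatarExtension` and `StoredAvatarName`, the 64-character limit, the member ID and the sample names are assumptions; the check also rejects double extensions and path characters, which goes beyond the null-byte case in the advisory.

```vbscript
' Added example, not Snitz or Avatar MOD code. Helper names are hypothetical.
Option Explicit

' Returns the allow-listed extension (e.g. ".jpg"), or "" if the name is rejected.
Function SafeAvatarExtension(ByVal FileName)
    Dim arrAllowedTypes, strExtension, strChar, i, intDot
    Const ALLOWED_CHARS = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_-."
    SafeAvatarExtension = ""
    arrAllowedTypes = Array(".jpg", ".jpeg", ".gif", ".png")

    If Len(FileName) = 0 Or Len(FileName) > 64 Then Exit Function
    ' Explicit NUL check: an extension test alone never looks at this character.
    If InStr(FileName, Chr(0)) > 0 Then Exit Function

    ' Allow-list every character, so control characters and path
    ' separators are rejected as well.
    For i = 1 To Len(FileName)
        strChar = Mid(FileName, i, 1)
        If InStr(1, ALLOWED_CHARS, strChar, vbBinaryCompare) = 0 Then Exit Function
    Next

    ' Exactly one dot, and not in first position: rejects "x.asp.jpg" and ".jpg".
    intDot = InStr(FileName, ".")
    If intDot < 2 Or intDot <> InStrRev(FileName, ".") Then Exit Function

    strExtension = LCase(Mid(FileName, intDot))
    For i = 0 To UBound(arrAllowedTypes)
        If strExtension = arrAllowedTypes(i) Then SafeAvatarExtension = strExtension
    Next
End Function

' The stored name is built server-side: nothing from the client-supplied name
' except the validated extension reaches the file system call.
Function StoredAvatarName(ByVal lngMemberID, ByVal strExtension)
    StoredAvatarName = "avatar_" & CLng(lngMemberID) & strExtension
End Function

' Constructed sample names; run with cscript to print the decision for each.
Dim arrSamples, strName, strExt
arrSamples = Array("me.jpg", "test.asp" & Chr(0) & ".jpg", "x.asp.jpg", "..\a.png", "shot.PNG")
For Each strName In arrSamples
    strExt = SafeAvatarExtension(strName)
    If strExt = "" Then
        WScript.Echo "reject: " & Replace(strName, Chr(0), "[NUL]")
    Else
        WScript.Echo "accept: " & strName & " -> " & StoredAvatarName(42, strExt)
    End If
Next
```

Inside an ASP page the two functions can be used unchanged; only the sample loop depends on `WScript.Echo`.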