BUGTRAQ ID: 28278 CVE(CAN) ID: CVE-2008-1000 Mac OS X Server也被称为Leopard Server,是苹果发布的集成了多种功能的服务器。 MacOS X Server中默认启用的python Web服务器Wiki Server受目录遍历攻击的影响,远程攻击者可能利用此漏洞控制服务器。 可以编辑wiki内容的用户可以上传文件替换wiki服务器可写入的内容,导致以wiki服务器的权限执行任意代码。以下是/usr/share/wikid/lib/python/apple_wlt/ContentServer.py文件中有漏洞的代码段: /----------- def uploadFileCallback(self, result): filename, filetype, aFile = result[1][self.type][0] filename = filename.decode('utf-8') filename = filename.split('\\')[-1] # IE sends the whole path, including your local username. extension = filename.split('.')[-1] oldFilename = filename uploadType = os.path.split(self.fullpath)[-1] if uploadType == "images": filename = SettingsManager.findGoodName() + '.' + extension logging.debug("beginning file upload: %s" % filename) isImage = filenameIsImage(filename) newPath = ImageUtilities.findUniqueFileName(os.path.join(self.fullpath, filename), isImage = (not uploadType == 'attachments')) newFilename =...
BUGTRAQ ID: 28278 CVE(CAN) ID: CVE-2008-1000 Mac OS X Server也被称为Leopard Server,是苹果发布的集成了多种功能的服务器。 MacOS X Server中默认启用的python Web服务器Wiki Server受目录遍历攻击的影响,远程攻击者可能利用此漏洞控制服务器。 可以编辑wiki内容的用户可以上传文件替换wiki服务器可写入的内容,导致以wiki服务器的权限执行任意代码。以下是/usr/share/wikid/lib/python/apple_wlt/ContentServer.py文件中有漏洞的代码段: /----------- def uploadFileCallback(self, result): filename, filetype, aFile = result[1][self.type][0] filename = filename.decode('utf-8') filename = filename.split('\\')[-1] # IE sends the whole path, including your local username. extension = filename.split('.')[-1] oldFilename = filename uploadType = os.path.split(self.fullpath)[-1] if uploadType == "images": filename = SettingsManager.findGoodName() + '.' + extension logging.debug("beginning file upload: %s" % filename) isImage = filenameIsImage(filename) newPath = ImageUtilities.findUniqueFileName(os.path.join(self.fullpath, filename), isImage = (not uploadType == 'attachments')) newFilename = os.path.basename(newPath) if uploadType == "attachments": newParentFolder = os.path.dirname(newPath) os.mkdir(newParentFolder) newFilename = os.path.join(os.path.basename(newParentFolder), filename) [...] - -----------/ Apple MacOS X Server 10.5.2 Apple ----- 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: <a href=http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=18157&cat=57&platform=osx&method=sa/SecUpd2008-002.dmg target=_blank>http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=18157&cat=57&platform=osx&method=sa/SecUpd2008-002.dmg</a>
