BUGTRAQ ID: 25027 SecurityReporter是Sidewinder安全设备的安全事件分析和报表解决方案。 SecurityReporter的file.cgi文件允许用户绕过认证: 8 $name = $field{'name'}; 9 10 #for gif images we dont care about authorization so just serve it without 11 #bothering the reporting engine again. See bug: 3676 for details. 12 $dontvalidate = "false"; 13 if ($name =~ /^[a-zA-Z0-9\-\. _\/ ]+\.(gif)$/) { 14 $dontvalidate = "true"; 15 print "Content-Type: image/gif\n"; 16 binmode STDOUT; 17 } 18 elsif ($name =~ /^\/eventcache\//) { 19 $dontvalidate = "true"; 20 print "Content-Type: text/html\n"; 21 binmode STDOUT; 22} 如果name参数的值不匹配13行(可通过不请求.gif文件强制),就会检查18行的情况;如果name的值以/eventcache/目录开始的话,就会将$dontvalidate设置为true,这就禁用了用户验证。 此外file.cgi文件没有规格化用户输入及过滤句号和斜线/反斜线,可能导致目录遍历攻击: 165 #on windows 2003 IIS the cur dir is the root itself- dont know why so we try to open it in 166 #path relative to root if ../ from cgi-bin fails 167 open(f, "../$name") or open(f, "$name") or die...
BUGTRAQ ID: 25027 SecurityReporter是Sidewinder安全设备的安全事件分析和报表解决方案。 SecurityReporter的file.cgi文件允许用户绕过认证: 8 $name = $field{'name'}; 9 10 #for gif images we dont care about authorization so just serve it without 11 #bothering the reporting engine again. See bug: 3676 for details. 12 $dontvalidate = "false"; 13 if ($name =~ /^[a-zA-Z0-9\-\. _\/ ]+\.(gif)$/) { 14 $dontvalidate = "true"; 15 print "Content-Type: image/gif\n"; 16 binmode STDOUT; 17 } 18 elsif ($name =~ /^\/eventcache\//) { 19 $dontvalidate = "true"; 20 print "Content-Type: text/html\n"; 21 binmode STDOUT; 22} 如果name参数的值不匹配13行(可通过不请求.gif文件强制),就会检查18行的情况;如果name的值以/eventcache/目录开始的话,就会将$dontvalidate设置为true,这就禁用了用户验证。 此外file.cgi文件没有规格化用户输入及过滤句号和斜线/反斜线,可能导致目录遍历攻击: 165 #on windows 2003 IIS the cur dir is the root itself- dont know why so we try to open it in 166 #path relative to root if ../ from cgi-bin fails 167 open(f, "../$name") or open(f, "$name") or die "File($name): $!"; Secure Computing SecurityReporter 4.6.3 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: <a href="http://www.securecomputing.com/" target="_blank">http://www.securecomputing.com/</a>
