标题:asp eWebEditor v3.8 列目录漏洞(其他版本为测试)
漏洞文件:asp/browse.asp
漏洞产生:
Sub InitParam()
sType = UCase(Trim(Request.QueryString("type")))
sStyleName = Trim(Request.QueryString("style"))
sCusDir = Trim(Request.QueryString("cusdir"))
Dim i, aStyleConfig, bValidStyle
bValidStyle = False
For i = 1 To Ubound(aStyle)
aStyleConfig = Split(aStyle(i), "|||")
If Lcase(sStyleName) = Lcase(aStyleConfig(0)) Then
bValidStyle = True
Exit For
End If
Next
If bValidStyle = False Then
OutScript("alert('Invalid Style.')")
End If
sBaseUrl = aStyleConfig(19)
nAllowBrowse = CLng(aStyleConfig(43))
nCusDirFlag = Clng(aStyleConfig(61))
If nAllowBrowse <> 1 Then
OutScript("alert('Do not allow browse!')")
End If
If nCusDirFlag <> 1 Then
sCusDir = ""
Else
sCusDir = Replace(sCusDir, "", "/")
If Left(sCusDir, 1) = "/" Or Left(sCusDir, 1) = "." Or Right(sCusDir, 1) = "." Or InStr(sCusDir, "./") > 0 Or InStr(sCusDir, "/.") > 0 Or InStr(sCusDir, "//") > 0 Then
sCusDir = ""
Else
If Right(sCusDir, 1) <> "/" Then
sCusDir = sCusDir & "/"
End If
End If
End If
sUploadDir = aStyleConfig(3)
If Left(sUploadDir, 1) <> "/" Then
sUploadDir = "../" & sUploadDir
End If
Select Case sBaseUrl
Case "0"
sContentPath = aStyleConfig(23)
Case "1"
sContentPath = RelativePath2RootPath(sUploadDir)
Case "2"
sContentPath = RootPath2DomainPath(RelativePath2RootPath(sUploadDir))
End Select
sUploadDir = sUploadDir & sCusDir
sContentPath = sContentPath & sCusDir
Select Case sType
Case "FILE"
sAllowExt = ""
Case "MEDIA"
sAllowExt = "rm|mp3|wav|mid|midi|ra|avi|mpg|mpeg|asf|asx|wma|mov"
Case "FLASH"
sAllowExt = "swf"
Case Else
sAllowExt = "bmp|jpg|jpeg|png|gif"
End Select
sCurrDir = sUploadDir
sDir = Trim(Request("dir"))
'1.假设dir= ../
'2.假设dir=...//
'3.假设dir=.....///
sDir = Replace(sDir, "", "/") '过滤1
sDir = Replace(sDir, "../", "") '过滤2
'1.到这里就被过滤了
sDir = Replace(sDir, "./", "") '过滤3
'2到这里也被功率了
'3到这里就成../了。比较有趣的饶过!好象不少cms这样过滤过。[/color]
If sDir <> "" Then
If CheckValidDir(Server.Mappath(sUploadDir & sDir)) = True Then
sCurrDir = sUploadDir & sDir & "/"
Else
sDir = ""
End If
End If
End Sub