Cloupia End-to-end FlexPod Management – Directory Traversal

• Exploit Database
• 119 阅读

• 作者： Chris Rock
  日期： 2012-01-15
• 类别：

  • webapps
  平台：

  • jsp
• 来源：https://www.exploit-db.com/exploits/18373/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166

  *Cloupia End-to-end FlexPod Management - Directory Traversal Vulnerability***   *Advisory Information*   Advisory ID: KUSTODIAN-2011-011   Date published: Jan 13, 2011   *Vulnerability Information*   Class: Directory Traversal   Remotely Exploitable: Yes   Locally Exploitable: Yes   *Software Description*   Provides end-to-end FlexPod management and automation across physical, virtual, compute, storage and network resources.   Create internal private clouds rapidly with internal standards and procedures to maximize the infrastructure investments.       Provides comprehensive physical and virtual infrastructure management and automation.   Provides unified solution and single pane of glass for consistent and connected experience across private, public & hybrid clouds.   *Vulnerability Description*   jQuery File Tree is a configurable, AJAX file browser plugin for the jQuery javascript library utilised within the Cloupia application framework.   Unauthenticated access to this module allows a remote attacker to browse the entire file system of the host server, beyond the realm of the web service itself.   Cloupia are aware of this flaw and are releasing a patch to mitigate access. End users are urged to update immediately by contacting the vendor.   http://www.cloupia.com       * **Technical Description*   The following process performed as an attacker to exploit this vulnerability would be as follows:   The code for the jQuery File Tree Java-Server-Page file reads as follows:   <%@ page   import="java.io.File,java.io.FilenameFilter,java.util.Arrays"%>   <%   /**   * jQuery File Tree JSP Connector   * Version 1.0   * Copyright 2008 Joshua Gould   * 21 April 2008   */   String dir = request.getParameter("dir");   if (dir == null) {   return;   }       if (dir.charAt(dir.length()-1) == &apos;\\&apos;) {   dir = dir.substring(0, dir.length()-1) + "/";   } else if (dir.charAt(dir.length()-1) != &apos;/&apos;) {   dir += "/";   }   if (new File(dir).exists()) {   String[] files = new File(dir).list(new FilenameFilter() {   public boolean accept(File dir, String name) {   return name.charAt(0) != &apos;.&apos;;   }   });   Arrays.sort(files, String.CASE_INSENSITIVE_ORDER);   out.print("<ul class=\"jqueryFileTree\" style=\"display: none;\">");   // All dirs   for (String file : files) {   if (new File(dir, file).isDirectory()) {   out.print("<li class=\"directory collapsed\"><a href=\"#\" rel=\"" + dir + file + "/\">"   + file + "</a></li>");   }   }   // All files   for (String file : files) {   if (!new File(dir, file).isDirectory()) {   int dotIndex = file.lastIndexOf(&apos;.&apos;);   String ext = dotIndex > 0 ? file.substring(dotIndex + 1) : "";   out.print("<li class=\"file ext_" + ext + "\"><a href=\"#\" rel=\"" + dir + file + "\">"   + file + "</a></li>");   }   }   out.print("</ul>");   }   %>           *Credits*   This vulnerability was discovered by Chris Rock <team@kustodian.com> and from Kustodian www.Kustodian.com.   *Disclaimer*   The contents of this advisory are copyright (c) Kustodian Security and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.