EduSoho 最新版两处泄露accessKey和secretKey

### 简要描述： 可在官网重新绑定，发送云短信，下载安装应用。 ### 详细说明： 出现问题的地方在安装文件/start-install.php ``` <?php use Composer\Autoload\ClassLoader; require __DIR__.'/../../vendor/autoload.php'; $loader = new Twig_Loader_Filesystem(__DIR__ . '/templates'); $twig = new Twig_Environment($loader, array( 'cache' => false, )); $twig->addGlobal('edusho_version', \Topxia\System::VERSION); $step =intval(empty($_GET['step']) ? 0 : $_GET['step']); $functionName = 'install_step' . $step; $functionName(); use Topxia\Service\Common\ServiceKernel; use Topxia\Service\User\CurrentUser; use Topxia\Service\CloudPlatform\KeyApplier; use Symfony\Component\HttpFoundation\ParameterBag; function check_installed() { if (array_key_exists('nokey', $_GET)) { setcookie('nokey', 1); $_COOKIE['nokey'] = 1; } if (file_exists(__DIR__ . '/../../app/data/install.lock')) { exit('already install.'); } } function install_step0() { check_installed(); global $twig; echo $twig->render('step-0.html.twig', array('step' => 0)); } function install_step1() { check_installed(); global $twig; $pass = true; $env = array(); $env['os'] = PHP_OS; $env['phpVersion'] = PHP_VERSION; $env['phpVersionOk'] = version_compare(PHP_VERSION, '5.3.0') >= 0; $env['pdoMysqlOk'] = extension_loaded('pdo_mysql'); $env['uploadMaxFilesize'] = ini_get('upload_max_filesize'); $env['uploadMaxFilesizeOk'] = intval($env['uploadMaxFilesize']) >= 2; $env['postMaxsize'] = ini_get('post_max_size'); $env['postMaxsizeOk'] = intval($env['postMaxsize']) >= 8; $env['maxExecutionTime'] = ini_get('max_execution_time'); $env['maxExecutionTimeOk'] = ini_get('max_execution_time') >= 30; $env['mbstringOk'] = extension_loaded('mbstring'); $env['gdOk'] = extension_loaded('gd'); $env['curlOk'] = extension_loaded('curl'); if (!$env['phpVersionOk'] or !$env['pdoMysqlOk'] or !$env['uploadMaxFilesizeOk'] or !$env['postMaxsizeOk'] or !$env['maxExecutionTimeOk'] or !$env['mbstringOk'] or !$env['curlOk'] or !$env['gdOk']) { $pass = false; } $paths = array( 'app/config/parameters.yml', 'app/data/udisk', 'app/data/private_files', 'web/files', 'app/cache', 'app/data', 'app/logs', ); $checkedPaths = array(); foreach ($paths as $path) { $checkedPath = __DIR__ . '/../../' . $path; $checked = is_executable($checkedPath) && is_writable($checkedPath) && is_readable($checkedPath); if (PHP_OS == 'WINNT') { $checked = true; } if (!$checked) { $pass = false; } $checkedPaths[$path] = $checked; } $safemode = ini_get('safe_mode'); if($safemode == 'On') $pass = false; echo $twig->render('step-1.html.twig', array( 'step' => 1, 'env' => $env, 'paths' => $checkedPaths, 'safemode' => $safemode, 'pass' => $pass )); } function install_step2() { check_installed(); } function install_step3() { check_installed(); } function install_step4() { global $twig; $userAgent = 'EduSoho Install Client 1.0'; $connectTimeout = 10; $timeout = 10; $url = "http://open.edusoho.com/api/v1/block/two_dimension_code"; $curl = curl_init(); curl_setopt($curl, CURLOPT_USERAGENT, $userAgent); curl_setopt($curl, CURLOPT_CONNECTTIMEOUT, $connectTimeout); curl_setopt($curl, CURLOPT_TIMEOUT, $timeout); curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1); curl_setopt($curl, CURLOPT_HEADER, 0); curl_setopt($curl, CURLOPT_URL, $url ); $response = curl_exec($curl); curl_close($curl); $response = json_decode($response, true); echo $twig->render('step-4.html.twig', array( 'step' => 4, "response"=>$response, )); } /** * 生产Key */ function install_step999() { if (empty($_COOKIE['nokey'])) { session_start(); $connection = _create_connection(); $serviceKernel = ServiceKernel::create('prod', true); $serviceKernel->setParameterBag(new ParameterBag(array( 'kernel' => array( 'root_dir' => realpath(__DIR__ . '/../../app'), ) ))); $serviceKernel->setConnection($connection); $init = new SystemInit(); $key = $init->initKey(); echo json_encode($key); } else { echo json_encode(array( 'accessKey' => '__NOKEY__', 'secretKey' => '__NOKEY__', )); } } ``` 程序有判断是否安装过，但是遗漏了两处； 第一处在step4、第二处在step999； 这两个函数都没有限制访问、也没有check_installed。 看到step4和step999直接输出了accessKey和secretKey。 ``` echo $twig->render('step-4.html.twig', array( 'step' => 4, "response"=>$response, )); ``` 访问测试一下 [<img src="https://images.seebug.org/upload/201504/09171919c266119fd2b67e7315e6ecbb0e75f1e2.png" alt="屏幕快照 2015-04-09 下午5.19.00.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201504/09171919c266119fd2b67e7315e6ecbb0e75f1e2.png) [<img src="https://images.seebug.org/upload/201504/09171928b85b631a1bf552d4fc70ecffbc20886b.png" alt="屏幕快照 2015-04-09 下午5.18.32.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201504/09171928b85b631a1bf552d4fc70ecffbc20886b.png) 登陆官网重新授权： 点击重新绑定后，绑定另外一个站的授权成功 [<img src="https://images.seebug.org/upload/201504/09172141dc1e92b2cc840b89d96456b0a89d95ba.png" alt="屏幕快照 2015-04-09 下午5.20.55.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201504/09172141dc1e92b2cc840b89d96456b0a89d95ba.png) 然后我们就可以给网站用户发送云短信，安装应用了 [<img src="https://images.seebug.org/upload/201504/091723099a6709dd23f7212b867955965ca947c8.png" alt="屏幕快照 2015-04-09 下午5.22.29.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201504/091723099a6709dd23f7212b867955965ca947c8.png) ### 漏洞证明： [<img src="https://images.seebug.org/upload/201504/09172325608179b329aa9e317c361fbf35afad54.png" alt="屏幕快照 2015-04-09 下午5.19.00.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201504/09172325608179b329aa9e317c361fbf35afad54.png)