CVE-2019-13396: reproducing the FlightPath local file inclusion vulnerability

FlightPath is a degree-audit system that is popular outside China. The audit is intended to help determine progress toward a degree program; it is not an official transcript. Although every effort has been made to make the system accurate, students are expected to double-check it and report any discrepancy to their advisor.
FlightPath before 4.8.2, and 5.x before 5.0-rc2, allows directory traversal and local file inclusion through the form_include parameter of a POST request to index.php?q=system-handle-form-submit, because system_handle_form_submit in modules/system/system.module passes that parameter straight to include_once.

// Excerpt of system_handle_form_submit() from modules/system/system.module (vulnerable version).
function system_handle_form_submit() {

  $callback = $_REQUEST["callback"];

  $form_type = $_REQUEST["form_type"];
  $form_include = $_REQUEST["form_include"];

  $form_token = $_REQUEST["form_token"];
  // Make sure the form_token is valid!
  if ($form_token != md5($callback . fp_token())) {
    die(t("Sorry, but you have encountered an error.  A form submission was flagged
          as possibly being an invalid or forged submission.  This may constitute a bug
          in the system.  Please report this error to your Systems Administrator."));
  }

  if ($form_include != "") {
    // This is a file we need to include in order to complete the submission process.
    // The value comes straight from the request and is never validated before inclusion.
    include_once($form_include);
  }

  // We need to make sure the user has permission to submit this form!
  // Note that this check happens only AFTER the include above has already run.
  $form_path = $_REQUEST["form_path"];
  // Check the menu router table for whatever the permissions were for this
  // path, if any.
  if ($form_path != "") {
    $router_item = menu_get_item($form_path) ;
    if (!menu_check_user_access($router_item)) {
      // The user does NOT have access to submit this form!  The fact that
      // it has made it this far means this may be some sort of hacking attempt.
      die(t("Sorry, but you have encountered an error.  A form submission was flagged
          as possibly being an invalid or having insufficient permissions to submit.
          This may constitute a bug in the system.
          Please report this error to your Systems Administrator."));

    }
  }

  // ... remainder of the function omitted in this excerpt.
}

Open the login page, enter any username and password, intercept the request, and test the form_include parameter:

The contents of passwd are returned in the response.

Mitigation: upgrade to the latest version.
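Upgrading is the correct fix. To show what the vendor-side hardening has to achieve, here is an added example (not FlightPath's own code) that models the unvalidated include above beside a resolver that canonicalises the value, pins it inside an assumed modules directory, and rejects wrappers, absolute paths and unexpected extensions. The directory layout and file names are constructed for the example.

```python
import os
import tempfile
from typing import Optional

# Constructed stand-in for a FlightPath install root and its modules directory
# (hypothetical layout, created only so the example runs offline).
ROOT = tempfile.mkdtemp()
MODULES_DIR = os.path.join(ROOT, "modules")
os.makedirs(os.path.join(MODULES_DIR, "system"))
with open(os.path.join(MODULES_DIR, "system", "system.forms.inc"), "w") as fh:
    fh.write("<?php // placeholder form handler include\n")

# Extensions a form-handler include is expected to carry (assumption for this example).
ALLOWED_SUFFIXES = (".inc", ".module")


def vulnerable_include_target(form_include: str) -> str:
    """Mirrors the original behaviour: whatever the client sent is exactly the path
    that include_once() opens. No validation of any kind."""
    return form_include


def safe_include_target(form_include: str, base_dir: str = MODULES_DIR) -> Optional[str]:
    """Hardened resolution. The value must be a plain relative path that, after
    canonicalisation, still lies inside base_dir, names an existing file and has an
    expected extension. Returns the canonical path, or None when it must be rejected."""
    if not form_include:
        return None
    # Stream wrappers (php://, data:, http://), absolute paths and embedded NULs are
    # never legitimate for a handler include; refuse them before touching the filesystem.
    if "://" in form_include or os.path.isabs(form_include) or "\x00" in form_include:
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, form_include))
    # realpath() has collapsed any ".." segments; if the result left base_dir, it was traversal.
    if os.path.commonpath([base, candidate]) != base:
        return None
    if not candidate.endswith(ALLOWED_SUFFIXES) or not os.path.isfile(candidate):
        return None
    return candidate
```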

Download link: http://getflightpath.com/project/9/releases

For more vulnerability reproductions, follow the WeChat public account 【安全漏洞环境学习】.
