eClass平台允许用户在未进行身份验证的情况下下载任意文件

该漏洞的影响非常严重，攻击者可以通过构造恶意的 URL 请求，访问 eClass 系统中的任意文件，无需进行身份验证。这可能包括源代码、配置文件、数据库备份等敏感信息。攻击者可以利用这些信息进行进一步的攻击，例如，通过下载包含恶意代码的文件，在受害者系统上执行恶意操作，或者通过泄露数据库备份文件，获取用户凭据。由于无需身份验证，该漏洞的攻击难度较低，攻击范围广泛，潜在的危害性极大。

Educational institutions and organizations utilizing BroadLearning eClass are at significant risk. Specifically, those running older, unpatched versions of eClass (≤2.25.10.2.1) are highly vulnerable. Shared hosting environments where multiple users share the same server instance are also at increased risk, as a compromise of one eClass instance could potentially affect others.

• php: Examine web server access logs for requests to download_attachment.php originating from unusual IP addresses or user agents.

 grep 'download_attachment.php' /var/log/apache2/access.log | grep -v '127.0.0.1' 

• php: Check for the presence of the download_attachment.php file in the templates and home directories of the eClass installation.

 find /var/www/html/eclass -name 'download_attachment.php' 

• generic web: Monitor network traffic for HTTP requests containing the download_attachment.php URL. • generic web: Review eClass configuration files for any unusual or unauthorized access controls related to file downloads.

1. 2019-07-11Disclosure

   disclosure

1. 已保留2019-03-19
2. 发布日期2019-07-11
3. 修改日期2024-09-16
4. EPSS 更新日期2026-04-02

针对 CVE-2019-9886 漏洞，最有效的缓解措施是立即更新 BroadLearning eClass 至 2.25.10.2.1 或更高版本。如果无法立即更新，可以考虑以下临时缓解措施：限制对 download_attachment.php 文件的访问权限，只允许授权用户访问；配置 Web 应用防火墙 (WAF)，阻止包含恶意参数的请求；监控系统日志，检测异常的文件访问行为。更新后，请确认漏洞已修复，可以通过尝试访问受影响的文件，验证是否需要身份验证。