pluck 4.6 arbitrary file read vulnerability

2009-03-15T00:00:00
ID MYHACK58:62200922522
Type myhack58
Reporter Anonymous
Modified 2009-03-15T00:00:00

Description

by:xhming

data/modules/albums/pages_admin/albums_getimage.php

....................................

$image = $_GET['image'];
if (!eregi("thumb", $image)) {
    if (preg_match("#([.])([/])([A-Za-z0-9.]{0,11})#", $image, $matches)) {
        if ($image != $matches[0]) {
            unset($image);
            die("A hacking attempt has been detected. For security reasons, we're blocking any code execution.");
        }
    }
}
elseif (eregi("thumb", $image)) {
    // the regular expression match has a problem!
    if (preg_match("#([.*])([/])thumb([/])([A-Za-z0-9.]{0,11})#", $image, $matches)) {
        if ($image != $matches[0]) {
            unset($image);
            die("A hacking attempt has been detected. For security reasons, we're blocking any code execution.");
        }
    }
}

if (file_exists("../../../../data/settings/modules/albums/$image")) {
    // generate the image, make sure it doesn't end up in the visitor's buffer
    header("Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0");
    header("Expires: Mon, 19 Nov 1981 08:52:00 GMT");
    header("Pragma: no-cache");
    header("Content-Type: image/jpeg");
    echo readfile("../../../../data/settings/modules/albums/$image"); // triggers the vulnerability
}

Clearly the check if (preg_match("#([.*])([/])thumb([/])([A-Za-z0-9.]{0,11})#", $image, $matches)) is flawed: as long as our $image variable contains the string "thumb", its detection can be bypassed! The request is rejected only when the pattern matches and the match differs from $image; a value that does not match the pattern at all is never checked and is passed on to file_exists() and readfile().

Local test, as shown in the figure:

[Figure: local test result]
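A hardened form of the lookup, as an added example that is not pluck's code and not the fix the project shipped: it treats a failed pattern match as a rejection, anchors the pattern at both ends, and confirms the canonical path is still under the album directory. ALBUM_ROOT, resolve_album_image(), the "album/file.jpg" and "album/thumb/file.jpg" layout and the name pattern are assumptions made for the example.

```php
<?php
// Added example, not pluck's code. ALBUM_ROOT, the function name and the
// "<album>/<file>.jpg" / "<album>/thumb/<file>.jpg" layout are assumptions.
const ALBUM_ROOT = __DIR__ . '/data/settings/modules/albums';

/**
 * Return the absolute path of the requested album image, or null when the
 * request must be rejected.
 */
function resolve_album_image($requested, $root = ALBUM_ROOT)
{
    if (!is_string($requested)) {
        return null; // array input such as image[]=x is rejected
    }
    // Allow-list anchored with \A and \z: the whole value must match.
    // Unlike the original check, no match means no file.
    $name = '[A-Za-z0-9_-]{1,64}';
    if (!preg_match("#\\A$name/(?:thumb/)?$name\\.jpe?g\\z#", $requested)) {
        return null;
    }
    // Canonicalise (resolves "..", symlinks) and confirm containment.
    $base = realpath($root);
    $path = realpath($root . '/' . $requested);
    if ($base === false || $path === false) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return is_file($path) ? $path : null;
}

$path = resolve_album_image(isset($_GET['image']) ? $_GET['image'] : null);
if ($path === null) {
    http_response_code(404);
    exit;
}
header('Content-Type: image/jpeg');
header('Cache-Control: no-store');
readfile($path); // no echo: readfile() already writes the file to output
```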