PHPCMS2008 version 100527 website management system arbitrary file download vulnerability

2010-06-12T00:00:00
ID MYHACK58:62201027178
Type myhack58
Reporter Anonymous
Modified 2010-06-12T00:00:00

Description

Phpcms is a web content management system built on a PHP+MySQL architecture, and it is an open-source PHP development platform. Phpcms is developed in a modular way; it is functional, easy to use and easy to extend, and provides a heavyweight site-building solution for medium and large sites. Over 3 years, the Phpcms team's long-term accumulation of Web development and database experience and its design philosophy of innovation and the pursuit of perfection have earned Phpcms the recognition of nearly 10 million sites, and it is increasingly being used on large and medium-sized business websites.

After the phpcms2008sp4 arbitrary file download vulnerability was published, the official patch of the 27th is this:

down.php

    if(preg_match('/\.php/i',$f) || strpos($f, ":\\")) showmessage('address error'); // line 12

Before the patch it was this:

    if(preg_match('/\.php$/',$f) || strpos($f, ":\\")) showmessage('address error'); // line 12

The difference between the two is easy to see: the patch removes the $ anchor and adds the i flag, so .php is now matched anywhere in $f and regardless of case. But the same file still contains this:

    parse_str($a_k); // line 8

Called with a single argument, parse_str() turns every key in the string into a variable in the current scope. Knowing that, there is a better way to use it. Look at the file download.php:

    if($m) $fileurl = trim($s).trim($fileurl); // around line 25

Nothing more needs to be said: by using parse_str this way, any file can be downloaded. Moreover, parse_str can also be used in other places, for example to overwrite some of the variables that follow.
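A hardened way to handle the decoded token, as an added example that is not PHPCMS code and not part of the original advisory: it parses into an array instead of the local scope and checks the canonical path against an upload root. The function resolve_download(), the uploadfile directory and the extension allowlist are assumptions made for illustration.

```php
<?php
// Added example, not PHPCMS code: resolve_download(), $uploadRoot and the
// extension allowlist are hypothetical names chosen for illustration.
function resolve_download(string $decoded, string $uploadRoot): ?string
{
    // Parse into a local array so the token cannot create or overwrite
    // variables in the calling scope, unlike parse_str($a_k).
    $params = [];
    parse_str($decoded, $params);

    // Read only the expected key. Extra keys such as s and m are ignored,
    // so nothing can be prepended to the path later.
    $f = $params['f'] ?? null;
    if (!is_string($f) || $f === '' || strpos($f, "\0") !== false) {
        return null;
    }

    // Canonicalise first, then test containment, so ../ and symlinks are
    // resolved before the decision is made.
    $root = realpath($uploadRoot);
    $path = realpath($uploadRoot . DIRECTORY_SEPARATOR . $f);
    if ($root === false || $path === false || !is_file($path)) {
        return null;
    }
    if (strncmp($path, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }

    // Allowlist the extension of the resolved file instead of running a
    // ".php" blocklist regex over the raw input.
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    return in_array($ext, ['zip', 'rar', 'pdf', 'doc', 'txt'], true) ? $path : null;
}

// Constructed sample files in a temporary directory.
$base = sys_get_temp_dir() . '/dl_demo_' . getmypid();
mkdir("$base/uploadfile", 0700, true);
mkdir("$base/include", 0700, true);
file_put_contents("$base/uploadfile/manual.pdf", 'demo');
file_put_contents("$base/include/config.inc.php", '<?php // constructed');

$root = "$base/uploadfile";
var_dump(resolve_download('f=manual.pdf', $root));
var_dump(resolve_download('f=../include/config.inc.php', $root));
var_dump(resolve_download('f=p&s=include/config.inc.ph&m=1', $root));
```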

Exploit:

A registered member publishes a download article, which does not require approval. Download address: downp&s=include/config.inc.ph&m=1 Then preview the article and click download.