phpcms 2008 sp4 path disclosure and arbitrary file deletion vulnerability

ID MYHACK58:62201028029
Type myhack58
Reporter Anonymous
Modified 2010-10-05T00:00:00


One page does no error handling, which discloses the site's absolute path, and lax filtering lets a malicious attacker delete any file on the website.

corpandresize/config.inc.php defines:

$tmp = $_COOKIE['tmp'];

define("TMP_PATH", $tmp);

corpandresize/process.php uses TMP_PATH. The series of conditions in front of the call are easy to satisfy and are all user-controllable:

Line 76: @unlink(TMP_PATH.'/'.$thumbfile);

$_COOKIE['tmp'] goes into unlink() without any check, so modifying the cookie is enough to delete any file on the website.
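One way to close the hole described above, as an added example that is not phpcms code: resolve the cookie-supplied directory with realpath() and call unlink() only when the result is a file inside a fixed server-side temp directory. The function name confined_path, the sandbox layout and the sample inputs are hypothetical and constructed for the demonstration.

```php
<?php
// Added example, not phpcms code. Directory layout and names are hypothetical.
ini_set('display_errors', '0');   // errors go to the log, not the page (no path disclosure)

// Return the real path of $dir/$file only if it is a file inside $base, else null.
function confined_path(string $base, string $dir, string $file): ?string
{
    // Reject NUL bytes: old PHP versions truncated the path at "\0".
    if (strpos($dir . $file, "\0") !== false) {
        return null;
    }
    $realBase = realpath($base);
    if ($realBase === false) {
        return null;
    }
    // basename() strips directory parts from the file name; realpath()
    // then collapses "../" and symlinks in the cookie-supplied directory.
    $candidate = realpath($realBase . '/' . $dir . '/' . basename($file));
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }
    // The resolved path must still begin with "<base>/".
    $prefix = $realBase . DIRECTORY_SEPARATOR;
    return strncmp($candidate, $prefix, strlen($prefix)) === 0 ? $candidate : null;
}

// Constructed sandbox: <root>/index.php sits outside <root>/tmp, the only deletable area.
$root = sys_get_temp_dir() . '/confine_demo_' . getmypid();
mkdir($root . '/tmp/sess1', 0700, true);
file_put_contents($root . '/index.php', '<?php // stand-in home page');
file_put_contents($root . '/tmp/sess1/thumb.jpg', 'x');

// Constructed inputs: [cookie "tmp" value, thumbnail file name].
$cases = [['sess1', 'thumb.jpg'], ['..', 'index.php'], ["../index.php\0", 'thumb.jpg']];
foreach ($cases as [$tmp, $thumb]) {
    $path = confined_path($root . '/tmp', $tmp, $thumb);
    if ($path !== null) {
        unlink($path);            // only reached for files inside <root>/tmp
    }
    echo json_encode($tmp), ' => ', $path === null ? 'rejected' : 'deleted', "\n";
}
// Confirm the file outside <root>/tmp was not touched.
var_dump(file_exists($root . '/index.php'));
```

The stronger fix is to stop taking the directory from the cookie at all and keep it in server-side session state; the confinement check then serves as a second layer.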

I googled a bit and found that someone online disclosed, in May, a path disclosure problem caused by another file in the same directory, but the analysis was not detailed enough and the method of use was also slightly troublesome; the way given here is simpler.

Access as a logged-in registered user


This discloses the absolute path, which is useful when collecting information but otherwise offers nothing to exploit.

In the cookies, add an entry or modify the original value to tmp=../index.php%00 and the home page file can be deleted.

During testing, the official demo site turned out not to work... However, a local test with the latest official installation package was OK, and in large-scale testing of sites on the Internet it hit every time~

First published by: CnCxzSec(failure Aberdeen)