phpcms 2008 sp4 path disclosure and arbitrary file deletion vulnerability - vulnerability warning - the black bar safety net

2010-10-05T00:00:00
ID MYHACK58:62201028029
Type myhack58
Reporter Anonymous
Modified 2010-10-05T00:00:00

Description

One page has no error handling, which discloses the absolute path, and because the filtering is not strict a malicious attacker can delete any file on the website.

corpandresize/config.inc.php defines:

$tmp = $_COOKIE['tmp'];

define("TMP_PATH", $tmp);

corpandresize/process.php then uses TMP_PATH. The series of conditions in front of the call are easy to satisfy and are all user-controllable (line 76):

@unlink(TMP_PATH.'/'.$thumbfile);

$_COOKIE['tmp'] goes straight into unlink() without any check, so modifying the cookie is enough to delete any file on the website.
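A hardened form of the same deletion step, as an added example that is not phpcms code: the base directory is fixed on the server instead of being read from the cookie, and the only client-supplied value is a file name that is validated and containment-checked before unlink(). The names TMP_BASE, safe_tmp_path and delete_thumb, the tmp directory location and the allowed extensions are assumptions made for illustration.

```php
<?php
declare(strict_types=1);
// Added example, not phpcms code. TMP_BASE and both function names are hypothetical.
ini_set('display_errors', '0');      // errors go to the log, not into the response
const TMP_BASE = __DIR__ . '/tmp';   // fixed server-side directory (assumed location)

function safe_tmp_path(string $name): ?string
{
    // Reject NUL bytes (%00 truncation) and anything carrying a directory component.
    if ($name === '' || strpos($name, "\0") !== false || $name !== basename($name)) {
        return null;
    }
    // Allow-list the characters and extensions (assumed: image thumbnails only).
    if (!preg_match('/\A[A-Za-z0-9_-]+\.(?:gif|jpe?g|png)\z/', $name)) {
        return null;
    }
    $base = realpath(TMP_BASE);
    $real = realpath(TMP_BASE . '/' . $name);   // false when the file does not exist
    if ($base === false || $real === false) {
        return null;
    }
    // Containment check after symlinks and dot segments have been resolved.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0 ? $real : null;
}

function delete_thumb(string $name): bool
{
    $path = safe_tmp_path($name);
    // No @ suppression: a failed unlink() is logged rather than silently ignored.
    return $path !== null && is_file($path) && unlink($path);
}

// Constructed demo input: one legitimate thumbnail plus hostile values.
if (PHP_SAPI === 'cli') {
    is_dir(TMP_BASE) || mkdir(TMP_BASE);
    file_put_contents(TMP_BASE . '/thumb_1.gif', 'x');
    foreach (['thumb_1.gif', '../index.php', "../index.php\0", '/etc/passwd'] as $n) {
        $shown = json_encode($n, JSON_UNESCAPED_SLASHES);
        printf("%-24s => %s\n", $shown, delete_thumb($n) ? 'deleted' : 'rejected');
    }
}
```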

A quick Google search shows that in May this year someone disclosed a path disclosure problem caused by another file in the same directory, http://lcx.cc/?FoxNews=123.html, but the analysis was not detailed enough and the method of use was slightly troublesome. The way given here is simpler.

Log in as a registered user and visit:

http://localhost/phpcms/corpandresize/process.php?pic=../images/logo.gif

This discloses the absolute path. It only serves for information gathering; there is not much else to use it for.

In the cookies, add a new entry or modify the original value to tmp=../index.php%00 and the home page file can be deleted.

During testing, it did not succeed on the official demo site... However, a local test with the latest official installation package was OK, and in tests against large sites on the Internet it hit every time~

First published by: CnCxzSec (failure Aberdeen)