phpcms 2008 sp4 path disclosure and arbitrary file deletion vulnerabilities and fixes - vulnerability warning - the black bar safety net

2011-03-01T00:00:00
ID MYHACK58:62201129592
Type myhack58
Reporter Anonymous
Modified 2011-03-01T00:00:00

Description

phpcms 2008 sp4 path disclosure and arbitrary file deletion vulnerability and fix

Affected versions: phpcms 2008 sp4

Official address: www.phpcms.cn

Vulnerability type: path disclosure and arbitrary file deletion

Vulnerability description: A certain page lacks error handling, which discloses the absolute path, and insufficient filtering allows a malicious attacker to delete any file on the website.

Detailed description: corpandresize/config.inc.php defines:

    $tmp = $_COOKIE['tmp'];
    define("TMP_PATH", $tmp);

corpandresize/process.php then uses TMP_PATH. The series of conditions that must be satisfied before that point are easy to meet and are all user-controllable. Line 76:

    @unlink(TMP_PATH.'/'.$thumbfile);

$_COOKIE['tmp'] goes into unlink() without any check, so modifying the cookie is enough to delete any file on the website. A quick Google search shows that someone disclosed online in May a path disclosure problem caused by another file in the same directory <http://www.hkmjj.com/?FoxNews=123.html>, but that analysis was not detailed enough and its method of use was somewhat cumbersome; the method given here is simpler.

Proof of vulnerability: After logging in as a registered user, visit <http://www.hkmjj.com/phpcms/corpandresize/process.php?pic=../images/logo.gif>

This discloses the absolute path, which is of little use beyond information gathering.

Add an entry to the cookies, or modify the original value, so that tmp=../index.php%00 and the home page file can be deleted.

During testing, the official demo site could not be exploited... However, a local test with the latest official installation package worked, and tests against large sites on the Internet succeeded every time.
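
One way to close both issues described above, as an added example (not the official phpcms patch and not code from the original advisory): TMP_PATH is fixed on the server instead of read from the cookie, errors are logged rather than displayed, and the file to delete must resolve inside that directory. The directory name `corpandresize_tmp`, its location under the system temp directory and the helper name `safe_unlink_thumb` are assumptions made for the example.

```php
<?php
// Added example, not phpcms code. Hardened replacement for
//   @unlink(TMP_PATH.'/'.$thumbfile);
// Path disclosure: log errors instead of printing them to the client.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Assumption: thumbnails live in one fixed directory chosen by the server.
// TMP_PATH is never taken from $_COOKIE or any other request data.
define('TMP_PATH', sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'corpandresize_tmp');

// Hypothetical helper: delete $name only if it resolves to a regular file
// inside $baseDir. Returns true on deletion, false when refused.
function safe_unlink_thumb($baseDir, $name)
{
    // Refuse non-strings, empty names and NUL bytes (the %00 suffix).
    if (!is_string($name) || $name === '' || strpos($name, "\0") !== false) {
        return false;
    }
    // Keep only the last path component so "../" cannot climb out.
    $name = basename(str_replace('\\', '/', $name));
    if ($name === '' || $name === '.' || $name === '..') {
        return false;
    }
    // Canonicalise both paths (resolves symlinks) and require containment.
    $base   = realpath($baseDir);
    $target = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $target === false) {
        return false; // base directory or file does not exist
    }
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0 || !is_file($target)) {
        return false; // resolved outside the base, or not a regular file
    }
    return unlink($target); // no "@": failures go to the error log
}

// Constructed self-check: one file inside TMP_PATH, one beside it.
if (!is_dir(TMP_PATH)) {
    mkdir(TMP_PATH, 0700);
}
$outside = dirname(TMP_PATH) . DIRECTORY_SEPARATOR . 'keep_me.txt';
file_put_contents(TMP_PATH . DIRECTORY_SEPARATOR . 'thumb_1.jpg', 'x');
file_put_contents($outside, 'x');
var_dump(safe_unlink_thumb(TMP_PATH, 'thumb_1.jpg'));      // file inside TMP_PATH
var_dump(safe_unlink_thumb(TMP_PATH, '../keep_me.txt'));   // traversal attempt
var_dump(safe_unlink_thumb(TMP_PATH, "../keep_me.txt\0")); // NUL-byte attempt
var_dump(file_exists($outside));                            // untouched file
```

In a real deployment the fixed directory should sit outside the web root, and the same containment check applies to any other request-supplied name that reaches a file operation in process.php.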