With the Friends of the ICC website customer service system remote code execution vulnerability and fix - vulnerability warning - the black bar safety net

2012-04-12T00:00:00
ID MYHACK58:62201233641
Type myhack58
Reporter Anonymous (佚名)
Modified 2012-04-12T00:00:00

Description

The file

/home/ecccs/web/5107/upload/uploadFlash.php

in this program contains a serious logic error, and that error is what produces the vulnerability.

The customer service systems of many large websites are affected; the vulnerability can be used to gain administrative privileges.

<?php
/**
 * uploadFlash.php
 * Flash file upload.
 */
require_once('../global.inc.php');

// operateId=1 upload, operateId=2 obtain the address of the uploaded file.
$operateId = intval($_REQUEST['operateId']);
if(empty($operateId)) exit;

if($operateId == 1){
    $date = date("Ymd");
    $dest = $CONFIG->basePath."data/files/".$date."/";
    $COMMON->createDir($dest);
    //if (!is_dir($dest)) mkdir($dest, 0777);

    // Extension taken from the client-supplied file name.
    $nameExt = strtolower($COMMON->getFileExtName($_FILES['Filedata']['name']));
    $allowedType = array('jpg', 'gif', 'bmp', 'png', 'jpeg');
    if(!in_array($nameExt, $allowedType)){
        $msg = 0;
    }

    // The logic error: empty(0) is true in PHP, so a rejected extension
    // ($msg = 0) still satisfies this condition and the upload goes ahead.
    if(empty($msg)){
        $filename = getmicrotime().'.'.$nameExt;
        $file_url = urlencode($CONFIG->baseUrl.'data/files/'.$date."/".$filename);
        $filename = $dest.$filename;
        if(empty($_FILES['Filedata']['error'])){
            move_uploaded_file($_FILES['Filedata']['tmp_name'], $filename);
        }
        if (file_exists($filename)){
            //$msg = 1;
            $msg = $file_url;
            @chmod($filename, 0444);
        }else{
            $msg = 0;
        }
    }

    // Result is parked in the session and read back by operateId=2.
    $outMsg = "fileUrl=".$msg;
    $_SESSION["eoutmsg"] = $outMsg;
    exit;
}else if($operateId == 2){
    $outMsg = $_SESSION["eoutmsg"];
    if(!empty($outMsg)){
        session_unregister("eoutmsg");
        echo '&'.$outMsg;
        exit;
    }else{
        echo "&fileUrl=0";
        exit;
    }
}

function getmicrotime(){
    list($usec, $sec) = explode(" ", microtime());
    return ((float)$usec + (float)$sec);
}
?>
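For comparison, here is the upload check rewritten so that a rejected extension cannot fall through into the upload branch. This is an added example, not the vendor's code or its patch; the function names are assumed, and it assumes PHP 7 or later with the fileinfo extension available.

```php
<?php
// Added example (not the vendor's code): the extension check returns an
// explicit result instead of the "$msg = 0" / empty($msg) pattern.
function allowedImageExt(string $clientName): ?string
{
    // pathinfo() takes the text after the last dot of the base name only.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    $allowedType = array('jpg', 'gif', 'bmp', 'png', 'jpeg');
    // Strict comparison; null means "rejected" and is checked with ===.
    return in_array($ext, $allowedType, true) ? $ext : null;
}

// $file is one entry of $_FILES; $dest and $baseUrl play the roles of
// $CONFIG->basePath."data/files/<date>/" and the matching URL prefix.
function handleUpload(array $file, string $dest, string $baseUrl): string
{
    $ext = allowedImageExt($file['name']);
    if ($ext === null || !empty($file['error']) || !is_uploaded_file($file['tmp_name'])) {
        return "fileUrl=0";   // bad extension, transfer error, or not an uploaded file
    }
    // Check the content as well as the name (assumes the fileinfo extension).
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    $imageMimes = array('image/jpeg', 'image/gif', 'image/bmp', 'image/x-ms-bmp', 'image/png');
    if (!in_array($mime, $imageMimes, true)) {
        return "fileUrl=0";
    }
    // Server-generated name: nothing from the client reaches the path.
    $name = bin2hex(random_bytes(8)) . '.' . $ext;
    $target = rtrim($dest, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        return "fileUrl=0";
    }
    @chmod($target, 0444);
    return "fileUrl=" . urlencode($baseUrl . $name);
}
```

The returned string can be stored in `$_SESSION["eoutmsg"]` exactly as the original operateId=1 branch does, so the operateId=2 branch needs no change.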

Repair solutions:

Contact the vendor as soon as possible to upgrade. This is not the only problem of this kind in the system; I remember there is another one, but I have not found it again for now. Dig it up yourself.