Note the dog design defect causes can delete the website of any picture-vulnerability warning-the black bar safety net

2012-04-21T00:00:00
ID MYHACK58:62201233722
Type myhack58
Reporter 佚名
Modified 2012-04-21T00:00:00

Description

The path to improper handling resulting in a registered user can delete the site on any picture

Detailed description:

To register a user, after login click on upload avatar, for example, the address is:

http://www.badguest.cn /jishigou30s/index. php? mod=settings&code=face

In the end add&temp_face=././images/noavatar.gif then access, and then my avatar that will load this image, click on the following“confirmation”, the Avatar of the wood are modified successfully, but noavatar. gif this file was deleted.

Vulnerability to prove:

Just find a memo Dog Station can be proved. Image need to have writable permissions

Repair solutions:

For the reception of the input path are forced to judge and filter

Since the site in the upload avatar is complete delete the temporary files of the judge is not strict, resulting in this vulnerability, thanks for the feedback, it has provided the appropriate fixes, and update-related download.

See: the http://cenwor.com/thread-12847-1-1.html

Author Moyo