ESPCMS V5.6.13.04.22 UTF8 official release: backend logic validation error vulnerability (2/N)

2013-05-20T00:00:00
ID MYHACK58:62201338864
Type myhack58
Reporter Code_Sec@乌云
Modified 2013-05-20T00:00:00

Description

Brief description:

A logic flaw in the backend permission check allows the check to be bypassed for a backend module function, resulting in unauthorized access.

Detailed description:

The backend administrator permission check is in the file \public\class_connector.php:

function admin_purview() {
    // Batch file upload reads the session values from GET; everything else reads them from cookies
    if ($this->fun->accept('archive', 'R') == 'filemanage' && $this->fun->accept('action', 'R') == 'batupfilesave') {
        $ecisp_admininfo = $this->fun->accept('ecisp_admininfo', 'G');
        $esp_powerlist = $this->fun->accept('esp_powerlist', 'G');
        $gettype = false;
    } else {
        $ecisp_admininfo = $this->fun->accept('ecisp_admininfo', 'C');
        $esp_powerlist = $this->fun->accept('esp_powerlist', 'C');
        $gettype = true;
    }
    // Decode the admin info and the power list with the site key
    $arr_purview = explode('|', $this->fun->eccode($ecisp_admininfo, 'DECODE', db_pscode));
    $this->esp_powerlist = explode('|', $this->fun->eccode($esp_powerlist, 'DECODE', db_pscode));
    list($this->esp_adminuserid, $this->esp_username, $this->esp_password, $this->esp_useragent, $this->esp_powerid, $this->esp_inputclassid, $this->esp_softurl) = $arr_purview;
    // $condition: 1 = decoded session accepted, 0 = not logged in
    if ($gettype) {
        if (empty($this->esp_username) || empty($this->esp_adminuserid) || md5(admin_AGENT) != $this->esp_useragent || md5(admin_ClassURL) != $this->esp_softurl) {
            $condition = 0;
        } else {
            $condition = 1;
        }
    } else {
        if (empty($this->esp_username) || empty($this->esp_adminuserid) || md5(admin_ClassURL) != $this->esp_softurl) {
            $condition = 0;
        } else {
            $condition = 1;
        }
    }
    if ($condition == 0) {
        // Not logged in: redirect only when archive is not 'adminuser' AND action is not 'login'
        if ($this->fun->accept('archive', 'R') != 'adminuser' && $this->fun->accept('action', 'R') != 'login') {
            header('location: index.php?archive=adminuser&action=login');
            exit();
        }
    } else {
        // Logged in with no point/archive/action given: send to the management center
        if ($condition == 1 && $this->fun->accept('point', 'R') == '' && $this->fun->accept('archive', 'R') == '' && $this->fun->accept('action', 'R') == '') {
            header('location: index.php?archive=management&action=tab&loadfun=mangercenter&out=tabcenter');
            exit();
        }
    }
}

The logic flaw is in this check:

if ($condition == 0) {
    if ($this->fun->accept('archive', 'R') != 'adminuser' && $this->fun->accept('action', 'R') != 'login') {
        header('location: index.php?archive=adminuser&action=login');
        exit();
    }
}
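
The redirect condition above beside a corrected form, evaluated over constructed requests. This is an added example, not ESPCMS code and not part of the original report; the function names and the `example` values are hypothetical, and it assumes the intent is that only the login page itself is reachable when `$condition == 0`.

```php
<?php
// Added example; not ESPCMS code. Function names and the 'example'
// values are hypothetical. Assumption: only the login page itself
// should be reachable when $condition == 0.

// The condition as written in admin_purview(): true means
// "redirect this unauthenticated request to the login page".
function redirects_as_written(string $archive, string $action): bool
{
    return $archive != 'adminuser' && $action != 'login';
}

// Corrected condition: redirect everything except the exact pair
// archive=adminuser, action=login.
function redirects_corrected(string $archive, string $action): bool
{
    return !($archive === 'adminuser' && $action === 'login');
}

// Constructed unauthenticated requests: [archive, action].
$requests = [
    ['adminuser', 'login'],
    ['adminuser', 'example'],
    ['example', 'login'],
    ['example', 'example'],
];

printf("%-10s %-8s %-11s %s\n", 'archive', 'action', 'as written', 'corrected');
foreach ($requests as [$archive, $action]) {
    printf(
        "%-10s %-8s %-11s %s\n",
        $archive,
        $action,
        redirects_as_written($archive, $action) ? 'redirect' : 'continues',
        redirects_corrected($archive, $action) ? 'redirect' : 'continues'
    );
}
```

With the corrected condition only the first row continues without a session; with the condition as written, the second and third rows continue as well, because a match on either parameter alone is enough to skip the redirect.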
