PHPMyWind CMS v4.6.3 Beta 0day vulnerability warning - Black Bar Safety Net

ID MYHACK58:62201339047
Type myhack58
Reporter Anonymous
Modified 2013-05-31T00:00:00


BUG-1: Permission bypass

File location: goodsshow.php

Problem code:

    //Do not allow guests to place an order; redirect to login
    if(empty($_COOKIE['username'])) //just a simple check of whether it is empty
    {
        header('location:member.php?c=login');
        exit();
    }

Brief description: the username is read from the cookie, so as long as we make it non-empty, we can skip registration and place an order directly as a guest.

Exploitation: use a Firefox cookie plug-in to add a username cookie yourself and assign it a value.

BUG-2: Unauthorized access

File location: /data/alipay/index.php

Description: appending the above path to the domain name gives direct access to the PayPal instant account transaction interface fast track.

The following is part of the back-end (admin) upload code:

    //Forcibly define some file types that are prohibited from upload
    if(in_array($tempfile_ext, explode('|', 'php|pl|cgi|asp|aspx|jsp|php3|shtm|shtml')))
    {
        return 'Your uploaded file type is: ['.$tempfile_ext.'], this type of file is not allowed to be uploaded from the back end!';
    }

The above forcibly restricts the uploaded file types. This is obviously a problem: if you can get into the back end, getting a shell is straightforward, because the above is a blacklist, not a whitelist. There are many suffixes that can still be uploaded! I did not look any further. It is very late, time to sleep! 2013-05-28 1:47:39

PS: I have not done code auditing in a long time, so this is not written very well; experts, please don't hold it against me!
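
The allowlist counterpart of the BUG-2 upload check, as an added example that is not PHPMyWind's own code. The function name, the allowlist contents and the sample inputs are constructed assumptions; it assumes PHP 7.1+ with the fileinfo extension.

```php
<?php
// Added example, not PHPMyWind code. Allowlist is constructed:
// extension => MIME types accepted for that extension.
const ALLOWED_UPLOADS = [
    'jpg' => ['image/jpeg'],
    'png' => ['image/png'],
    'gif' => ['image/gif'],
    'pdf' => ['application/pdf'],
];

// Hypothetical helper: returns a server-generated name for an acceptable
// upload, or null when the upload must be rejected.
function validate_upload(string $clientName, string $tmpPath): ?string
{
    // Normalise the client-supplied name: drop directories and NUL bytes,
    // trim trailing dots/spaces, lower-case.
    $name = strtolower(rtrim(basename(str_replace("\0", '', $clientName)), '. '));
    $parts = explode('.', $name);
    // Deliberately strict: exactly one dot, so multi-extension names fail.
    if (count($parts) !== 2 || $parts[0] === '') {
        return null;
    }
    $ext = $parts[1];
    if (!isset(ALLOWED_UPLOADS[$ext])) {
        return null; // default deny: anything not listed is refused
    }
    // Compare the type sniffed from the file's bytes with the extension.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($mime === false || !in_array($mime, ALLOWED_UPLOADS[$ext], true)) {
        return null;
    }
    // Never reuse the client's name on disk.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample inputs: [client file name, file contents].
$samples = [
    ['logo.gif',     "GIF89a\x01\x00\x01\x00\x00\x00\x00;"],
    ['report.xyz',   'plain text'],
    ['logo.php.gif', "GIF89a\x01\x00\x01\x00\x00\x00\x00;"],
    ['logo.gif',     '<?php echo 1; ?>'],
];
foreach ($samples as [$name, $bytes]) {
    $tmp = tempnam(sys_get_temp_dir(), 'upl');
    file_put_contents($tmp, $bytes);
    $result = validate_upload($name, $tmp);
    printf("%-14s => %s\n", $name, $result ?? 'rejected');
    unlink($tmp);
}
```

Accepted files should additionally be stored outside the web root, or in a directory where the web server is configured not to execute scripts.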