Lakala: another sub-site with a command execution vulnerability (plus cross-site scripting) - vulnerability warning - Black Bar Safety Net (myhack58)

2013-07-02T00:00:00
ID MYHACK58:62201339479
Type myhack58
Reporter Anonymous
Modified 2013-07-02T00:00:00

Description

Brief description:

Tested a Lakala sub-site and found that it runs on the open-source ThinkPHP framework; some risk remains.

It does not affect customer data; hazard rating not given.

Detailed description:

1 The Nginx server is not configured correctly, which creates a risk of arbitrary PHP script (command) execution.

http://net.lakala.com/robots.txt/a.php

The plain-text file is executed as PHP.


The backend uses ThinkPHP.


ThinkPHP XSS

http://net.lakala.com/View/1%3Cimg%20src=logo.gif%20onerror=alert%28document.domain%29%3E/ac/RA000851/cc/RC0002700


Remediation:

Update the Nginx configuration to fix the command execution vulnerability.
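The misconfiguration behind item 1 is the common Nginx + PHP-FPM pattern in which every URI ending in ".php" is passed to the interpreter without first checking that the file exists; PHP's default cgi.fix_pathinfo=1 then walks back to the nearest existing file (here /robots.txt) and executes it. The following is an added example of the weak pattern beside a hardened one; it is not the site's real configuration. The paths (/var/www/html, unix:/run/php/php-fpm.sock) and server names are assumptions.

```nginx
# Added example: weak vs. hardened PHP-FPM hand-off. Not Lakala's real config.
# Assumed: web root /var/www/html, PHP-FPM listening on unix:/run/php/php-fpm.sock.

# --- Weak pattern ------------------------------------------------------------
server {
    listen 80;
    server_name weak.example.invalid;   # placeholder name
    root /var/www/html;

    # A request for /robots.txt/a.php matches this regex. SCRIPT_FILENAME becomes
    # /var/www/html/robots.txt/a.php, which does not exist. With cgi.fix_pathinfo=1
    # PHP strips trailing path components until it finds a real file
    # (/var/www/html/robots.txt) and runs that file's contents as PHP.
    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }
}

# --- Hardened pattern --------------------------------------------------------
server {
    listen 80;
    server_name hardened.example.invalid;   # placeholder name
    root /var/www/html;

    # Match ".php" both at the end of the URI and followed by "/" so that
    # PATH_INFO-style routes (e.g. /index.php/View/1, as ThinkPHP uses) still work.
    location ~ [^/]\.php(/|$) {
        # Split the real script name from any PATH_INFO suffix.
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;

        # Refuse the request unless the script itself exists on disk, so
        # /robots.txt/a.php is answered with 404 before PHP-FPM ever sees it.
        if (!-f $document_root$fastcgi_script_name) {
            return 404;
        }

        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO       $fastcgi_path_info;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }
}
```

The existence check is the fix that the page's remediation calls for; as defence in depth, PHP-FPM's pool setting security.limit_extensions = .php and php.ini's cgi.fix_pathinfo=0 both stop the interpreter from executing a non-.php file even if a front-end check is ever missed. After changing the configuration, a request for a static file with a ".php" suffix appended (the page's /robots.txt/a.php case) should return 404 rather than interpreter output.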