Ruby on Rails: File writing by Directory traversal at actionpack-page_caching and RCE by it

I found a directory traversal in actionpack-pagecaching. Some code may lead to RCE. https://github.com/rails/actionpack-pagecaching/blob/master/lib/actioncontroller/caching/pages.rbL143 ruby def cachefilepath, extension if path.empty? || path = %r\A/+\z name = "/index" else name =...

kingcms任意php文件删除（可截断时升级为任意文件删除 ）

简要描述： 设计不当导致任意php文件删除 详细说明： 漏洞文件：global.php 好像是所有php文件都会调用该文件，该文件如下代码 //当cachepath值被提交过来的时候，删除对应的临时缓存文件 if!empty$POST'cachepath' $cachepath=ROOT.PATHCACHE.'/'.$POST'cachepath'.'.php'; ifisfile$cachepath unlink$cachepath;...