
SiteEngine CMS 5.1.0 文件上传漏洞

🗓️ 06 Sep 2010 00:00:00Reported by RootType 

SiteEngine CMS 5.1.0 文件上传漏洞，缺乏文件后缀检查

Code

                                                <?php
/*********************/
/*                   */
/*  Version : 5.1.0  */
/*  Author  : RM     */
/*  Comment : 071223 */
/*                   */
/*********************/

/**
 * Reports whether $file is a file that PHP received through an HTTP upload.
 *
 * @param string $file Path to check (normally a $_FILES[...]['tmp_name'] value).
 *
 * @return bool false on very old PHP builds without is_uploaded_file(), otherwise the result of that check.
 */
function disuploadedfile( $file )
{
		// Early-out for engines that lack the check; there the file cannot be confirmed as an upload.
		if ( !function_exists( "is_uploaded_file" ) )
		{
				return false;
		}
		return is_uploaded_file( $file );
}

/**
 * Saves every entry of $_FILES into the attachment directory and returns the saved records.
 *
 * @param string     $dir      Explicit storage sub-directory; when empty it is chosen from $attachsave.
 * @param string|int $thumb    When == 1 the file is treated as a photo: EXIF is read and thumbnails are made.
 * @param string     $avatar   When non-empty the file is stored as "$avatar.gif" instead of its own name.
 * @param array      $allowed  Not referenced inside this function (kept for call-site compatibility).
 * @param int        $random   When 1, "_" plus a 6-character random() string is appended to the base name.
 * @param string     $varname  Not referenced inside this function.
 *
 * @return array|false List of saved attachment records (keys include 'attachment', 'ext', 'perm', 'key',
 *                     'module', 'description', 'thumb'), or false when nothing was saved.
 *
 * NOTE(review): the allow-list check on the extension runs only while $attachextensions is non-empty
 * (it is filled from the group cache at the bottom of this file). message() is defined elsewhere; if it
 * does not stop execution, every message() call below falls through to the save path — confirm.
 */
function upload( $dir = "", $thumb = "", $avatar = "", $allowed = array( ), $random = 1, $varname = "photo" )
{
		global $db;
		global $tablepre;
		global $extension;
		global $typemaxsize;
		global $allowsetattachperm;
		global $referer;
		global $attachperm;
		global $module;
		global $classid;
		global $config_watermark;
		global $config_watermarkfont;
		global $attachsave;
		global $attachdir;
		global $maxattachsize;
		global $maxsizeperday;
		global $attachextensions;
		global $site_engine_root;
		global $resizewidth;
		global $resizeheight;
		global $uploaddir;
		global $sesettings;
		$attachments = $attacharray = array( );
		if ( is_array( $_FILES ) && !empty( $_FILES ) )  // only proceed when the request carried uploads
		{
				foreach ( $GLOBALS['_FILES'] as $k => $v )  // one entry per form field; a field may hold several files
				{
						foreach ( $GLOBALS['_FILES'][$k] as $key => $var )  // $key is 'name', 'tmp_name', 'type', 'size', 'error'
						{
								// error 4 is UPLOAD_ERR_NO_FILE: the field was present but no file was chosen
								if ( isset( $_FILES[$k] ) && is_array( $_FILES[$k] ) && $_FILES[$k]['error'] != 4 )
								{
										if ( is_array( $var ) )
										{
												foreach ( $var as $id => $val ) // multi-file field: regroup per file index
												{
														$attachments[$k][$id][$key] = $val;
														$attachments[$k][$id]['module'] = $k;
														// NOTE(review): raw POST text is stored here; whether it is escaped later is not visible in this file
														$attachments[$k][$id]['description'] = $_POST[$k."description"][$id];
												}
										}
										else    // single-file field: copy the whole $_FILES record as index 0
										{
												$attachments[$k][0] = $v;
												$attachments[$k][0]['module'] = $k;
												// NOTE(review): $id is not set in this branch (it is stale from a previous multi-file iteration or undefined)
												$attachments[$k][0]['description'] = $_POST[$k."description"][$id];
										}
								}
						}
				}
		}
		$newattachments = array( );
		if ( is_array( $attachments ) ) // always true here ($attachments is initialised as an array above)
		{
				foreach ( $attachments as $key => $value )
				{
						foreach ( $value as $k => $v )
						{
								$newattachments[] = $v;  // flatten field/index nesting into one list of records
						}
				}
		}
		foreach ( $newattachments as $key => $attach )
		{
				$attach_saved = false;
				if ( !( $attach['tmp_name'] != "none" && $attach['tmp_name'] && $attach['name'] ) )  // skip empty slots ("none" is the legacy no-file marker)
				{
				}
				else
				{
						$attach['name'] = $filename = str_replace( " ", "", $attach['name'] );  // strip spaces from the client-supplied name
						$attach['ext'] = $extension = strtolower( fileext( $attach['name'] ) ); // fileext() is defined elsewhere; extension is lower-cased for the checks below

						// Allow-list check: $attachextensions is a whitespace/comma separated list; the extension is
						// regex-escaped before matching. When $attachextensions is empty this check is skipped entirely.
						if ( $attachextensions && !preg_match( "/(^|\\s|,)".preg_quote( $attach['ext'], "/" )."(\$|\\s|,)/i", $attachextensions ) )
						{
								// extension not in the list
								message( $GLOBALS['l_site']['uploadexterror'], $referer );
						}

						// size check: reject zero-length files and files above the group limit ($maxattachsize of 0 disables the upper bound)
						if ( !$attach['size'] || $maxattachsize && $maxattachsize < $attach['size'] )
						{
								message( $GLOBALS['l_site']['toobig'], $referer );
						}


						if ( $attachsave ) // storage mode switch; this file sets it to 1 near the bottom
						{
								if ( $dir ) // caller supplied the sub-directory
								{
										$attach_subdir = $dir;
								}
								else
								{
										switch ( $attachsave ) // pick the sub-directory scheme (each mode names the directory differently)
										{
										case 1 :
												$attach_subdir = $module;
												break;
										case 2 :
												$attach_subdir = "ext_".$extension;
												break;
										case 3 :
												$attach_subdir = "month_".date( "ym" );
												break;
										case 4 :
												$attach_subdir = "day_".date( "ymd" );
										}
								}
								$attach_dir = $attachdir."/".$attach_subdir; // absolute path of the target directory
								if ( !is_dir( $attachdir."/".$module ) )  // make sure the per-module directory exists (mode 1 layout)
								{
										@mkdir( $attachdir."/".$module, 511 );
										// NOTE(review): "$$attachdir" is a variable-variable, so this chmod targets whatever variable is named by
										// the value of $attachdir — effectively a no-op; "$attachdir" was almost certainly intended.
										@chmod( $$attachdir."/".$module, 511 );
										@fclose( @fopen( $attachdir."/".$module."/index.htm", "w" ) ); // blank index.htm to prevent directory listing
										if ( $module == "photo" && !is_dir( $site_engine_root.$uploaddir."/photo/thumbs" ) )
										{
												@mkdir( $site_engine_root.$uploaddir."/photo/thumbs", 511 );
										}
								}
								if ( !is_dir( $attach_dir ) )	// make sure the chosen sub-directory exists (modes 2-4 or $dir)
								{
										@mkdir( $attach_dir, 511 );
										@chmod( $attach_dir, 511 );
										@fclose( @fopen( $attach_dir."/index.htm", "w" ) );
								}
								$attach['attachment'] = $attach_subdir."/";
						}
						else	// storage disabled: the file goes straight into $attachdir
						{
								$attach['attachment'] = "";
						}


						// file name handling
						$filename = substr( $filename, 0, strlen( $filename ) - strlen( $extension ) - 1 ); // drop ".<ext>" to get the base name
						// NOTE(review): the character class in this pattern appears mis-encoded in this listing;
						// verify the intended byte range against the original source before relying on it.
						if ( preg_match( "/([-ˇ]|\\%)+/s", $filename ) )	// base name contains characters the CMS does not want on disk
						{
								$filename = str_replace( "/", "", base64_encode( substr( $filename, 0, 20 ) ) );	// base64 of the first 20 characters, with "/" removed
						}
						// The three branches below share a deny-list rewrite: a dot followed by a listed executable
						// extension becomes "._<ext>". This is a secondary control; the allow-list above is the primary one.
						if ( $avatar ) // avatar mode: fixed name supplied by the caller
						{
								$attach['attachment'] .= preg_replace( "/(\\.)(php|phtml|pwml|php3|php4|php|php2|inc|jsp|exe|dll|asp|aspx|cgi|fcgi|pl|reg)(\\.|\$)/i", "\\1_\\2\\3", $avatar.".gif" );
						}
						else if ( $random == 1 ) // randomised name: first 64 chars of the base name + "_" + random(6) + "." + ext
						{
								$attach['attachment'] .= preg_replace( "/(\\.)(php|phtml|pwml|php3|php4|php|php2|inc|jsp|exe|dll|asp|aspx|cgi|fcgi|pl|reg)(\\.|\$)/i", "\\1_\\2\\3", substr( $filename, 0, 64 )."_".random( 6 ).".".$extension ); // random() is defined elsewhere
						}
						else
						{
								$attach['attachment'] .= preg_replace( "/(\\.)(php|phtml|pwml|php3|php4|php|php2|inc|jsp|exe|dll|asp|aspx|cgi|fcgi|pl|reg)(\\.|\$)/i", "\\1_\\2\\3", substr( $filename, 0, 64 ).".".$extension );
						}
						$target = $attachdir."/".stripslashes( $attach['attachment'] );
						// copy() is tried first; move_uploaded_file() only runs if copy() failed. disuploadedfile() above is not consulted here.
						if ( copy( $attach['tmp_name'], $target ) || function_exists( "move_uploaded_file" ) && move_uploaded_file( $attach['tmp_name'], $target ) )
						{
								$attach_saved = true;
						}
						if ( !$attach_saved && is_readable( $attach['tmp_name'] ) )
						{
								// NOTE(review): the whole record array is passed to fopen() instead of $attach['tmp_name'];
								// with the @ suppression this fallback silently fails, so the branch can never save anything.
								@$fp = @fopen( $attach, "rb" );
								@flock( $fp, 2 );
								@$attachedfile = @fread( $fp, $attach['size'] );
								@fclose( $fp );
								@$fp = @fopen( $target, "wb" );
								@flock( $fp, 2 );
								if ( @fwrite( $fp, $attachedfile ) )
								{
										$attach_saved = true;
								}
								// NOTE(review): this path omits the "/" that $target has after $attachdir, so it may not name the saved file
								@chmod( $site_engine_root.$uploaddir.$attach['attachment'], 511 );
								@fclose( $fp );
						}
						if ( $attach_saved )
						{
								if ( is_array( $attach ) && $thumb == 1 && $attach['size'] )
								{
										do // do { } while (0): "break" skips the rest of the photo processing
										{
												require_once( $site_engine_root."lib/photo.php" );
												$exif = new phpexifreader( $site_engine_root.$uploaddir.$attach['attachment'] );
												$exif->processfile( );
												$photoinfo = $exif->getimageinfo( );
												// The image is decoded from the client-declared MIME type, not from the file content.
												if ( ( strtolower( $attach['type'] ) == "image/pjpeg" || $attach['type'] == "image/jpeg" ) && function_exists( "imagecreatefromjpeg" ) )
												{
														$im = @imagecreatefromjpeg( $attach['tmp_name'] );
												}
												else
												{
														// NOTE(review): $var is the leftover loop variable from the $_FILES scan, not this record;
														// $attach['type'] was presumably intended in both comparisons below.
														if ( $var['type'] == "image/x-png" && function_exists( "imagecreatefrompng" ) )
														{
																$im = @imagecreatefrompng( $attach['tmp_name'] );
														}
														else if ( !( $var['type'] == "image/gif" && function_exists( "imagecreatefromgif" ) ) )
														{
																break;
														}
														else
														{
																$im = @imagecreatefromgif( $attach['tmp_name'] );
																// NOTE(review): "continue" inside do { } while (0) jumps to the (false) condition and
																// leaves the loop, so GIFs never reach the resize/thumbnail code below.
																continue;
														}
												}
												$name = "";
												if ( $im )
												{
														$name = resizeimage( $im, $GLOBALS['photosystem']['maxsize'], $GLOBALS['photosystem']['maxsize'], $attach['attachment'], 1 ); // thumbnail
												}
												if ( $sesettings['system']['photosize'] )
												{
														$name1 = resizeimage( $im, $sesettings['system']['photosize'], $sesettings['system']['photosize'], $attach['attachment'] ); // resized main image
														imagedestroy( $im );
												}
												// NOTE(review): $photosystem is not declared global in this function (line above uses $GLOBALS['photosystem']),
												// so $photosystem['exif'] is undefined here and the EXIF merge never runs.
												if ( is_array( $photoinfo ) && $photosystem['exif'] == 1 )
												{
														foreach ( $photoinfo as $k => $v )
														{
																$k = strtolower( $k );
																$attach[$k] = shtmlspecialchars( $v ); // shtmlspecialchars() is defined elsewhere
														}
												}
												$attach['thumb'] = $name;
												$attach[$key] = $attach['module']; // NOTE(review): $key is the list index; storing the module under it looks unintended
										} while ( 0 );
								}
								$img_info = @getimagesize( $target ); // assigned but never read
								// Content check only for image extensions: a file that claims to be an image but does not parse is deleted.
								// $admincp is not declared global here, so the "!= 1" clause is always true. Non-image extensions get no content check.
								if ( in_array( $attach['ext'], array( "jpg", "gif", "png", "bmp" ) ) && function_exists( "getimagesize" ) && !getimagesize( $target ) && $admincp != 1 )
								{
										@unlink( $target );
								}
								else
								{
										// optional watermark, requested per module through the "<module>_watermark" POST flag
										if ( in_array( $attach['ext'], array( "jpg", "gif", "png" ) ) && function_exists( "getimagesize" ) && function_exists( "imagettftext" ) && @getimagesize( $target ) && isset( $_POST[$attach['module']."_watermark"] ) && intval( $_POST[$attach['module']."_watermark"] ) == 1 )
										{
												require_once( $site_engine_root."lib/watermark.php" );
												$tmp_image = new gimage( );
												// ereg() was removed in PHP 7; a text watermark unless the setting is an http:// image URL
												if ( !ereg( "^http://", $config_watermark ) )
												{
														$tmp_image->wm_text = $config_watermark;
												}
												else
												{
														$tmp_image->wm_image_name = $config_watermark;
												}
												$tmp_image->wm_text_font = $site_engine_root."data/fonts/".$config_watermarkfont;
												$tmp_image->save_file = $target;
												$tmp_image->create( $target );
										}
										$attach['perm'] = $allowsetattachperm ? $attachperm[$key] : 0; // per-attachment permission only when the group may set it
										$attach['key'] = $key;
										$attacharray[] = $attach;
								}
						}
						else
						{
								message( $GLOBALS['l_site']['saveerror'], $referer );
						}
				}
		}
		unset( $extension ); // drops only the local binding created by "global $extension"
		return !empty( $attacharray ) ? $attacharray : false;
}

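/**
 * Scales a GD image so it fits inside $maxwidth x $maxheight (aspect ratio kept) and writes it as JPEG.
 *
 * @param GdImage|resource|false $im  Source image; a falsy value is ignored and $name is returned untouched.
 * @param int|float $maxwidth   Maximum width; 0/empty disables the width limit.
 * @param int|float $maxheight  Maximum height; 0/empty disables the height limit.
 * @param string $name          Output path relative to $attachdir.
 * @param string|int $isthumb   When == 1 the file is written under "<module>/thumbs" instead.
 *
 * @return string The relative path the file was written to (rewritten for thumbnails).
 */
function resizeimage( $im, $maxwidth, $maxheight, $name, $isthumb = "" )
{
		global $module;
		global $attachdir;
		// Thumbnails land in "<module>/thumbs/..."; the former else-branch replaced $module with itself (a no-op).
		if ( $isthumb == 1 )
		{
				$name = str_replace( $module, $module."/thumbs", $name );
		}
		// The caller may hand over the result of a failed imagecreatefrom*() call; GD functions would throw on it.
		if ( !$im )
		{
				return $name;
		}
		$width = imagesx( $im );
		$height = imagesy( $im );
		$tooWide = $maxwidth && $maxwidth < $width;
		$tooTall = $maxheight && $maxheight < $height;
		if ( $tooWide || $tooTall )
		{
				// Use the ratio that satisfies every active limit (the smaller one when both apply).
				$ratios = array( );
				if ( $tooWide )
				{
						$ratios[] = $maxwidth / $width;
				}
				if ( $tooTall )
				{
						$ratios[] = $maxheight / $height;
				}
				$ratio = min( $ratios );
				// GD expects integer dimensions; the explicit cast truncates exactly like PHP's old implicit
				// coercion did and avoids the PHP 8.1+ float-to-int deprecation notice.
				$newwidth = (int) ( $width * $ratio );
				$newheight = (int) ( $height * $ratio );
				if ( function_exists( "imagecopyresampled" ) )
				{
						$newim = imagecreatetruecolor( $newwidth, $newheight );
						imagecopyresampled( $newim, $im, 0, 0, 0, 0, $newwidth, $newheight, $width, $height );
				}
				else
				{
						// older GD without resampling: palette image and nearest-neighbour resize
						$newim = imagecreate( $newwidth, $newheight );
						imagecopyresized( $newim, $im, 0, 0, 0, 0, $newwidth, $newheight, $width, $height );
				}
				// Write failures are deliberately suppressed (best effort), as in the original.
				@imagejpeg( $newim, $attachdir."/".$name );
				imagedestroy( $newim );
		}
		else
		{
				// Already within limits: re-encode as JPEG without scaling.
				@imagejpeg( $im, $attachdir."/".$name );
		}
		return $name;
}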

// Direct-request guard: this file is only meant to be included by the CMS, which defines IN_SITEENGINE.
if ( !defined( "IN_SITEENGINE" ) )
{
		exit( "Access Denied" );
}
// groupcache() is defined elsewhere; it returns the per-group upload limits used by upload().
$maxgroupcache = groupcache( $usergroup, array( "maxattachsize", "attachextensions" ), 1 );
// Truthiness fallback: a group limit of 0 (or unset) becomes the ~1 GB default.
$maxattachsize = $maxgroupcache['maxattachsize'] ? $maxgroupcache['maxattachsize'] : 1024000000;
// Storage mode 1 for upload(): files go under "<module>/" inside $attachdir unless a $dir is passed.
$attachsave = 1;
$attachdir = $site_engine_root.$uploaddir;
// Template strings are executed as PHP via eval(): anything interpolated into a template runs as code,
// so template sources must be fully trusted. $tpl, $templates and $language come from the including script.
eval( "\$header = \"".$tpl->get( "header", $templates, $language )."\";" );
$debuginfo = gettotaltime( ); // defined elsewhere
eval( "\$footer = \"".$tpl->get( "footer", $templates, $language )."\";" );
// $attachextensions is only populated when the group has a list; upload() skips its extension
// allow-list check entirely while this variable stays empty.
if ( !empty( $usergroup ) && $maxgroupcache['attachextensions'] )
{
		$attachextensions = $maxgroupcache['attachextensions'];
}
?>

                              
