
SiteEngine 博卡网站引擎管理系统5.1.0 存在文件上传漏洞


SiteEngine CMS 5.1.0 文件上传漏洞：上传文件的检查和处理存在问题。

Code

                                                 <?php  
/*********************/  
/*                   */  
/*  Version : 5.1.0  */  
/*  Author  : RM     */  
/*  Comment : 071223 */  
/*                   */  
/*********************/  
  
function disuploadedfile( $file )
{
        // TRUE only when PHP itself received $file via an HTTP upload
        // (is_uploaded_file()); FALSE for any other path, including paths
        // that merely look like a temp file.  Note that upload() below does
        // not call this helper.
        if ( !function_exists( "is_uploaded_file" ) )
        {
                return FALSE;
        }
        return is_uploaded_file( $file ) ? TRUE : FALSE;
}
  
/**
 * Collect every entry in $_FILES, validate it, store it below $attachdir and
 * return the saved attachment records.
 *
 * Flow (all visible below): build a flat list from $_FILES (single and array
 * fields); for each file check the extension against $attachextensions (only
 * when that list is non-empty) and the size against $maxattachsize; pick a
 * sub-directory; build the target name (dangerous extensions are renamed by a
 * blacklist regex); copy the temp file; optionally thumbnail (when $thumb == 1)
 * and watermark (when <module>_watermark is posted); collect the record.
 *
 * Parameters:
 *   $dir      explicit storage sub-directory; overrides the $attachsave scheme.
 *   $thumb    when == 1 a thumbnail is generated via resizeimage().
 *   $avatar   when set, the stored name is fixed to "$avatar.gif".
 *   $allowed  not referenced anywhere in this body.
 *   $random   when == 1 a "_<random(6)>" suffix is appended to the base name.
 *   $varname  not referenced anywhere in this body.
 *
 * Returns: list of attachment arrays (keys from $_FILES plus ext, attachment,
 * module, description, thumb, perm, key, and possibly EXIF fields), or false
 * when nothing was saved.  message() is called on validation/save errors; it
 * is a project helper not shown here and presumably terminates the request.
 *
 * Review notes (grounded in the code below):
 *   - The temp file is never checked with disuploadedfile()/is_uploaded_file();
 *     copy() is tried before move_uploaded_file().
 *   - Extension control is an allow-list that is skipped when
 *     $attachextensions is empty, plus a blacklist rename of known server-side
 *     extensions.  An allow-list enforced unconditionally would be the safer
 *     design.
 *   - emptyempty() is not a PHP builtin; this is almost certainly a
 *     decompilation artifact for empty().
 *   - Several imported globals ($db, $tablepre, $typemaxsize, $classid,
 *     $maxsizeperday, $resizewidth, $resizeheight) are not used in this body.
 */
function upload( $dir = "", $thumb = "", $avatar = "", $allowed = array( ), $random = 1, $varname = "photo" )
{
        global $db;
        global $tablepre;
        global $extension;
        global $typemaxsize;
        global $allowsetattachperm;
        global $referer;
        global $attachperm;
        global $module;
        global $classid;
        global $config_watermark;
        global $config_watermarkfont;
        global $attachsave;
        global $attachdir;
        global $maxattachsize;
        global $maxsizeperday;
        global $attachextensions;
        global $site_engine_root;
        global $resizewidth;
        global $resizeheight;
        global $uploaddir;
        global $sesettings;
        $attachments = $attacharray = array( );
        if ( is_array( $_FILES ) && !emptyempty( $_FILES ) )  // any uploads at all? (emptyempty: see header note)
        {
                foreach ( $GLOBALS['_FILES'] as $k => $v )  // $k = form field name, $v = its $_FILES entry
                {
                        foreach ( $GLOBALS['_FILES'][$k] as $key => $var )  // $key = name/type/tmp_name/error/size
                        {
                                // error 4 == UPLOAD_ERR_NO_FILE.  For array fields 'error' is itself an
                                // array, so this comparison does not filter those.
                                if ( isset( $_FILES[$k] ) && is_array( $_FILES[$k] ) && $_FILES[$k]['error'] != 4 )
                                {
                                        if ( is_array( $var ) )
                                        {
                                                foreach ( $var as $id => $val ) // multi-file field: one record per index
                                                {
                                                        $attachments[$k][$id][$key] = $val;
                                                        $attachments[$k][$id]['module'] = $k;
                                                        $attachments[$k][$id]['description'] = $_POST[$k."description"][$id];
                                                }
                                        }
                                        else    // single-file field: $v is the whole $_FILES[$k] entry (re-assigned per $key)
                                        {
                                                $attachments[$k][0] = $v;
                                                $attachments[$k][0]['module'] = $k;
                                                // NOTE: $id here is whatever the last array-field loop left behind
                                                // (undefined on the first pass), not an index of this field.
                                                $attachments[$k][0]['description'] = $_POST[$k."description"][$id];
                                        }
                                }
                        }
                }
        }
        $newattachments = array( );
        if ( is_array( $attachments ) ) // flatten field => index => record into a plain list
        {
                foreach ( $attachments as $key => $value )
                {
                        foreach ( $value as $k => $v )
                        {
                                $newattachments[] = $v;
                        }
                }
        }
        foreach ( $newattachments as $key => $attach )
        {
                $attach_saved = false;
                if ( !( $attach['tmp_name'] != "none" && $attach['tmp_name'] && $attach['name'] ) )  // nothing uploaded for this record
                {
                }
                else
                {
                        $attach['name'] = $filename = str_replace( " ", "", $attach['name'] );  // strip spaces from the client file name
                        $attach['ext'] = $extension = strtolower( fileext( $attach['name'] ) ); // fileext() is a project helper (not shown)

                        // Allow-list check: $attachextensions is a whitespace/comma separated
                        // list.  Only enforced when the list is non-empty.
                        if ( $attachextensions && !preg_match( "/(^|\\s|,)".preg_quote( $attach['ext'], "/" )."(\$|\\s|,)/i", $attachextensions ) )
                        {
                                message( $GLOBALS['l_site']['uploadexterror'], $referer );
                        }

                        // Size check: zero-byte files and files above $maxattachsize (when set) are rejected.
                        if ( !$attach['size'] || $maxattachsize && $maxattachsize < $attach['size'] )
                        {
                                message( $GLOBALS['l_site']['toobig'], $referer );
                        }


                        if ( $attachsave ) // choose the storage sub-directory
                        {
                                if ( $dir ) // caller-supplied sub-directory; used verbatim
                                {
                                        $attach_subdir = $dir;
                                }
                                else
                                {
                                        switch ( $attachsave ) // 1: per module, 2: per extension, 3: per month, 4: per day
                                        {
                                        case 1 :
                                                $attach_subdir = $module;
                                                break;
                                        case 2 :
                                                $attach_subdir = "ext_".$extension;
                                                break;
                                        case 3 :
                                                $attach_subdir = "month_".date( "ym" );
                                                break;
                                        case 4 :
                                                $attach_subdir = "day_".date( "ymd" );
                                        }
                                }
                                $attach_dir = $attachdir."/".$attach_subdir;
                                if ( !is_dir( $attachdir."/".$module ) )  // ensure the per-module directory exists (created 0777)
                                {
                                        @mkdir( $attachdir."/".$module, 511 );
                                        // NOTE: $$attachdir is a variable-variable (almost certainly a typo for
                                        // $attachdir); the chmod target is wrong and the failure is suppressed.
                                        @chmod( $$attachdir."/".$module, 511 );
                                        @fclose( @fopen( $attachdir."/".$module."/index.htm", "w" ) );  // blank index to prevent directory listing
                                        if ( $module == "photo" && !is_dir( $site_engine_root.$uploaddir."/photo/thumbs" ) )
                                        {
                                                @mkdir( $site_engine_root.$uploaddir."/photo/thumbs", 511 );
                                        }
                                }
                                if ( !is_dir( $attach_dir ) )   // ensure the chosen sub-directory exists
                                {
                                        @mkdir( $attach_dir, 511 );
                                        @chmod( $attach_dir, 511 );
                                        @fclose( @fopen( $attach_dir."/index.htm", "w" ) );
                                }
                                $attach['attachment'] = $attach_subdir."/";
                        }
                        else    // no sub-directory scheme: store directly under $attachdir
                        {
                                $attach['attachment'] = "";
                        }


                        // Build the stored file name.
                        // Drop the extension and its dot.  If fileext() returned "" this strips the
                        // last character of the name instead — TODO confirm fileext()'s contract.
                        $filename = substr( $filename, 0, strlen( $filename ) - strlen( $extension ) - 1 );
                        // The character class below is garbled by encoding on this page (it was
                        // presumably a high-byte range for non-ASCII names); verify against the real source.
                        if ( preg_match( "/([-ˇ]|\\%)+/s", $filename ) )
                        {
                                // Replace a non-ASCII name with base64 of its first 20 bytes, "/" removed
                                // ("+" and "=" from base64 are kept).
                                $filename = str_replace( "/", "", base64_encode( substr( $filename, 0, 20 ) ) );
                        }
                        // Blacklist rename: ".php" (and the listed siblings) followed by "." or end of
                        // string becomes "._php".  Case-insensitive.  A blacklist is weaker than the
                        // allow-list above, which is only applied when $attachextensions is set.
                        if ( $avatar ) // fixed avatar name, always ".gif"
                        {
                                $attach['attachment'] .= preg_replace( "/(\\.)(php|phtml|pwml|php3|php4|php|php2|inc|jsp|exe|dll|asp|aspx|cgi|fcgi|pl|reg)(\\.|\$)/i", "\\1_\\2\\3", $avatar.".gif" );
                        }
                        else if ( $random == 1 ) // randomised name: <base>_<random(6)>.<ext>; random() is a project helper
                        {
                                $attach['attachment'] .= preg_replace( "/(\\.)(php|phtml|pwml|php3|php4|php|php2|inc|jsp|exe|dll|asp|aspx|cgi|fcgi|pl|reg)(\\.|\$)/i", "\\1_\\2\\3", substr( $filename, 0, 64 )."_".random( 6 ).".".$extension );
                        }
                        else
                        {
                                $attach['attachment'] .= preg_replace( "/(\\.)(php|phtml|pwml|php3|php4|php|php2|inc|jsp|exe|dll|asp|aspx|cgi|fcgi|pl|reg)(\\.|\$)/i", "\\1_\\2\\3", substr( $filename, 0, 64 ).".".$extension );
                        }
                        $target = $attachdir."/".stripslashes( $attach['attachment'] );
                        // copy() is tried first; move_uploaded_file() (which refuses non-upload paths)
                        // only runs when copy() fails.  tmp_name was never validated with disuploadedfile().
                        if ( copy( $attach['tmp_name'], $target ) || function_exists( "move_uploaded_file" ) && move_uploaded_file( $attach['tmp_name'], $target ) )
                        {
                                $attach_saved = true;
                        }
                        if ( !$attach_saved && is_readable( $attach['tmp_name'] ) )
                        {
                                // Manual fallback copy.  fopen() is given the $attach array rather than
                                // $attach['tmp_name'], so this branch cannot succeed; all errors are suppressed.
                                @$fp = @fopen( $attach, "rb" );
                                @flock( $fp, 2 );
                                @$attachedfile = @fread( $fp, $attach['size'] );
                                @fclose( $fp );
                                @$fp = @fopen( $target, "wb" );
                                @flock( $fp, 2 );
                                if ( @fwrite( $fp, $attachedfile ) )
                                {
                                        $attach_saved = true;
                                }
                                // Same file as $target when $attachdir == $site_engine_root.$uploaddir (see file bottom).
                                @chmod( $site_engine_root.$uploaddir.$attach['attachment'], 511 );
                                @fclose( $fp );
                        }
                        if ( $attach_saved )
                        {
                                if ( is_array( $attach ) && $thumb == 1 && $attach['size'] )
                                {
                                        do  // do/while(0): "break" and "continue" both leave this block early
                                        {
                                                require_once( $site_engine_root."lib/photo.php" );
                                                $exif = new phpexifreader( $site_engine_root.$uploaddir.$attach['attachment'] );
                                                $exif->processfile( );
                                                $photoinfo = $exif->getimageinfo( );
                                                // 'type' is the MIME type as sent by the browser, not sniffed from the data.
                                                if ( ( strtolower( $attach['type'] ) == "image/pjpeg" || $attach['type'] == "image/jpeg" ) && function_exists( "imagecreatefromjpeg" ) )
                                                {
                                                        $im = @imagecreatefromjpeg( $attach['tmp_name'] );
                                                }
                                                else
                                                {
                                                        // NOTE: $var is the leftover loop variable from the $_FILES scan
                                                        // above, not $attach, so these png/gif branches are unlikely to match.
                                                        if ( $var['type'] == "image/x-png" && function_exists( "imagecreatefrompng" ) )
                                                        {
                                                                $im = @imagecreatefrompng( $attach['tmp_name'] );
                                                        }
                                                        else if ( !( $var['type'] == "image/gif" && function_exists( "imagecreatefromgif" ) ) )
                                                        {
                                                                break;
                                                        }
                                                        else
                                                        {
                                                                $im = @imagecreatefromgif( $attach['tmp_name'] );
                                                                continue;  // jumps to while(0) and exits: gifs skip the resize below
                                                        }
                                                }
                                                $name = "";
                                                if ( $im )
                                                {
                                                        // thumbnail (isthumb=1) bounded by photosystem maxsize
                                                        $name = resizeimage( $im, $GLOBALS['photosystem']['maxsize'], $GLOBALS['photosystem']['maxsize'], $attach['attachment'], 1 );
                                                }
                                                if ( $sesettings['system']['photosize'] )
                                                {
                                                        // $im is not checked here; resizeimage() receives it even when loading failed
                                                        $name1 = resizeimage( $im, $sesettings['system']['photosize'], $sesettings['system']['photosize'], $attach['attachment'] );
                                                        imagedestroy( $im );
                                                }
                                                // NOTE: $photosystem is not declared global in this function (only
                                                // $GLOBALS['photosystem'] is used above), so this condition reads an undefined local.
                                                if ( is_array( $photoinfo ) && $photosystem['exif'] == 1 )
                                                {
                                                        foreach ( $photoinfo as $k => $v )
                                                        {
                                                                $k = strtolower( $k );
                                                                $attach[$k] = shtmlspecialchars( $v );  // project helper (not shown)
                                                        }
                                                }
                                                $attach['thumb'] = $name;
                                                $attach[$key] = $attach['module'];  // $key is the list index; intent unclear
                                        } while ( 0 );
                                }
                                $img_info = @getimagesize( $target );  // unused; getimagesize() is called again below
                                // Files with an image extension that GD cannot parse are deleted.
                                // NOTE: $admincp is neither global nor local here, so "$admincp != 1" is always true.
                                if ( in_array( $attach['ext'], array( "jpg", "gif", "png", "bmp" ) ) && function_exists( "getimagesize" ) && !getimagesize( $target ) && $admincp != 1 )
                                {
                                        @unlink( $target );
                                }
                                else
                                {
                                        // Optional watermark, requested per module via <module>_watermark=1 in $_POST.
                                        if ( in_array( $attach['ext'], array( "jpg", "gif", "png" ) ) && function_exists( "getimagesize" ) && function_exists( "imagettftext" ) && @getimagesize( $target ) && isset( $_POST[$attach['module']."_watermark"] ) && intval( $_POST[$attach['module']."_watermark"] ) == 1 )
                                        {
                                                require_once( $site_engine_root."lib/watermark.php" );
                                                $tmp_image = new gimage( );
                                                // ereg() was removed in PHP 7; this branch fatals on current PHP.
                                                if ( !ereg( "^http://", $config_watermark ) )
                                                {
                                                        $tmp_image->wm_text = $config_watermark;
                                                }
                                                else
                                                {
                                                        $tmp_image->wm_image_name = $config_watermark;
                                                }
                                                $tmp_image->wm_text_font = $site_engine_root."data/fonts/".$config_watermarkfont;
                                                $tmp_image->save_file = $target;
                                                $tmp_image->create( $target );
                                        }
                                        $attach['perm'] = $allowsetattachperm ? $attachperm[$key] : 0;
                                        $attach['key'] = $key;
                                        $attacharray[] = $attach;
                                }
                        }
                        else
                        {
                                message( $GLOBALS['l_site']['saveerror'], $referer );
                        }
                }
        }
        unset( $extension );  // removes only the local alias of the imported global
        return !emptyempty( $attacharray ) ? $attacharray : false;
}
  
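/**
 * Scale a GD image down so it fits within $maxwidth x $maxheight (a limit of
 * 0/false disables that axis) and write it as JPEG to $attachdir."/".$name.
 *
 * Parameters:
 *   $im         GD image handle; a falsy value is tolerated (nothing is written).
 *   $maxwidth   maximum width in pixels, 0 to ignore.
 *   $maxheight  maximum height in pixels, 0 to ignore.
 *   $name       path relative to $attachdir.
 *   $isthumb    when == 1, the module name in $name is rewritten to "<module>/thumbs".
 *
 * Returns: the (possibly rewritten) relative name.  Write failures are
 * suppressed with @, so the caller cannot tell whether the file exists.
 */
function resizeimage( $im, $maxwidth, $maxheight, $name, $isthumb = "" )
{
        global $module;
        global $attachdir;
        global $site_engine_root;
        if ( $isthumb == 1 )
        {
                // Caveat: every occurrence of the module name in $name is replaced,
                // including one that happens to sit inside the file name itself.
                $name = str_replace( $module, $module."/thumbs", $name );
        }
        // No usable image handle: PHP < 8 only warned here, PHP 8 throws a
        // TypeError from imagesx().  Return the name without writing anything.
        if ( !$im )
        {
                return $name;
        }
        $width = imagesx( $im );
        $height = imagesy( $im );
        // Per-axis shrink ratio, or false when that axis is already within bounds.
        $widthratio = ( $maxwidth && $maxwidth < $width ) ? $maxwidth / $width : false;
        $heightratio = ( $maxheight && $maxheight < $height ) ? $maxheight / $height : false;
        if ( $widthratio === false && $heightratio === false )
        {
                // Already small enough: just re-encode as JPEG.
                @imagejpeg( $im, $attachdir."/".$name );
                return $name;
        }
        if ( $widthratio !== false && $heightratio !== false )
        {
                $ratio = min( $widthratio, $heightratio );  // the tighter constraint wins
        }
        else
        {
                $ratio = ( $widthratio !== false ) ? $widthratio : $heightratio;
        }
        // GD wants integer dimensions; cast (truncation, matching the implicit
        // conversion the original relied on) and clamp to >= 1 so a very thin
        // image cannot request a zero-sized canvas, which GD rejects.
        $newwidth = max( 1, (int) ( $width * $ratio ) );
        $newheight = max( 1, (int) ( $height * $ratio ) );
        if ( function_exists( "imagecopyresampled" ) )
        {
                $newim = imagecreatetruecolor( $newwidth, $newheight );
                imagecopyresampled( $newim, $im, 0, 0, 0, 0, $newwidth, $newheight, $width, $height );
        }
        else
        {
                $newim = imagecreate( $newwidth, $newheight );
                imagecopyresized( $newim, $im, 0, 0, 0, 0, $newwidth, $newheight, $width, $height );
        }
        @imagejpeg( $newim, $attachdir."/".$name );
        imagedestroy( $newim );
        return $name;
}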
  
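// Entry guard: this file is only meant to be included by the engine.
if ( !defined( "IN_SITEENGINE" ) )
{
        exit( "Access Denied" );
}
// Per-usergroup upload limits.  groupcache() is a project helper not shown
// here; the meaning of its third argument is not visible in this file.
$maxgroupcache = groupcache( $usergroup, array( "maxattachsize", "attachextensions" ), 1 );
// Fallback when the group defines no limit: 1024000000 bytes (~1 GB).
$maxattachsize = $maxgroupcache['maxattachsize'] ? $maxgroupcache['maxattachsize'] : 1024000000;
$attachsave = 1;  // upload() stores files in a per-module sub-directory
$attachdir = $site_engine_root.$uploaddir;
// Templates are rendered by eval()ing the template text as a PHP string
// expression: whoever can edit templates can execute code in this process.
eval( "\$header = \"".$tpl->get( "header", $templates, $language )."\";" );
$debuginfo = gettotaltime( );
eval( "\$footer = \"".$tpl->get( "footer", $templates, $language )."\";" );
// Fix: the original called emptyempty(), which is not a PHP function
// (a decompilation artifact for empty()).  Note that when the group has no
// extension list, $attachextensions stays unset and upload() skips its
// allow-list check entirely.
if ( !empty( $usergroup ) && $maxgroupcache['attachextensions'] )
{
        $attachextensions = $maxgroupcache['attachextensions'];
}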
?>  
                              
