There is an arbitrary PHP code execution vulnerability in YXcms 1.4.7.
The arbitrary PHP code execution vulnerability in /WWW/YXcmsApp1.4.7/protected/apps/appmanage/controller/indexController.php allows remote attackers to execute any PHP code.
You must be an administrator (accounts and passwords obtained via weak passwords or social engineering).
The cause of the vulnerability:
There is a buggy function at line 203 of this script, as shown in the following code (the excerpt has lost the error branches that follow the two `empty()` checks, so the intended flow is restored here with placeholders):

```php
public function onlineinstall(){
    $url = $_GET['url']; // online install address, taken unvalidated from the request
    if( empty($url) ){
        // (error branch elided in the excerpt)
    }
    $content = file_get_contents($url); // fetches the archive from whatever URL was supplied
    if( empty($content) ){
        // (error branch elided in the excerpt)
    }
    $zip_file = BASE_PATH . 'cache/tmp/' .md5($url) .'.zip';
    if( file_put_contents($zip_file, $content) ){
        // (rest of the function elided in the excerpt)
    }
}
```
and this one at line 79 of the same script, as shown in the following code (again with the elided error branch marked):

```php
public function import($zip_file=''){
    if( !$this->isPost() ){
        return true;
    }
    if($_FILES['file']['size'] < 0){
        $zip_file = $_FILES['file']['tmp_name'];
    }
    $zip_dir = BASE_PATH . 'cache/tmp/' .md5($zip_file) .'/';
    if(substr($zip_dir,0,1)=="/") $zip_dir='.'.$zip_dir; // case where the absolute path cannot be obtained
    $zip = new Zip();
    $zip->decompress($zip_file, $zip_dir); // archive contents are extracted without any inspection
    $app = '';
    $arr = glob($zip_dir .'*/config.php');
    if( !empty($arr) ){
        if( preg_match('#/([a-z0-9]+)/config.php#', $arr[0], $matches)){
            $app = $matches[1]; // app name is taken from the first folder that contains a config.php
        }
    }
    if( empty($app) ){
        // (error branch elided in the excerpt)
    }
    $app_path = BASE_PATH . 'apps/' . $app . '/';
    if( is_dir($app_path) ){
        $this->error($app .'应用已存在,请先卸载!');
    }
    copy_dir($zip_dir . $app , $app_path); // the unvetted folder, config.php included, is copied into apps/
    $_GET['app'] = $app;
    // (rest of the function elided in the excerpt)
}
```
First, we need a zip file hosted on any website. The archive contains one folder (its name must match `[a-z0-9]+`, since that is what the regex above extracts), and that folder contains a file named config.php.
The folder looks like this:

```
<folder matching [a-z0-9]+>/
 |
 +----- config.php
```

Any PHP code can be written in this config.php.
Then visit the link , and within a short time we can see that our PHP code has been executed.
Repair method:
Check the extracted config.php for malicious code before the app folder is copied into apps/.
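An added hardening example for the two functions above, written by the editor and not part of YXcms or the original report; it assumes a placeholder allowlist `INSTALL_HOSTS` and that a legitimate app config.php consists only of `return array(...)` built from literals:

```php
<?php
// Added hardening example, not YXcms code: gate the two steps shown above.
// Assumptions: INSTALL_HOSTS is a placeholder allowlist of trusted app-store hosts;
// an app's config.php is expected to contain only "return array(...)" of literals.

const INSTALL_HOSTS = ['apps.example-store.invalid'];

// Only fetch install archives from a trusted host over https (replaces raw $_GET['url'] use).
function installUrlIsAllowed(string $url): bool {
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'])) return false;
    return $p['scheme'] === 'https' && in_array(strtolower($p['host']), INSTALL_HOSTS, true);
}

// Tokenize config.php and reject anything executable: function calls, eval/include,
// variables, backticks, interpolated strings, heredocs, or a second PHP open tag.
function configFileIsInert(string $path): bool {
    $src = @file_get_contents($path);
    if ($src === false) return false;
    $allowed = [T_RETURN, T_ARRAY, T_LNUMBER, T_DNUMBER, T_CONSTANT_ENCAPSED_STRING,
                T_DOUBLE_ARROW, T_WHITESPACE, T_COMMENT, T_DOC_COMMENT, T_CLOSE_TAG];
    $opened = false;
    foreach (token_get_all($src) as $tok) {
        if (is_string($tok)) { // single-character tokens: array syntax and the final ';' only
            if (!in_array($tok, ['(', ')', '[', ']', ',', ';', '-'], true)) return false;
            continue;
        }
        if ($tok[0] === T_OPEN_TAG) { if ($opened) return false; $opened = true; continue; }
        if ($tok[0] === T_STRING) { // bare words: literals only, never a function name
            if (!in_array(strtolower($tok[1]), ['true', 'false', 'null'], true)) return false;
            continue;
        }
        if (!in_array($tok[0], $allowed, true)) return false;
    }
    return $opened;
}

// Run after decompress() and before copy_dir(): returns the app name to install, or null.
function vetExtractedApp(string $zipDir): ?string {
    $arr = glob($zipDir . '*/config.php');
    if (empty($arr) || !preg_match('#/([a-z0-9]+)/config\.php$#', $arr[0], $m)) return null;
    $app = $m[1];
    if (!configFileIsInert($zipDir . $app . '/config.php')) return null;
    return $app;
}
```

`onlineinstall()` would call `installUrlIsAllowed()` before `file_get_contents()`, and `import()` would call `copy_dir()` only when `vetExtractedApp()` returns a name.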