Description
-
Vulnerability Name: Arbitrary File Read
-
Date of Discovery: 24/2/2022
-
Product version: 74cmsSE v3.4.1, download link: https://www.74cms.com/downloadse/show/id/62.html
-
Author: N1ce
-
Vulnerability Description:
The download function does not verify the requested path, or the verification fails. Because the user controls the path variable, any file readable by the web server process can be read. -
Code Analysis
In \upload\application\index\controller\Download.php, at line 10, there is a file manipulation function in which $url is a user-controlled parameter that is passed to the file read without any filtering, and $output_filename is the filename under which the content is sent back to the client.
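The following PHP is an added example, not code from 74cms or from the advisory author. It reconstructs the pattern described above (a query parameter passed straight to a file read) in a hypothetical handler with assumed names (download_vulnerable, download_hardened, resolve_download_path, safe_output_filename), and places it next to a hardened version that confines the path to a fixed base directory with realpath() and sanitises the output filename separately. The temporary directory tree it builds is constructed for the demonstration.

```php
<?php
// Added example: assumed shape of a vulnerable download handler and a hardened
// replacement. Function and parameter names are assumptions, not 74cms code.

declare(strict_types=1);

// Vulnerable pattern: $url and $name come straight from the query string and the
// file is streamed back unchecked, so url=../../application/database.php works.
function download_vulnerable(array $get): void
{
    $url = $get['url'] ?? '';
    $outputFilename = $get['name'] ?? 'download';
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . $outputFilename . '"');
    readfile($url); // arbitrary file read
}

// Hardened: resolve the requested path under a fixed base directory and reject
// anything that escapes it. Returns the canonical path or null.
function resolve_download_path(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // realpath() collapses ../ and symlinks and returns false for missing files.
    $target = realpath($base . DIRECTORY_SEPARATOR . ltrim($requested, '/\\'));
    if ($target === false) {
        return null;
    }
    // Compare with the trailing separator so that /srv/uploads2 does not pass
    // for base /srv/uploads.
    if (strpos($target, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $target;
}

// The output filename only affects the Content-Disposition header, but it is
// still user input: strip directories and header-breaking characters.
function safe_output_filename(string $name): string
{
    $name = basename($name);
    $name = preg_replace('/[^A-Za-z0-9._-]/', '_', $name) ?? 'download';
    return ($name === '' || $name[0] === '.') ? 'download' : $name;
}

function download_hardened(array $get, string $baseDir): void
{
    $target = resolve_download_path($baseDir, (string)($get['url'] ?? ''));
    if ($target === null || !is_file($target)) {
        http_response_code(404);
        return;
    }
    $name = safe_output_filename((string)($get['name'] ?? ''));
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . $name . '"');
    readfile($target);
}

// Demonstration against a constructed temporary directory tree:
//   $root/uploads/sub/report.pdf   (legitimately downloadable)
//   $root/database.php             (must not be reachable)
$root = sys_get_temp_dir() . '/afr_demo_' . bin2hex(random_bytes(4));
mkdir("$root/uploads/sub", 0700, true);
file_put_contents("$root/uploads/sub/report.pdf", 'public');
file_put_contents("$root/database.php", '<?php return ["password" => "secret"];');

var_dump(resolve_download_path("$root/uploads", 'sub/report.pdf') !== null); // bool(true)
var_dump(resolve_download_path("$root/uploads", '../database.php'));         // NULL
var_dump(resolve_download_path("$root/uploads", '/etc/passwd'));             // NULL
var_dump(safe_output_filename('../../evil.php'));                            // string(8) "evil.php"
```

The check relies on realpath() returning the canonical absolute path of both the base directory and the target, so symlinks and "../" segments are resolved before the prefix comparison; a plain string check on the raw $url (for example rejecting ".." only) is easier to bypass and should not be used on its own.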

From this, we can build parameters:
/index/download/index?name=index.php&url=../../application/database.php -
Prove
Reading the website's database configuration file. PS: I used index.php because I had not configured Apache pseudo-static (URL rewriting).