title: manage.php
tags: bug
grammar_cjkRuby: true

/user/manage.php

Version:

zzcms 8.2

Location

/user/manage.php

Code:

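// $oldimg, $img, $oldflv and $flv come from the POST request.
// If the image changed, the old image and its "_small" thumbnail are deleted.
if ($oldimg<>$img && $oldimg<>"/image/nopic.gif"){
	$f="../".$oldimg;
	if (file_exists($f)){
		unlink($f);	// path is built from request data without validation
	}
	$fs="../".str_replace(".","_small.",$oldimg);
	if (file_exists($fs)){
		unlink($fs);
	}
}
// Same pattern for the old video file.
if ($oldflv<>$flv){
	$f="../".$oldflv;
	if (file_exists($f)==true){
		unlink($f);	// path is built from request data without validation
	}
}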

Line: 61

Harm

Allows attackers to delete arbitrary files.

Cause

Analyzing the code, the first condition is action=modify.

To meet the remaining condition, the request must get through the founderr=1 check, which means content must not be empty.

With that in place, the value of oldimg or oldflv is taken directly from the POST data, so the submitter controls the path that reaches unlink().

PoC

An attacker can use this vulnerability to delete any file, for example deleting install.lock to force a CMS reinstall and hijack the website database.

Solution

Filter the input of the controllable parameters, and strictly restrict the type and suffix of those parameters.
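
One way to apply this filtering, as an added example that is not zzcms code: resolve the submitted path, require that it stays inside the upload directory, and allow only expected suffixes before calling unlink(). The function name `safe_unlink_upload`, the `uploads` directory and the suffix list are assumptions; the demo tree is constructed in a temp directory.

```php
<?php
/**
 * Delete $userPath only if it resolves to a regular file inside $uploadRoot
 * and carries an allowed suffix. Returns true only when a file was removed.
 * Hypothetical helper, not part of zzcms.
 */
function safe_unlink_upload(string $userPath, string $uploadRoot, array $allowedExt): bool
{
    if ($userPath === '' || strpos($userPath, "\0") !== false) {
        return false;
    }
    $root = realpath($uploadRoot);
    // realpath() collapses "../" segments and symlinks; false means no such file.
    $target = realpath($uploadRoot . DIRECTORY_SEPARATOR . ltrim($userPath, '/\\'));
    if ($root === false || $target === false || !is_file($target)) {
        return false;
    }
    // Compare the resolved path against the root plus a trailing separator,
    // so a sibling such as "uploads_old" cannot pass as a prefix match.
    if (strncmp($target, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return false;
    }
    // Suffix allowlist, checked on the resolved name rather than the raw input.
    $ext = strtolower(pathinfo($target, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowedExt, true)) {
        return false;
    }
    return unlink($target);
}

// Constructed demo tree (assumed layout): an upload directory and an install directory.
$base = sys_get_temp_dir() . '/zz_demo_' . bin2hex(random_bytes(4));
mkdir("$base/uploads", 0700, true);
mkdir("$base/install", 0700, true);
file_put_contents("$base/uploads/old.jpg", 'x');
file_put_contents("$base/install/install.lock", 'x');

$allowed = ['jpg', 'jpeg', 'png', 'gif', 'flv'];
// A file inside the upload directory.
var_dump(safe_unlink_upload('old.jpg', "$base/uploads", $allowed));
// A path that resolves outside the upload directory.
var_dump(safe_unlink_upload('../install/install.lock', "$base/uploads", $allowed));
// State of the file outside the upload directory after both calls.
var_dump(file_exists("$base/install/install.lock"));
```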