| title | tags | grammar_cjkRuby | |
|---|---|---|---|
manage.php |
|
true |
/user/manage.php
Edition :
zzcms 8.2
Location
/user/manage.php
Code:
if ($oldimg<>$img && $oldimg<>"/image/nopic.gif"){
$f="../".$oldimg;
if (file_exists($f)){
unlink($f);
}
$fs="../".str_replace(".","_small.",$oldimg);
if (file_exists($fs)){
unlink($fs);
}
}
if ($oldflv<>$flv){
$f="../".$oldflv;
if (file_exists($f)==true){
unlink($f);
}
}Rows : 61
Harm
Allows attackers to delete files arbitrarily
Cause the cause
First analyze the code, the first condition is action=modify
Satisfaction condition, must make the judgment of founderr=1, that is to say, must make content not empty
In this case, direct control of the data in oldimg or oldflv. POST ,then value can be achieved.
poc
An attacker can use this vulnerability to delete any file, such as deleting install.lock for CMS reinstall and hijacking the website database.
Solution
Can be filtered through the input of control parameters, strictly control the type of parameters, suffixes



