title: manage.php
tags: bug
grammar_cjkRuby: true

/user/manage.php

Version:

zzcms 8.2

Location

/user/manage.php

Code:

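// $oldimg and $oldflv are taken from the request and used as paths unchecked.
if ($oldimg<>$img && $oldimg<>"/image/nopic.gif"){
	$f="../".$oldimg;
	if (file_exists($f)){
		unlink($f); // deletes whatever path $oldimg points to
	}
	// thumbnail: "name.ext" becomes "name_small.ext"
	$fs="../".str_replace(".","_small.",$oldimg);
	if (file_exists($fs)){
		unlink($fs);
	}
}
if ($oldflv<>$flv){
	$f="../".$oldflv;
	if (file_exists($f)==true){
		unlink($f); // same problem for $oldflv
	}
}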

Line: 61

Harm

Allows attackers to delete files arbitrarily

Cause

Analyzing the code, the first condition is action=modify.

To satisfy the conditions, the founderr=1 check must also be handled, that is, content must not be empty.

Once that holds, the data in oldimg or oldflv is directly under the attacker's control: supplying the value via POST is enough to reach the unlink() calls.

PoC

An attacker can use this vulnerability to delete any file, for example deleting install.lock to force a CMS reinstall and hijack the website database.

Solution

Filter the input of the attacker-controlled parameters, and strictly restrict the parameter types and file suffixes.
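
One way to apply that filtering to the block above, as an added example that is not zzcms code: the upload root `uploadfiles`, the suffix lists, the helper name `safe_unlink`, reading `img`/`flv` from POST, and PHP 7+ are all assumptions.

```php
<?php
// Added example (not from zzcms). Upload root and suffix lists are assumed.
const UPLOAD_DIR = __DIR__ . '/../uploadfiles';      // hypothetical upload root
const IMG_EXT    = ['gif', 'jpg', 'jpeg', 'png'];    // assumed image suffixes
const FLV_EXT    = ['flv', 'mp4', 'swf'];            // assumed media suffixes

// Delete $relPath only if it has an allowed suffix and resolves to a
// regular file located inside UPLOAD_DIR. Returns true if a file was removed.
function safe_unlink(string $relPath, array $allowedExt): bool
{
    if ($relPath === '' || strpos($relPath, "\0") !== false) {
        return false;                                // empty value or NUL byte
    }
    $ext = strtolower(pathinfo($relPath, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowedExt, true)) {
        return false;                                // e.g. install.lock, *.php
    }
    // realpath() collapses "../" sequences and symlinks, so the prefix
    // comparison below is made on the real location of the file.
    $base   = realpath(UPLOAD_DIR);
    $target = realpath(__DIR__ . '/../' . ltrim($relPath, '/\\'));
    if ($base === false || $target === false) {
        return false;                                // missing root or file
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return false;                                // outside the upload root
    }
    return is_file($target) && unlink($target);
}

// Same flow as the original block, with every deletion routed through the check.
$oldimg = (string)($_POST['oldimg'] ?? '');
$img    = (string)($_POST['img'] ?? '');
$oldflv = (string)($_POST['oldflv'] ?? '');
$flv    = (string)($_POST['flv'] ?? '');

if ($oldimg !== $img && $oldimg !== '/image/nopic.gif') {
    safe_unlink($oldimg, IMG_EXT);
    safe_unlink(str_replace('.', '_small.', $oldimg), IMG_EXT);
}
if ($oldflv !== $flv) {
    safe_unlink($oldflv, FLV_EXT);
}
```

This still trusts the request to name a file inside the upload root; reading the old path from the stored record for the logged-in user instead of from POST removes that remaining trust.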