title: ppsave.php
tags: bug
grammar_cjkRuby: true

/user/ppsave.php

Version:

zzcms 8.2

Location

/user/ppsave.php

Code:

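if ($oldimg<>$img && $oldimg<>"image/nopic.gif") {
	// delete the old image; $oldimg is used as a file path without validation
	$f=$oldimg;
	if (file_exists($f)){
		unlink($f);
	}
	// also delete its "_small" thumbnail
	$fs=str_replace(".","_small.",$oldimg);
	if (file_exists($fs)){
		unlink($fs);
	}
}

Line: 68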

Harm

Allows attackers to delete arbitrary files.

Cause

Analyzing the code, the first condition is action=modify.

No other condition precedes it, so the value of oldimg can be controlled directly.

PoC

An attacker can use this vulnerability to delete any file, for example deleting install.lock to trigger a CMS reinstall and hijack the website database.

Solution

Filter the input parameters: strictly control the parameter type and the file suffix.
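
One way to apply this kind of check before deletion, as an added example that is not zzcms code: the path is canonicalized, required to sit inside an upload directory, and required to carry an image suffix. The helper names, the allowed suffix list and the single upload directory are assumptions.

```php
<?php
// Added example: hypothetical helpers, not zzcms code.
// Assumption: all user images live under one upload directory ($uploadRoot).
const ALLOWED_IMAGE_EXT = ['gif', 'jpg', 'jpeg', 'png'];
// Return the canonical path only if $userPath is an existing image file
// strictly inside $uploadRoot; otherwise null.
function resolve_deletable_image(string $userPath, string $uploadRoot): ?string
{
    $root = realpath($uploadRoot);
    if ($root === false || strpos($userPath, "\0") !== false) {
        return null;
    }
    // realpath() collapses "../" and symlinks; false if the path does not exist.
    $real = realpath($userPath);
    if ($real === false || !is_file($real)) {
        return null;
    }
    if (strncmp($real, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null; // resolved outside the upload directory
    }
    $ext = strtolower(pathinfo($real, PATHINFO_EXTENSION));
    return in_array($ext, ALLOWED_IMAGE_EXT, true) ? $real : null;
}

function delete_old_image(string $oldimg, string $uploadRoot): bool
{
    $target = resolve_deletable_image($oldimg, $uploadRoot);
    if ($target === null) {
        return false; // rejected: nothing is deleted
    }
    // Build the thumbnail name from the validated path, touching only the final suffix.
    $p = pathinfo($target);
    $small = $p['dirname'] . DIRECTORY_SEPARATOR . $p['filename'] . '_small.' . $p['extension'];
    $ok = unlink($target);
    if (resolve_deletable_image($small, $uploadRoot) !== null) {
        unlink($small);
    }
    return $ok;
}

// Constructed demo: one image inside a temp upload dir, one lock file outside it.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'upload_demo_' . getmypid();
mkdir($root);
$lock = dirname($root) . DIRECTORY_SEPARATOR . 'install_demo_' . getmypid() . '.lock';
file_put_contents($root . '/logo.png', 'x');
file_put_contents($lock, 'x');
var_dump(delete_old_image($root . '/logo.png', $root));
var_dump(delete_old_image($root . '/../' . basename($lock), $root), file_exists($lock));
unlink($lock); rmdir($root);
```

The demo's second call passes a traversal path to the lock file; the helper rejects it and the file is still present afterwards.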