| title | tags | grammar_cjkRuby |
|---|---|---|
| ppsave.php | | true |
/user/ppsave.php
Edition :
zzcms 8.2
Location
/user/ppsave.php
Code:
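    if ($oldimg<>$img && $oldimg<>"image/nopic.gif") {
        // delete the old image: $oldimg comes straight from the request
        $f=$oldimg;
        if (file_exists($f)){
            unlink($f);
        }
        // delete the matching "_small" thumbnail as well
        $fs=str_replace(".","_small.",$oldimg);
        if (file_exists($fs)){
            unlink($fs);
        }
    }

Rows : 68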
Harm
Allows attackers to delete files arbitrarily
Cause
Analyzing the code: the first condition is action=modify.
There is no other precondition, so the attacker can directly control oldimg, which is passed to unlink() without any validation.
PoC
An attacker can use this vulnerability to delete any file, such as deleting install.lock for CMS reinstall and hijacking the website database.
Solution
Filter the user-controlled input parameters, and strictly restrict the type and file suffix of the values they may carry.
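
One way to apply this fix to the deletion step, as an added example that is not zzcms code: canonicalize the path, require it to stay inside the upload directory, and allow only image suffixes. The function name `safe_delete_image`, the `uploadfiles` directory name and the suffix list are assumptions made for illustration.

```php
<?php
// Added example, not zzcms code. Assumption: uploaded images live under one
// directory ($uploadRoot); the directory name used below is hypothetical.

const ALLOWED_IMAGE_EXT = ['jpg', 'jpeg', 'png', 'gif', 'bmp'];

/**
 * Delete an uploaded image only if it resolves to a regular file with an
 * allowed suffix inside $uploadRoot. Returns true if a file was removed.
 */
function safe_delete_image(string $userPath, string $uploadRoot): bool
{
    $root = realpath($uploadRoot);
    // realpath() resolves "../" and symlinks; false means the path does not exist.
    $real = realpath($userPath);
    if ($root === false || $real === false || !is_file($real)) {
        return false;
    }
    // Containment check on the canonical path, with a trailing separator so
    // a sibling such as "uploadfiles_old" cannot pass as a child of "uploadfiles".
    $prefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return false;
    }
    // Suffix allowlist: rejects install.lock, *.php, config files and so on.
    $ext = strtolower(pathinfo($real, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_IMAGE_EXT, true)) {
        return false;
    }
    return unlink($real);
}

// Constructed demonstration in a temporary directory.
$base = sys_get_temp_dir() . '/zzcms_demo_' . bin2hex(random_bytes(4));
mkdir("$base/uploadfiles", 0700, true);
mkdir("$base/install", 0700, true);
file_put_contents("$base/uploadfiles/old.gif", 'x');
file_put_contents("$base/install/install.lock", 'x');

// An image inside the upload root, then a traversal path to the lock file.
var_dump(safe_delete_image("$base/uploadfiles/old.gif", "$base/uploadfiles"));
var_dump(safe_delete_image("$base/uploadfiles/../install/install.lock", "$base/uploadfiles"));
var_dump(file_exists("$base/install/install.lock"));
```

The same check has to cover the `_small` thumbnail path, which the original code derives from `oldimg` before deleting it.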

