CVE-2018-7172 Patch bypass #124
Comments
This was already fixed some time ago with: (realpath). Can you please provide a bit of explanation on why you think this fix is necessary or still think bypassing is possible?
Well! Maybe what I said was not very detailed. The updated patch can still be bypassed.

```php
list($folder, $request) = $entry;
$filename = isset($_REQUEST[$request]) ? str_ireplace(['./', '../', '..', '~', '~/'], null, trim($_REQUEST[$request])) : false;
if (!$filename || empty($filename)) {
    continue;
}
if ($filename == wCMS::get('config', 'theme')) {
    wCMS::alert('danger', 'Cannot delete currently active theme.');
    wCMS::redirect();
    continue;
}
var_dump("{$folder}/{$filename}");die;
```

Poc: /?deleteFile=/.

var_dump function info: string 'D:\xampp\htdocs\wondercms/files//../index.php' (length=45)
There are two characters that can't be written. The one above the Tab key.
Hello, I cannot reproduce the issue on the master branch. Trying this request: /?deleteFile=/../index.php&token=343e9fd453a9d9895a2c9f616426fb190233ed164ba99d2a1d3bac5a434f165f (with my token of course), doesn't lead to the index.php file being deleted.
We all have different keyboards, use correct code escaping syntax or give us the ASCII number of this character. For me, above the Tab key I have "$".
@ashesafe, since this can't be reproduced with the given data, can you please provide the ASCII number of the character you've used? You can use a simple online service such as https://www.browserling.com/tools/text-to-ascii to get the correct ASCII character so we can try to reproduce this again.
ASCII 126
@ashesafe, thank you. I could now successfully reproduce this with the "tilde" character:
@ashesafe, mind sharing your first/last name and Twitter link?
Very thankful. But my English is not good. My name is Ashe and I have no Twitter account.
@ashesafe, do you possibly have a website link? Don't worry about it! Was the Additionally, can I ask you to put the patch you posted as the first comment #124 (comment) in code blocks, so it will display correctly?
Can't reproduce it with nginx, maybe it's an Apache related issue?
My English is not good. But I can understand the general meaning, and I am happy to help maintain the system and follow the author's advice.
The problem is that the code layer has nothing to do with the environment |
I agree that the code must be improved, but it seems this exploit is only valid for the Apache webserver.
@NicolasCARPi, did you copy/paste my reproduction line above? This was indeed on Apache.
@robiso yep, did that, with my token.
@NicolasCARPi, I'm surprised the following line doesn't fix this already (as far as I understand this character should already be "nulled"?)
Anyway, the logic is flawed. It's never a good idea to blacklist things, it's better to whitelist things. I would use
@NicolasCARPi, understood. Can we consider this temporarily patched with:
Do what works for a patch on the master branch, and we'll see about improving the whole process in the dev branch ;)
@NicolasCARPi, sounds like a plan. 🍺 @ashesafe, if you change the following line in your WonderCMS installation: If not, I'll push a patch out tomorrow versioned 2.7.0 and a thank you note. I would also like to add you to the special-contributors page. @ashesafe, do you possibly have a website link?
Although this is a good idea, under Windows `\` can still cross the directory. You could consider filtering `\` characters as well.

Web link: https://www.cnblogs.com/ashe666
deleteFileThemePluginAction()

```php
<?php
// The filter line from deleteFileThemePluginAction(). str_ireplace applies the
// search strings in array order, so '..' is handled before '~' is removed.
$filename = isset($_REQUEST[$request]) ? str_ireplace(['./', '../', '..', '~', '~/'], null, trim($_REQUEST[$request])) : false;

// Same filter on a value containing two tildes (ASCII 126) inside the dots:
$file = "as/.~.~/as.php";
$a = str_ireplace(['./', '../', '..', '~', '~/'], null, trim($file));
var_dump($a); // string(12) "as/../as.php"
```
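To see the difference the thread is arguing about, here is an added example that is not WonderCMS code: the patch's sequential blacklist beside an allowlist plus realpath() containment check. The function names, the temporary directory and the sample inputs are the example's own.

```php
<?php
// Added example, not WonderCMS code. blacklistFilter() repeats the patch's
// str_ireplace call; resolveSafeTarget() is the example's own allowlist check.

// str_ireplace applies each search string in array order: '..' is handled
// before '~' is removed, so a '~' placed between the dots survives the check.
function blacklistFilter(string $name): string
{
    return str_ireplace(['./', '../', '..', '~', '~/'], '', trim($name));
}

// Allowlist instead of blacklist: one path component of safe characters only,
// then realpath() to confirm the resolved file lies inside $baseDir.
function resolveSafeTarget(string $baseDir, string $name): ?string
{
    $name = trim($name);
    if ($name === '.' || $name === '..' || !preg_match('/^[A-Za-z0-9._-]+$/', $name)) {
        return null;
    }
    $base = realpath($baseDir);
    $target = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $target === false) {
        return null;
    }
    // Compare with a trailing separator so "/srv/files2" cannot pass as "/srv/files".
    if (strpos($target, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $target;
}

// Constructed inputs: the '~' bypass from this issue, the Windows backslash
// variant mentioned in the thread, and a legitimate file name. The first two
// leave the blacklist with '..' intact; only theme.css passes the allowlist.
$samples = ['as/.~.~/as.php', '.~.\\index.php', 'theme.css'];

// Throw-away directory (assumed writable) holding only theme.css.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'wcms_demo_' . getmypid();
mkdir($dir);
touch($dir . DIRECTORY_SEPARATOR . 'theme.css');

foreach ($samples as $s) {
    printf("%-16s blacklist => %-14s allowlist => %s\n",
        $s, blacklistFilter($s), resolveSafeTarget($dir, $s) ?? 'rejected');
}

unlink($dir . DIRECTORY_SEPARATOR . 'theme.css');
rmdir($dir);
```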