Found unrestricted file upload vulnerability #77

Closed
gsfish opened this issue Aug 28, 2019 · 2 comments

gsfish commented Aug 28, 2019

What steps will reproduce the problem?

Log in to the admin page and find a place to upload a .jpg image. Intercept the request, change the file extension to .php and insert the content of a webshell:

What is the expected result?

The backend should deny uploading an unexpected file type (with .php extension) in services/Image.php, function getUniqueImgNameInPath()

$imagePath = $imgSaveFloder.'/'.$name.$randStr.'.'.$imageType;

What do you get instead?

The php webshell was successfully uploaded to the website:

Additional info

| Q | A |
| --- | --- |
| Fecshop version | 2.1.6 |
| PHP version | 7.1.13 |
| Operating system | Debian 8 |


fancyecommerce commented Oct 1, 2019

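1. If you have a problem, please post on the forum: http://www.fecmall.com/topic

2. Fecmall checks image files with the PHP function getimagesize, not by the file extension.

3. I searched for some information, and this function is not reliable: https://segmentfault.com/a/1190000003911296

4. For details, see the Fecmall forum post: http://www.fecmall.com/topic/2169 , let's discuss it there.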
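
The two points raised in this thread (the stored extension follows the client file name, and getimagesize only inspects the header) can both be closed on the server side. The following is an added example, not Fecmall's code or its actual fix: `storeUploadedImage` and `ALLOWED_IMAGE_TYPES` are hypothetical names, the GD extension is assumed to be installed, and the sample input is constructed.

```php
<?php
// Added example, not Fecmall code; all names below are hypothetical.

// Detected image type => the only extensions the server will ever write.
const ALLOWED_IMAGE_TYPES = [
    IMAGETYPE_JPEG => 'jpg',
    IMAGETYPE_PNG  => 'png',
    IMAGETYPE_GIF  => 'gif',
];

// Returns the stored path, or null if the upload is rejected.
function storeUploadedImage(string $tmpPath, string $clientName, string $saveDir): ?string
{
    // $clientName is attacker-controlled; it is deliberately never used
    // for the stored file name or its extension.
    $info = @getimagesize($tmpPath);
    $ext  = $info === false ? null : (ALLOWED_IMAGE_TYPES[$info[2]] ?? null);
    if ($ext === null) {
        return null;
    }

    // Decode and re-encode with GD so only pixel data reaches disk; bytes
    // appended after the image data are not carried over.
    $img = @imagecreatefromstring(file_get_contents($tmpPath));
    if ($img === false) {
        return null;
    }
    $dest = rtrim($saveDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    switch ($ext) {
        case 'jpg': $ok = imagejpeg($img, $dest, 90); break;
        case 'png': $ok = imagepng($img, $dest); break;
        default:    $ok = imagegif($img, $dest);
    }
    return $ok ? $dest : null;
}

// Constructed sample: a 1x1 GIF with extra bytes appended, sent under a .php name.
$gif = base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7');
$tmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, $gif . 'TRAILING-DATA');

$stored = storeUploadedImage($tmp, 'avatar.php', sys_get_temp_dir());
if ($stored !== null) {
    var_dump(pathinfo($stored, PATHINFO_EXTENSION));                // extension chosen by the server
    var_dump(strpos(file_get_contents($stored), 'TRAILING-DATA')); // appended bytes after re-encoding
    unlink($stored);
}
unlink($tmp);
```

Serving the upload directory with script execution disabled is a separate control that complements this check.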

@fancyecommerce
Member

Hello, this bug has been fixed. How do I update CNNVD: http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201910-197
