imcat 5.2-Arbitrary file read vulnerability #7

Closed
haungtongfu opened this issue Jun 15, 2021 · 4 comments

@haungtongfu

1. Overview

Official website: http://txjia.com/imcat/

Version: imcat-5.2

Vulnerability type: arbitrary file reading, causing serious information leakage

Source code: https://github.com/peacexie/imcat/releases/tag/v5.2

2. Source code analysis

In the file root/tools/adbug/search.php, $_REQUEST receives parameters from the front end and, without any filtering, uses the file_get_contents() function directly to get the contents of the file and print them on the front page. It can jump to the previous directory by way of "../"; as long as the program has permission, it can read any file on the system, causing information leakage. The specific code is shown in the following two figures.


3. Reappearance

(1) Build the environment through phpstudy, and then log in to the background of the website

(2) Visit the following links (you can construct whatever files you want to get, and you can also get system files by "../" tracing back)
http://127.0.0.1/imcat/root/tools/adbug/search.php?act=View&file=\root\cfgs\boot\cfg_db.php

http://127.0.0.1/imcat/root/tools/adbug/search.php?act=View&file=../../../../../../test.txt

@peacexie
Owner

  1. As an administrator, It(He/She) cant use the File-Search tool;
    The guests are NOT allowed to use this function.

  2. You can use imcat-v5.5; I fixed it in v5.4,
    It was disabled by default in v5.4.

@peacexie peacexie pinned this issue Jun 15, 2021
@peacexie peacexie unpinned this issue Jun 15, 2021
@haungtongfu
Author

This vulnerability is still present in v5.4 and v5.5 versions

@peacexie
Owner

@haungtongfu
Sorry!
The fix is in this commit:

  1. File: root/tools/adbug/search.php
  2. Code: b1c90b5

@peacexie
Owner

Sorry!
The DIY-mode was disabled by default only on the master branch.
In v5.4, this feature was not updated.
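
The root cause reported in this issue is a request parameter passed straight to file_get_contents(). As an added example (not imcat's code and not the content of the fix commit referenced above), the sketch below shows one way to confine such a parameter to a single directory; the function name `safe_view_path`, the `views` directory, the extension allow-list and the temporary file tree are all assumptions constructed for illustration.

```php
<?php
// Added example; safe_view_path() and the demo tree are hypothetical, not imcat code.

/** Return the canonical path of $requested if it is a viewable file inside $viewRoot, else null. */
function safe_view_path(string $viewRoot, string $requested): ?string
{
    // Empty input and null bytes are never valid file names.
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    $root = realpath($viewRoot);
    if ($root === false) {
        return null;
    }
    // Treat "\" as a separator so "\root\cfgs\..." style input is handled the same on every OS,
    // and drop leading separators so the value is always relative to $root.
    $relative = ltrim(str_replace('\\', '/', $requested), '/');
    // realpath() collapses "../" segments and follows symlinks; false means the file does not exist.
    $real = realpath($root . '/' . $relative);
    if ($real === false || !is_file($real)) {
        return null;
    }
    // Containment: the resolved path must start with "<root><separator>".
    // The trailing separator stops "/srv/views-old" from matching "/srv/views".
    $prefix = $root . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    // Allow-list of extensions that are meant to be displayed (assumed set).
    $ext = strtolower(pathinfo($real, PATHINFO_EXTENSION));
    return in_array($ext, ['txt', 'log', 'htm'], true) ? $real : null;
}

// Constructed demo tree: one viewable file, one config file and one file outside the view root.
$base = sys_get_temp_dir() . '/pathdemo_' . bin2hex(random_bytes(4));
mkdir("$base/views", 0700, true);
mkdir("$base/cfgs", 0700, true);
file_put_contents("$base/views/note.txt", "public note\n");
file_put_contents("$base/cfgs/cfg_db.php", "<?php // constructed placeholder\n");
file_put_contents("$base/test.txt", "outside the view root\n");

// Request values modelled on the two URLs in the report, plus one legitimate name.
$samples = ['note.txt', '\\cfgs\\cfg_db.php', '../cfgs/cfg_db.php',
            '../test.txt', '../../../../../../test.txt'];
foreach ($samples as $s) {
    $path = safe_view_path("$base/views", $s);
    printf("%-30s => %s\n", $s, $path === null ? 'refused' : 'allowed: ' . basename($path));
}
```

Only `note.txt` is allowed; the containment check runs on the resolved path rather than on the raw string, so it does not depend on spotting "../" in the input.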
