In include/inc_act/act_ftptakeover.php, line 334, the variable $file passed to the unlink method is not filtered, so the ../ form can be used for directory traversal to delete arbitrary files.

Vulnerability reproduction:

Log in and visit the admin page http://www.pw.com/phpwcms.php?csrftoken=0cc175b9c0f1b6a831c399e269772661&do=files&p=8

First upload files, then select the first file and click "take over selected files".

Use Burp Suite to capture the request and modify the field attribute of the first file: base64-decode the content, change it to ../_.htaccess and encode it again, to try to delete the _.htaccess file in the root directory.

Debug to view the variable values.

The file was successfully deleted.

Repair suggestions:
1. Filter ../ and other special characters.
2. Restrict directory access permissions.
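One way to apply the first repair suggestion before the unlink call, written here as an added example that is not phpwcms code: the upload directory name, the helper names and the sample file names are assumptions for the demo.

```php
<?php
// Added example (not phpwcms code): confine a user-supplied file name to the
// upload directory before calling unlink(). $uploadDir, the function names and
// the sample file names are assumptions made for this demo.

/**
 * Return the absolute path of $file inside $baseDir, or null when the name
 * would escape the directory (e.g. via "../", a nested path or a symlink).
 */
function resolveInsideDir(string $baseDir, string $file): ?string
{
    // A take-over request should name a single file inside the upload
    // directory, so any separator, NUL byte or dot-only name is refused.
    if ($file === '' || $file === '.' || $file === '..'
        || strpbrk($file, "/\\\0") !== false) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    // realpath() resolves symlinks and "..", so a name that still points
    // outside the upload directory (or does not exist) is refused as well.
    $real = realpath($prefix . $file);
    if ($real === false || strpos($real, $prefix) !== 0) {
        return null;
    }
    return $real;
}

function safeUnlink(string $baseDir, string $file): bool
{
    $path = resolveInsideDir($baseDir, $file);
    if ($path === null) {
        // Log the refusal: a traversal attempt like "../_.htaccess" ends here.
        error_log('refused unlink of unsafe file name: ' . $file);
        return false;
    }
    return unlink($path);
}

// Demo with a temporary upload directory (constructed for this example).
$uploadDir = sys_get_temp_dir() . '/ftptakeover_demo';
@mkdir($uploadDir);
file_put_contents($uploadDir . '/report.pdf', 'demo');
var_dump(safeUnlink($uploadDir, '../_.htaccess'));  // refused, nothing deleted
var_dump(safeUnlink($uploadDir, 'report.pdf'));     // file inside the directory is removed
```

The first call is refused by the separator check before realpath() is even consulted; the realpath() comparison additionally catches symlinks placed inside the upload directory that point elsewhere.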
So old problems at all, thanks for finding and reporting this. It's rarely a real problem because only editors have access but anyway it shouldn't be possible in any case.