New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Typecho install.php 存在命令执行漏洞 #619

Closed
1c3z opened this Issue Oct 24, 2017 · 0 comments

Comments

Projects
None yet
1 participant
@1c3z

1c3z commented Oct 24, 2017

https://github.com/typecho/typecho/blob/master/install.php#L232
$config = unserialize(base64_decode(Typecho_Cookie::get('__typecho_config')));
这里使用了不安全的unserialize函数。。

进入这段代码的条件:

 设置了正确的referer(网站url即可)
   加上一个任意的finish参数
设置cookie中__typecho_config字段的值  

在_typecho_config下构造特定的数据可以执行任意PHP代码。

具体分析如下:
https://paper.tuisec.win/detail/c1ecf917be22318.jsp

修复方式
安装完后请删除 install.php

@joyqi joyqi closed this in e277141 Oct 24, 2017

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment