
Z-BlogPHP CSRF: deleting the users directory and its files leaves the site missing files and unable to load #175

Closed
SameleTom opened this issue Feb 6, 2018 · 3 comments
SameleTom commented Feb 6, 2018

Company: 上海匡创信息技术有限公司

Discovered by: Tom

Vulnerable code path: zb_users/plugin/AppCentre/app_del.php

Code:

```php
if ($blogversion >= 151525) {
    // Newer builds: load the app from the request parameters and use its own
    // CanDel()/Del() methods. The $_GET values are used directly; no CSRF token is checked.
    $app = $zbp->LoadApp($_GET['type'], $_GET['id']);
    if ($app->type == $_GET['type']) {
        if ($app->CanDel()) {
            $app->Del();
        }
    }
} else {
    // Older builds: a local recursive delete helper is defined in this branch
    function rrmdir($dir) {
        if (is_dir($dir)) {
            $objects = scandir($dir);
            foreach ($objects as $object) {
                if ($object != '.' && $object != '..') {
                    if (filetype($dir . '/' . $object) == 'dir') {
                        rrmdir($dir . '/' . $object);
                    } else {
                        unlink($dir . '/' . $object);
                    }
                }
            }
            reset($objects);
            rmdir($dir);
        }
    }
    // (the rest of this branch is not quoted in the report)
}
```


If the version condition is met, the CanDel() / Del() deletion methods below are used.

If it is not met, the deletion routine under the else branch is executed.

The Del() method is called in app.php:

zb_system\function\lib\app.php

Lines 618-622:

```php
public function Del() {
    global $zbp;
    // Recursively removes zb_users/<type>/<id>, built from the app's type and id
    rrmdir($zbp->usersdir . $this->type . '/' . $this->id);
    $this->DelCompiled();
}
```

PoC URL: 127.0.0.1/zb_users/plugin/AppCentre/app_del.php

Test procedure:

After logging in to the admin backend, copy the PoC link; opening it deletes the zb_users directory, leaving the site missing files and crashing.

Preconditions:

Requires an administrator to be logged in.
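As an added example (not Z-BlogPHP's own code and not part of the report above), here is how a state-changing endpoint such as app_del.php can be protected against the CSRF described in this issue: a per-session synchronizer token that is compared in constant time, a POST-only requirement so a plain link cannot trigger the action, and a whitelist on the identifiers before they reach the filesystem. All function names, the session key and the allowed type list are assumptions, not the project's API.

```php
<?php
// Added example: CSRF protection and input validation for a delete endpoint.
// Names ('csrf_token', APP_TYPES, the functions below) are assumptions.

const APP_TYPES = ['plugin', 'theme']; // assumed set of deletable app types

// Issue one token per session; embed it in every form that mutates state.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// True only when the submitted token matches the session copy.
// hash_equals() runs in constant time, so a mismatch leaks no timing information.
function csrf_token_is_valid(?string $sent): bool {
    $expected = $_SESSION['csrf_token'] ?? '';
    return $expected !== '' && is_string($sent) && hash_equals($expected, $sent);
}

// Reject ids that are empty, or that contain '.' or path separators: such an id
// would make a path like zb_users/<type>/<id> point at a parent directory.
function valid_app_id(?string $id): bool {
    return is_string($id) && preg_match('/^[A-Za-z0-9_-]+$/', $id) === 1;
}

// Decide whether a delete request may proceed. Returns an HTTP status code:
// 200 = allowed, 405 = not a POST, 403 = bad token, 400 = bad parameters.
function delete_request_status(string $method, array $post): int {
    if ($method !== 'POST') {
        return 405;
    }
    if (!csrf_token_is_valid($post['csrf_token'] ?? null)) {
        return 403;
    }
    $type = $post['type'] ?? null;
    if (!in_array($type, APP_TYPES, true) || !valid_app_id($post['id'] ?? null)) {
        return 400;
    }
    return 200;
}

// The admin page renders the delete action as a form carrying the token,
// never as a bare GET link that a third-party page could embed.
function delete_form_html(string $type, string $id): string {
    $esc = fn(string $s) => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="app_del.php">'
        . '<input type="hidden" name="csrf_token" value="' . $esc(csrf_token()) . '">'
        . '<input type="hidden" name="type" value="' . $esc($type) . '">'
        . '<input type="hidden" name="id" value="' . $esc($id) . '">'
        . '<button type="submit">Delete</button></form>';
}

// Endpoint glue (hypothetical): only when every check passes does the
// application's own delete logic run.
if (PHP_SAPI !== 'cli') {
    session_start();
    $status = delete_request_status($_SERVER['REQUEST_METHOD'], $_POST);
    if ($status !== 200) {
        http_response_code($status);
        exit('Request refused');
    }
    // ... call the application's delete routine for $_POST['type'] / $_POST['id'] here ...
}
```

The token check is what stops a forged cross-site request; the id whitelist is a separate hardening step so that a malformed identifier cannot turn the per-app delete into a delete of the whole users directory.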

@zsxsoft zsxsoft self-assigned this Feb 6, 2018
@zsxsoft zsxsoft added the BUG label Feb 6, 2018
zsxsoft commented Feb 6, 2018

Vulnerability confirmed; the CSRF vulnerability in the App Centre will be fixed along with it.

zsxsoft commented Feb 6, 2018

A temporary fix for this vulnerability has been released; updating the App Centre plugin from the backend resolves it. We will continue adjusting and auditing related issues in the system, and will publish a security advisory afterwards.

Also: for security vulnerabilities, please report to our email address in future, to avoid public disclosure leaking the exploitation method. Thank you.

zsxsoft commented Feb 8, 2018

@zsxsoft zsxsoft closed this as completed Feb 8, 2018