Closed
Hi, this is the Tencent Xcheck team. Our code safety check tool Xcheck has found several unserialize vulnerabilities in this project (v4, v5, v6). They lead to remote code execution. Here are the details.
v6

1. app/admin/controller/api/Update.php
   - line 46: `$this->rules = unserialize($this->request->post('rules', 'a:0:{}', ''));`
   - line 47: `$this->ignore = unserialize($this->request->post('ignore', 'a:0:{}', ''));`

v6 v5 v4

2. app/wechat/controller/api/Push.php
   - line 102: `$this->receive = $this->toLower(unserialize($this->request->post('receive', '', null)));`
To prevent abuse of this vulnerability, we don't provide a proof of concept. We hope to repair it as soon as possible.
From Xcheck Team
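
For reference, one way to harden the `unserialize()` calls flagged above. This is an added example, not part of the original report and not the project's own fix. The helper name `decode_serialized_array` and the sample payloads are constructed for illustration; it assumes PHP 7.2 or later and that the POST values are only ever meant to carry plain arrays.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not from the project): decode a serialized request
// value that is expected to be a plain array and must never contain objects.
function decode_serialized_array(string $raw, array $default = []): array
{
    if ($raw === '') {
        return $default;
    }
    // allowed_classes => false stops unserialize() from instantiating any
    // class: objects in the payload become __PHP_Incomplete_Class, so no
    // __wakeup()/__destruct() of an application class can run.
    $value = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($value)) {
        throw new InvalidArgumentException('expected a serialized array');
    }
    // Reject the whole payload if an object placeholder appears at any depth.
    array_walk_recursive($value, function ($item): void {
        if (is_object($item)) {
            throw new InvalidArgumentException('objects are not allowed');
        }
    });
    return $value;
}

// Constructed sample inputs, standing in for $this->request->post('rules', ...).
$samples = [
    'empty default'   => 'a:0:{}',
    'plain array'     => 'a:2:{i:0;s:5:"*.php";i:1;s:4:"*.js";}',
    'embedded object' => 'a:1:{i:0;O:8:"stdClass":0:{}}',
    'not an array'    => 's:3:"abc";',
    'malformed'       => 'a:1:{broken',
];

foreach ($samples as $label => $raw) {
    try {
        $decoded = decode_serialized_array($raw);
        echo $label, ': accepted, ', count($decoded), " item(s)\n";
    } catch (InvalidArgumentException $e) {
        echo $label, ': rejected (', $e->getMessage(), ")\n";
    }
}
```

Where the client side can be changed as well, sending these values as JSON and decoding them with `json_decode($raw, true)` avoids PHP object deserialization entirely.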