WooYun (WooYun.org) historical vulnerability archive --- http://wy.zone.ci/
2014-08-12: Details sent to the vendor, awaiting vendor response
2014-08-12: Vendor has confirmed; details disclosed to the vendor only
2014-08-15: Details opened to third-party security partners
2014-10-06: Details opened to core white hats and domain experts
2014-10-16: Details opened to ordinary white hats
2014-10-26: Details opened to intern white hats
2014-11-10: Details disclosed to the public
As the title says.
Looking at module/file/control.php:
    public function ajaxUpload($uid)
    {
        $file = $this->file->getUpload('imgFile');
        $file = $file[0];
        if($file)
        {
            if(!$this->file->checkSavePath()) $this->send(array('error' => 1, 'message' => $this->lang->file->errorUnwritable));
            /* The file is stored under pathname; its extension was decided in getUpload()/getExtension(). */
            move_uploaded_file($file['tmpname'], $this->file->savePath . $file['pathname']);
            if(in_array(strtolower($file['extension']), $this->config->file->imageExtensions) !== false)
            {
                $this->file->compressImage($this->file->savePath . $file['pathname']);
                $imageSize = $this->file->getImageSize($this->file->savePath . $file['pathname']);
                $file['width']  = $imageSize['width'];
                $file['height'] = $imageSize['height'];
            }
            $url = $this->file->webPath . $file['pathname'];
            $file['addedBy']   = $this->app->user->account;
            $file['addedDate'] = helper::now();
            $file['editor']    = 1;
            unset($file['tmpname']);
            $this->dao->insert(TABLE_FILE)->data($file)->exec();
            $_SESSION['album'][$uid][] = $this->dao->lastInsertID();
            die(json_encode(array('error' => 0, 'url' => $url)));
        }
    }
Following the upload handling into getUpload():
    public function getUpload($htmlTagName = 'files')
    {
        $files = array();
        if(!isset($_FILES[$htmlTagName])) return $files;

        /* The tag is an array. */
        if(is_array($_FILES[$htmlTagName]['name']))
        {
            extract($_FILES[$htmlTagName]);
            foreach($name as $id => $filename)
            {
                if(empty($filename)) continue;
                $file['extension'] = $this->getExtension($filename);
                /* ... remainder of the loop is omitted in the report ... */
            }
        }
    }
Continuing into the getExtension() function:
    public function getExtension($filename)
    {
        $extension = pathinfo($filename, PATHINFO_EXTENSION);
        if(empty($extension)) return 'txt';
        /* strpos(haystack, needle): a substring test of the extension against the comma-joined dangers list. */
        if(strpos($this->config->file->dangers, strtolower($extension)) !== false) return 'txt';
        return $extension;
    }
The value of dangers is:
$config->file->dangers = 'php,jsp,py,rb,asp,'; // Dangerous file types.
The logic of the line `if(strpos($this->config->file->dangers, strtolower($extension)) !== false) return 'txt';` is a bit off; the two arguments of strpos should be swapped. For example, if I submit a.php followed by a space, it gets bypassed.
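As an added illustration (not ZenTao's code, and not the vendor's patch), the substring test from getExtension() is placed next to an exact-match version and both are run over constructed filenames, including the trailing-space case; the dangers string is the one quoted above.

```php
<?php
// Added example: flawed substring check vs. exact-match check on the extension.
$dangers = 'php,jsp,py,rb,asp,'; // value quoted from the report

// Original logic: strpos(haystack = dangers list, needle = extension).
// This is a substring test, so an extension that does not appear verbatim
// in the list (e.g. "php " with a trailing space) is not caught; on Windows
// the trailing space is dropped when the file is written.
function extensionOriginal(string $filename, string $dangers): string
{
    $extension = pathinfo($filename, PATHINFO_EXTENSION);
    if (empty($extension)) return 'txt';
    if (strpos($dangers, strtolower($extension)) !== false) return 'txt';
    return $extension;
}

// Hardened logic (assumed fix): normalise the extension (lowercase, strip
// surrounding whitespace), split the list, and compare each entry exactly.
// Swapping the strpos arguments would not help: "php " is not a substring
// of the list in either direction.
function extensionHardened(string $filename, string $dangers): string
{
    $extension = strtolower(trim(pathinfo($filename, PATHINFO_EXTENSION)));
    $blocked   = array_filter(array_map('trim', explode(',', $dangers)));
    if ($extension === '' || in_array($extension, $blocked, true)) return 'txt';
    return $extension;
}

// Constructed filenames; "a.php " is the trailing-space case from the report.
foreach (['a.jpg', 'a.php', 'a.PHP', "a.php "] as $name) {
    printf("%-9s original=%-5s hardened=%s\n",
        json_encode($name),
        json_encode(extensionOriginal($name, $dangers)),
        json_encode(extensionHardened($name, $dangers)));
}
```

A stricter option is an allowlist of the extensions the upload endpoint is meant to accept, with anything else mapped to txt, since a denylist has to anticipate every variant.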
See above.
Severity: High
Vulnerability Rank: 15
Confirmed: 2014-08-12 16:58
Confirmed; it affects users on Windows servers. A new version will be released soon to fix this issue.
None for now.