CVE-2021-36426: Arbitrary file upload vulnerability · Issue #312 · slackero/phpwcms

在include/inc_lib/general.inc.php 1709行中，使用getimagesize获取了上传图像文件的大小信息。其后未对后缀名进行单独判断，可以制作图片木马进行上传绕过。
In the line 1709 of include/inc_lib/general.inc.php, use getimagesize to get the size information of the uploaded image file. After that, without a separate judgment on the suffix name, a picture Trojan horse can be made to upload and bypass.

漏洞验证：
Vulnerability recurrence:：
登录访问后台页面http://www.pw.com/phpwcms.php?csrftoken=0cc175b9c0f1b6a831c399e269772661&do=files&p=8
首先点击Create new campaign
Login to visit the background page http://www.pw.com/phpwcms.php?csrftoken=0cc175b9c0f1b6a831c399e269772661&do=files&p=8 First click Create new campaign

创建任意条目，点击create
To create any entry, click create

回到上级，点击编辑
Go back to the upper level, click edit

选中生成好的图片马（在图片文件特殊位置插入php代码，不影响其打开），点击上传，出现报错不用管
poc下载：2.zip

Select the generated picture horse (insert the php code in the special position of the picture file, it will not affect its opening), click upload, and there will be an error and don’t care.
pocdownload：2.zip

上传后的文件目录为\content\marketing+参数adcampaign_id，查看下该目录下生成的新文件，文件命名规则为日期_2
访问url：http://www.pw.com/content/marketing/3/20210701_2.php，成功执行php文件
The uploaded file directory is \content\marketing+parameter adcampaign_id, check the new file generated in this directory, the file naming rule is date_2
Visit url: http://www.pw.com/content/marketing/3/20210701_2.php, successfully execute the php file

修复建议：
1.正确验证文件后缀。
2.限制目录执行权限。

Repair suggestions:

1. Verify the file suffix correctly.
2. Restrict directory execution permissions.