CVE-2021-35369: imcat 5.2-Arbitrary file read vulnerability · Issue #7 · peacexie/imcat
Arbitrary File Read vulnerability found in Peacexie ImCat v.5.2 fixed in v.5.4 allows attackers to obtain sensitive information via the filtering_get_contents function.
### Overview
Official website: http://txjia.com/imcat/
Version: imcat-5.2
Vulnerability type: arbitrary file reading, causing serious information leakage
Source code: https://github.com/peacexie/imcat/releases/tag/v5.2
### Source code analysis
In the file root/tools/adbug/search.php, $_REQUEST receives parameters from the front end and, without any filtering, passes them directly to the file_get_contents() function, which gets the contents of the file and prints them directly on the front page. The path can jump to the parent directory by way of "../", so as long as the program has permission, it can read any file on the system, causing information leakage. The specific code is shown in the following two figures.
### Reproduction
(1) Build the environment through phpstudy, and then log in to the admin back end of the website
(2) Visit the following links (you can construct a path to whatever file you want to get, and you can also get system files by tracing back with "../")
http://127.0.0.1/imcat/root/tools/adbug/search.php?act=View&file=\root\cfgs\boot\cfg_db.php
http://127.0.0.1/imcat/root/tools/adbug/search.php?act=View&file=../../../../../../test.txt
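One way to constrain the `file` parameter described in the source code analysis, as an added example that is not imcat's own code and not its v5.4 fix: resolve the path, require it to stay under a viewing root, and allow only listed extensions. The function name, the root directory and the extension allowlist are assumptions, and the sample files are constructed.

```php
<?php
// Added example: not imcat's code. safe_view_path(), $viewRoot and the
// extension allowlist are hypothetical names chosen for illustration.

function safe_view_path(string $viewRoot, string $userPath, array $allowedExt): ?string
{
    if ($userPath === '' || strpos($userPath, "\0") !== false) {
        return null;                      // empty or NUL-injected input
    }
    $root = realpath($viewRoot);
    if ($root === false) {
        return null;
    }
    // Treat "\" like "/" (the page's first URL uses backslashes) and force
    // the value to be relative to the viewing root.
    $rel = ltrim(str_replace('\\', '/', $userPath), '/');
    // realpath() collapses "../" and follows symlinks; false if missing.
    $target = realpath($root . '/' . $rel);
    if ($target === false || !is_file($target)) {
        return null;
    }
    // Containment: compare against root plus a trailing separator so that
    // "/srv/app-old" is not accepted as being inside "/srv/app".
    $prefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    // Containment alone would still expose in-tree secrets such as a DB
    // config file, so only listed extensions are allowed.
    $ext = strtolower(pathinfo($target, PATHINFO_EXTENSION));
    return in_array($ext, $allowedExt, true) ? $target : null;
}

// Constructed sample tree in a temp directory, so the demo runs offline.
$tmp = sys_get_temp_dir() . '/viewdemo_' . bin2hex(random_bytes(4));
mkdir("$tmp/app/logs", 0700, true);
mkdir("$tmp/app/cfgs", 0700, true);
file_put_contents("$tmp/app/logs/debug.log", "ok\n");
file_put_contents("$tmp/app/cfgs/cfg_db.php", "<?php // constructed\n");
file_put_contents("$tmp/test.txt", "outside the root\n");

foreach (['logs/debug.log', '\\cfgs\\cfg_db.php', '../test.txt', 'logs/../../test.txt'] as $in) {
    $ok = safe_view_path("$tmp/app", $in, ['log', 'txt']);
    printf("%-22s => %s\n", $in, $ok === null ? 'rejected' : 'allowed');
}
```

The in-tree config path is rejected by the extension allowlist rather than by the containment check, which is why both checks are present.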