Headline
CVE-2018-8965: vulnerability/ppsave.php.md at master · Ni9htMar3/vulnerability
An issue was discovered in zzcms 8.2. user/ppsave.php allows remote attackers to delete arbitrary files via directory traversal sequences in the oldimg parameter in an action=modify request. This can be leveraged for database access by deleting install.lock.
title
tags
grammar_cjkRuby
ppsave.php
bug
true
/user/ppsave.php****Edition :
zzcms 8.2
Location
/user/ppsave.php
Code:
if ($oldimg<>$img && $oldimg<>"image/nopic.gif") {
//deloldimg
$f=$oldimg;
if (file_exists($f)){
unlink($f);
}
$fs=str_replace(".","_small.",$oldimg);
if (file_exists($fs)){
unlink($fs);
}
Rows : 68****Harm
Allows attackers to delete files arbitrarily
Cause the cause
First analyze the code, the first condition is action=modify
There is no other previous condition, just can directly control oldimg
poc
An attacker can use this vulnerability to delete any file, such as deleting install.lock for CMS reinstall and hijacking the website database.
Solution
Can be filtered through the input of control parameters, strictly control the type of parameters, suffixes