Headline
CVE-2020-20588: There is an Arbitrary File Upload vulnerability that can upload a php file and be executed. · Issue #13 · zhimengzhe/iBarn
File upload vulnerability in function upload in action/Core.class.php in zhimengzhe iBarn 1.5 allows remote attackers to run arbitrary code via avatar upload to index.php.
You can upload any file as an avatar at "/index.php?m=user&a=avatar". Although the server's response shows that you failed to set the avatar, the file was uploaded, and the file can be easily located by the uid which is shown in your cookies.
/action/Core.class.php
```php
public function upload() {
    // Only the presence of a uid is checked; it is read from the request, not from the session.
    if (!$_REQUEST['uid']) {
        echo Response::json(LACK, array(tip('用户ID不能为空')));
        exit;
    }
    // The client-supplied file name is trimmed and filtered, but its extension is not restricted.
    $_REQUEST['name'] = self::filterName(rawurldecode(self::trimSpace($_REQUEST['name'])));
    if (!$_REQUEST['name']) {
        echo Response::json(LACK, array(tip('文件名不能为空')));
        exit;
    }
    if (!$_REQUEST['type']) {
        if (!file_exists(DATA_DIR)) {
            $res = mkdir(DATA_DIR, 0777, true);
            if (!$res) {
                echo Response::json(FAIL, array(tip('存储目录创建失败')));
                exit;
            }
        }
    }
    if (!file_exists(UP_DIR)) {
        $res = mkdir(UP_DIR, 0777, true);
        if (!$res) {
            echo Response::json(FAIL, array(tip('存储目录创建失败')));
            exit;
        }
    }
    include LIB_PATH . 'plupload' . DS . 'PluploadHandler.php';
    PluploadHandler::no_cache_headers();
    PluploadHandler::cors_headers();
    // The extension allow-list is commented out, so the handler accepts any file type into UP_DIR.
    if (!PluploadHandler::handle(array(
        'target_dir' => UP_DIR,
        //'allow_extensions' => 'jpg,jpeg,png'
    ))) {
        echo Response::json(FAIL, array(tip('上传失败')));
        exit;
    } else {
        echo Response::json(SUCC, array(tip('上传成功')));
    }
}
```
If I am logged in with uid 185 and my uploaded filename is backdoor.php, then http://mywebsite.com/files/18/05/backdoor.php is really my backdoor.
What's more:
I think it is not good that the line `//'allow_extensions' => 'jpg,jpeg,png'` is commented out.
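The report above shows the two gaps that make the upload exploitable: the handler never restricts the extension, and the client-chosen file name is used on disk under a web-served directory. The following is an added example of the server-side check a maintainer would put in front of such an upload; it is not iBarn's or Plupload's code. It assumes a `$_FILES`-style upload (a temporary path on disk plus the name the client supplied), and the function and constant names (`validate_avatar`, `AVATAR_TYPES`) are hypothetical.

```php
<?php
// Added example (not iBarn's code): server-side validation for an avatar upload.
// Assumes a $_FILES-style upload: a temp path on disk plus the client-supplied name.
// validate_avatar and AVATAR_TYPES are hypothetical names chosen for this example.

const AVATAR_TYPES = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'png' => 'image/png'];

/**
 * Returns ['ok' => true, 'name' => <server-chosen file name>] when the upload is
 * acceptable, otherwise ['ok' => false, 'reason' => <why it was rejected>].
 */
function validate_avatar(string $tmpPath, string $clientName): array
{
    // 1. Extension allow-list, enforced on the server regardless of what the client sent.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!isset(AVATAR_TYPES[$ext])) {
        return ['ok' => false, 'reason' => "extension '$ext' not allowed"];
    }
    // 2. Content check: the bytes must decode as an image of the type the extension claims,
    //    so PHP text renamed to .png is still rejected.
    $info = @getimagesize($tmpPath);
    if ($info === false || $info['mime'] !== AVATAR_TYPES[$ext]) {
        return ['ok' => false, 'reason' => 'file content is not ' . AVATAR_TYPES[$ext]];
    }
    // 3. Never store under the client-supplied name: use a random server-chosen name
    //    with the verified extension, so the stored path is not attacker-controlled.
    return ['ok' => true, 'name' => bin2hex(random_bytes(16)) . '.' . $ext];
}

// Self-check with constructed inputs (run: php avatar_check.php).
if (PHP_SAPI === 'cli') {
    // Constructed sample: a real 1x1 transparent PNG.
    $png = base64_decode('iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==');
    // Constructed sample: harmless PHP text standing in for a script upload.
    $phpText = "<?php echo 'constructed sample'; ?>";

    $cases = [
        'real PNG named avatar.png'      => ['avatar.png',   $png],
        'PHP text named backdoor.php'    => ['backdoor.php', $phpText],
        'PHP text renamed to avatar.png' => ['avatar.png',   $phpText],
    ];
    foreach ($cases as $label => [$name, $bytes]) {
        $tmp = tempnam(sys_get_temp_dir(), 'av');
        file_put_contents($tmp, $bytes);
        $r = validate_avatar($tmp, $name);
        unlink($tmp);
        printf("%-32s -> %s\n", $label,
            $r['ok'] ? 'accepted as ' . $r['name'] : 'rejected: ' . $r['reason']);
    }
}
```

Only the first case is accepted; the other two are rejected, the third by the content check rather than the extension check. Re-enabling the handler's `allow_extensions` option that the report points out covers step 1 only; the random server-chosen name and, independently, configuring the upload directory (`files/` in the report) so the web server does not execute scripts from it, or keeping it outside the web root, are what remove the code-execution path even if a check is bypassed.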