CVE-2018-8968: vulnerability/manage.php.md at master · Ni9htMar3/vulnerability
An issue was discovered in zzcms 8.2. user/manage.php allows remote attackers to delete arbitrary files via directory traversal sequences in the oldimg or oldflv parameter in an action=modify request. This can be leveraged for database access by deleting install.lock.
/user/manage.php
Edition:
zzcms 8.2
Location
/user/manage.php
Code:
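// $oldimg and $oldflv are taken from the request and reach unlink() unchecked.
if ($oldimg<>$img && $oldimg<>"/image/nopic.gif"){
    $f="…/".$oldimg;
    if (file_exists($f)){
        unlink($f);
    }
    // The matching "_small" thumbnail is deleted as well.
    $fs="…/".str_replace(".","_small.",$oldimg);
    if (file_exists($fs)){
        unlink($fs);
    }
}
if ($oldflv<>$flv){
    $f="…/".$oldflv;
    if (file_exists($f)==true){
        unlink($f);
    }
}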
Rows: 61
Harm
Allows attackers to delete files arbitrarily
Cause
First, analyze the code. The first condition is action=modify.
To satisfy the condition, the founderr=1 check must be satisfied, that is to say, content must not be empty.
In that case, the values of oldimg or oldflv are controlled directly through the POST data, and the file deletion can be achieved.
PoC
An attacker can use this vulnerability to delete any file, such as deleting install.lock for CMS reinstall and hijacking the website database.
Solution
Filter the input of the controlled parameters, and strictly restrict the parameter types and file suffixes.
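
One way to apply the Solution above, as an added example that is not zzcms code: resolve the requested path, confirm it stays inside the upload directory, and check the suffix before calling unlink(). The function name `safe_delete_upload`, the `uploadfiles` directory and the extension allowlist are assumptions made for illustration.

```php
<?php
// Added example, not zzcms code. Directory names and the extension
// allowlist are assumptions; adapt them to the real deployment.

/**
 * Delete a user-referenced file only if it resolves inside $uploadRoot and
 * has an allowed extension. Returns true only when a file was removed.
 */
function safe_delete_upload(string $userPath, string $siteRoot, string $uploadRoot, array $allowedExt): bool
{
    if ($userPath === '' || strpos($userPath, "\0") !== false) {
        return false; // empty value or embedded NUL byte
    }

    // realpath() resolves "../" and symlinks; false means "does not exist".
    $root   = realpath($uploadRoot);
    $target = realpath($siteRoot . DIRECTORY_SEPARATOR . ltrim($userPath, '/\\'));
    if ($root === false || $target === false || !is_file($target)) {
        return false;
    }

    // Containment: the resolved file must sit below the upload root. The
    // trailing separator stops "uploadfiles_x" from matching "uploadfiles".
    $prefix = $root . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return false;
    }

    // Suffix allowlist.
    $ext = strtolower(pathinfo($target, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowedExt, true)) {
        return false;
    }

    return unlink($target);
}

// Constructed demo tree in a temporary directory.
$site = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'demo_' . bin2hex(random_bytes(4));
mkdir("$site/uploadfiles", 0700, true);
file_put_contents("$site/install.lock", 'lock');
file_put_contents("$site/uploadfiles/a.jpg", 'img');

$ext = ['jpg', 'jpeg', 'png', 'gif', 'flv'];
var_dump(safe_delete_upload('/uploadfiles/../install.lock', $site, "$site/uploadfiles", $ext));
var_dump(safe_delete_upload('/uploadfiles/a.jpg', $site, "$site/uploadfiles", $ext));
var_dump(file_exists("$site/install.lock"));
```

The three calls at the end exercise a traversal value, a legitimate upload, and the state of the lock file afterwards. The check does not verify that the file belongs to the requesting user, which a real fix should also enforce.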