PHPCMS V9 Installation File debug
◆. [0x001] causes of audit (a bunch of nonsense)
◆. [0x002] Code Art (Review core)
◆. [0x003] PHPCMS accidental detection (....)
◆. [0x004] Security suggestions
The cause of the audit: today I met a girl, XX Yao, and we chatted very well (this gave me the patience to read the code). As I said, girls are the motivation!!
On the evening of July 15, September suddenly told me that PHPCMS had a parameter that was not filtered. At first I did not pay attention to it. In the end, on July 15, September sent me a picture, which got me interested in auditing PHPCMS.
Hd captcha-free image:
Because of the figure above, I downloaded a copy of PHPCMS V9 from the Internet and put it in the root directory of my website.
Then I looked for the path phpcms/install/cloud.php described by September, but the latest version of PHPCMS has no such file, and my patience dropped sharply.
Then I found out that the cloud.php file has already been merged into /install.php. That is why we have today's article full of nonsense.
$steps = include PHPCMS_PATH.'install/step.inc.php';
// 'step' is taken straight from the request; trim() is the only processing
$step = trim($_REQUEST['step']) ? trim($_REQUEST['step']) : 1;
$pos = strpos(get_url(), 'install/install.php');
$siteurl = substr(get_url(), 0, $pos);
if (strrpos(strtolower(PHP_OS), "win") === FALSE) {
    define('isunix', TRUE);
} else {
    define('isunix', FALSE);
}
The step parameter is indeed not filtered, but I was left wondering what anyone could do with an installation step??
Go down ..
Seeing that the program runs a switch statement on the parameter, I kept flipping down ..
Now, you can be excited ..
Finally, I saw hope in line 1 ..
case 'cache_all':
    // rebuild every admin cache, then overwrite the site's index.html
    $cache = pc_base::load_app_class('cache_api', 'admin');
    $cache->cache('category');
    $cache->cache('cache_site');
    $cache->cache('downservers');
    $cache->cache('badword');
    $cache->cache('ipbanned');
    $cache->cache('keylink');
    $cache->cache('linkage');
    $cache->cache('position');
    $cache->cache('admin_role');
    $cache->cache('urlrule');
    $cache->cache('module');
    $cache->cache('sitemodel');
    $cache->cache('workflow');
    $cache->cache('dbsource');
    $cache->cache('member_group');
    $cache->cache('membermodel');
    $cache->cache('type', 'search');
    $cache->cache('special');
    $cache->cache('setting');
    $cache->cache('database');
    $cache->cache('member_setting');
    $cache->cache('member_model_field');
    $cache->cache('search_setting');
    copy(PHPCMS_PATH."install/cms_index.html", PHPCMS_PATH."index.html");
    break;
I strongly criticize the PHPCMS programmers here. Please use the AOP design pattern to save trouble in future maintenance.
Here is the bug code: install.php?step=cache_all
A picture has a truth...
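One way to guard the installer's step dispatch so that a finished installation refuses every step, cache_all included, shown here as an added example that is not PHPCMS code and not part of the original article. The lock-file path, the numeric step names in the whitelist and the function name resolve_install_step are assumptions made for illustration.

```php
<?php
// Added example, not PHPCMS code. The lock-file path, the numeric step names
// and resolve_install_step() are assumptions made for illustration.
const ALLOWED_STEPS = ['1', '2', '3', 'cache_all'];

/**
 * Return the validated step name, or null when the request must be refused.
 */
function resolve_install_step($raw, string $lockFile): ?string
{
    // After installation nothing may run again, including cache_all, which
    // rebuilds the caches and copies cms_index.html over index.html.
    if (is_file($lockFile)) {
        return null;
    }
    // Missing parameter: same default as the original code (step 1).
    if ($raw === null || $raw === '') {
        return '1';
    }
    // Request values can be arrays (step[]=x); accept plain strings only.
    if (!is_string($raw)) {
        return null;
    }
    $step = trim($raw);
    // Strict whitelist comparison: no type juggling, no path characters.
    return in_array($step, ALLOWED_STEPS, true) ? $step : null;
}

// Constructed sample requests, run before and after the lock file exists.
$dir = sys_get_temp_dir() . '/install_demo_' . getmypid();
mkdir($dir);
$lock = $dir . '/install.lock';
$samples = [null, '2', 'cache_all', ['x'], '../step', ' cache_all '];

foreach ([false, true] as $installed) {
    if ($installed) {
        touch($lock); // the installer would create this when it finishes
    }
    foreach ($samples as $raw) {
        printf("installed=%s step=%s -> %s\n",
            $installed ? 'yes' : 'no',
            json_encode($raw),
            json_encode(resolve_install_step($raw, $lock)));
    }
}
unlink($lock);
rmdir($dir);
```

A null result means the caller should stop with an error response before reaching the switch statement.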
Path disclosure vulnerability, path: http://www.8090sec.com/phpcms/modules/attachment/templates/album_dir.tpl.php
Proof of vulnerability:
www.2cto.com: it has been forwarded to the official website. Please wait for the patch upgrade.