Catalog
1. Vulnerability Description
2. Vulnerability Trigger Condition
3. Vulnerability Impact Range
4. Vulnerability Code Analysis
5. Defense Methods
6. Defensive Thinking
1. Vulnerability Description
Unrestricted file upload vulnerability in member/uploads_edit.php in Dedecms 5.3 allows a remote attacker to execute arbitrary code by uploading a file with two extensions and then accessing the file through an unknown vector. This has been confirmed with a filename of the form .jpg.php.
Relevant Link:
http://cve.scap.org.cn/cve-2009-2270.html
http://www.cnnvd.org.cn/vulnerability/show/cv_id/2009070008
2. Vulnerability Trigger Condition
0x1: PoC
<form id="frmupload" enctype="multipart/form-data"
      action="http://127.0.0.1/dedecms5.5/member/uploads_edit.php?dopost=save&title=ss&oldurl=1'.php"
      method="post">
  <!-- oldurl is the injection point -->
  <input type="file" name="addonfile" id="addonfile" size="-"><br>
  <input name="mode" type="hidden" value="2">
  <input id="btnupload" type="submit" value="Upload">
</form>
Relevant Link:
http://www.wooyun.org/bug.php?action=view&id=48894
http://www.2cto.com/Article/201012/80026.html
3. Vulnerability Impact Range
4. Vulnerability Code Analysis
/member/uploads_edit.php
else if ($dopost == 'save')
{
    $title = HtmlReplace($title, 2);
    if ($mediatype == 1) $utype = 'image';
    else if ($mediatype == 2) { $utype = 'flash'; }
    else if ($mediatype == 3) { $utype = 'media'; }
    else { $utype = 'addon'; }
    $title = HtmlReplace($title, 2);
    // strip everything up to the last "/" to get the bare file name
    $exname = ereg_replace("(.*)/", "", $oldurl);
    // strip the "." and everything after it to get the name without extension
    $exname = ereg_replace("\.(.*)$", "", $exname);
    // returns the uploaded file name; $oldurl and $exname come straight from the request
    $filename = MemberUploads('addonfile', $oldurl, $cfg_ml->M_ID, $utype, $exname, -1, -1, true);
    // $filename is passed into SaveUploadInfo() and ends up inside a SQL query
    SaveUploadInfo($title, $filename, $mediatype);
    ShowMsg("Successfully modified the file!", "uploads_edit.php?aid=$aid");
}
\member\inc\inc_archives_functions.php
function SaveUploadInfo($title, $filename, $medaitype = 1, $addinfos = '')
{
    global $dsql, $cfg_ml, $cfg_basedir;
    if ($filename == '') {
        return false;
    }
    if (!is_array($addinfos)) {
        $addinfos[0] = $addinfos[1] = $addinfos[2] = 0;
    }
    if ($medaitype == 1) {
        $info = '';
        $addinfos = getimagesize($cfg_basedir . $filename, $info);
    }
    $addinfos[2] = @filesize($cfg_basedir . $filename);
    $row = $dsql->GetOne("SELECT aid,title,url FROM `#@__uploads` WHERE url LIKE '$filename' AND mid='" . $cfg_ml->M_ID . "';");
    $uptime = time();
    if (is_array($row)) {
        $query = "UPDATE `#@__uploads` SET title='$title', mediatype='$medaitype', width='{$addinfos[0]}', height='{$addinfos[1]}', filesize='{$addinfos[2]}', uptime='$uptime' WHERE aid='{$row['aid']}';";
        $dsql->ExecuteNoneQuery($query);
    } else {
        // SQL injection: $filename is interpolated into the INSERT without any filtering
        $inquery = "INSERT INTO `#@__uploads` (title,url,mediatype,width,height,playtime,filesize,uptime,mid) VALUES ('$title','$filename','$medaitype','" . $addinfos[0] . "','" . $addinfos[1] . "','0','" . $addinfos[2] . "','$uptime','" . $cfg_ml->M_ID . "');";
        $dsql->ExecuteNoneQuery($inquery);
    }
    return true;
}
5. Defense Methods
/member/uploads_edit.php
else if ($dopost == 'save')
{
    $title = HtmlReplace($title, 2);
    if ($mediatype == 1) $utype = 'image';
    else if ($mediatype == 2) { $utype = 'flash'; }
    else if ($mediatype == 3) { $utype = 'media'; }
    else { $utype = 'addon'; }
    $title = HtmlReplace($title, 2);
    /* filter $oldurl before it is used to build the file name and the SQL query */
    $oldurl = HtmlReplace($oldurl);
    $exname = preg_replace("#(.*)/#", "", $oldurl);
    $exname = preg_replace("#\.(.*)$#", "", $exname);
    $filename = MemberUploads('addonfile', $oldurl, $cfg_ml->M_ID, $utype, $exname, -1, -1, TRUE);
    SaveUploadInfo($title, $filename, $mediatype);
    ShowMsg("Successfully modified the file!", "uploads_edit.php?aid=$aid");
}
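The two weaknesses in sections 4 and 5 are the unfiltered $oldurl reaching both the stored file name and the INSERT string. The following is an added example, not DedeCMS code, of how a defender would close both paths at once: an extension allow-list that rejects names with quotes or a second extension (so "1'.php" and "photo.jpg.php" never become a file name), and an INSERT that binds the file name as a parameter rather than interpolating it, which goes beyond the HtmlReplace() filter the page's fix applies. The table, the function names safe_upload_name() and save_upload_info_safe(), and the sample inputs are all constructed for this example.

```php
<?php
// Added example (not DedeCMS code): hardened handling of the upload record,
// run against a constructed in-memory SQLite table that mimics the columns
// of `#@__uploads` used on this page. Function names are hypothetical.

// Extensions the member area is willing to store (constructed allow-list).
const ALLOWED_EXT = ['jpg', 'jpeg', 'gif', 'png', 'swf', 'mp3', 'mp4', 'zip'];

// Reduce a user-supplied "old url" to one base name plus one allow-listed
// extension. Returns null for anything else, so quotes, extra dots and
// disallowed extensions (e.g. "1'.php", "photo.jpg.php") are rejected.
function safe_upload_name(string $oldurl): ?string
{
    $base = basename($oldurl);                      // drop any directory part
    if (!preg_match('/^([A-Za-z0-9_-]+)\.([A-Za-z0-9]+)$/', $base, $m)) {
        return null;                                // quotes, extra dots, empty name
    }
    $ext = strtolower($m[2]);
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return null;                                // "php" is not on the list
    }
    return $m[1] . '.' . $ext;
}

// Insert the record with bound parameters instead of string interpolation:
// the file name is sent as data and can no longer alter the SQL statement.
function save_upload_info_safe(PDO $db, string $title, string $filename, int $mediatype, int $mid): bool
{
    if ($filename === '') {
        return false;
    }
    $stmt = $db->prepare(
        'INSERT INTO uploads (title, url, mediatype, width, height, playtime, filesize, uptime, mid)
         VALUES (:title, :url, :mediatype, 0, 0, 0, 0, :uptime, :mid)'
    );
    $stmt->execute([
        ':title'     => $title,
        ':url'       => $filename,
        ':mediatype' => $mediatype,
        ':uptime'    => time(),
        ':mid'       => $mid,
    ]);
    return true;
}

// --- demonstration on constructed input ------------------------------------
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE uploads (aid INTEGER PRIMARY KEY, title TEXT, url TEXT,
           mediatype INTEGER, width INTEGER, height INTEGER, playtime INTEGER,
           filesize INTEGER, uptime INTEGER, mid INTEGER)');

$cases = ["1'.php", "photo.jpg.php", "subdir/photo.jpg", "clip.MP4"];
foreach ($cases as $oldurl) {
    $name = safe_upload_name($oldurl);
    if ($name === null) {
        echo "rejected: $oldurl\n";
        continue;
    }
    save_upload_info_safe($db, 'demo', 'uploads/' . $name, 1, 42);
    echo "stored:   $oldurl -> uploads/$name\n";
}

// A quote in the bound value is stored literally; it does not break the query.
save_upload_info_safe($db, "it's", "uploads/quote'.jpg", 1, 42);
$count = (int) $db->query('SELECT COUNT(*) FROM uploads')->fetchColumn();
echo "rows in uploads: $count\n";
```

Run with the php CLI and the pdo_sqlite extension enabled. The two names from the page's own PoC and CVE text ("1'.php" and a ".jpg.php" name) are rejected before any file or row is created, while the parameterized INSERT shows that even a file name carrying a quote is stored as plain data.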
6. Defensive Thinking
Copyright (c) Littlehann All rights reserved
dedecms/member/uploads_edit.php SQL Injection Vul