EasyTalk Weibo system X1.X file inclusion vulnerability. In PluginsAction.class.php the $_GET['out'] parameter is not filtered and is passed straight into include_once, so any file reachable from the plugin directory can be included. Note that $_GET is already URL-decoded by PHP; running urldecode() over it a second time means double-encoded sequences such as %252e%252e are turned back into "..", which would also defeat a naive filter applied before the decode.
PluginsAction.class.php:
--------------------------------------------------
class PluginsAction extends Action {
    public function index() {
        $app    = $_GET['app'];
        $action = $_GET['action'];
        $out    = urldecode($_GET['out']); // note: decoded a second time, never filtered
        if (@file_exists(ET_ROOT . '/Plugin/' . $app . '/' . $app . '.class.php')) {
            $class = $app . '_action';
            if (class_exists($class)) {
                if (!$out) {
                    $plugin = new $class($this);
                    if ($action) {
                        echo $plugin->$action();
                        exit;
                    } else {
                        if (method_exists($class, 'page')) {
                            if (!$this->my) {
                                echo '<script type="text/javascript">window.location.href="' . SITE_URL . '/login"</script>';
                                exit;
                            }
                            $content = $plugin->page();
                        }
                    }
                } else {
                    include_once(ET_ROOT . '/Plugin/' . $app . '/' . $out); // (*^__^*) no suffix check, no path check?
                    exit;
                }
            }
        }
    }
}
---------------------------------------------------
Exploitation: register an account, upload an avatar that carries PHP code, then request the plugin action with a valid `app` (any plugin whose `<app>.class.php` exists) and an `out` value that walks with "../" from the plugin directory to the uploaded avatar; the include executes it directly, so the whole thing is a one-shot compromise.
Fix: filter the `out` parameter before it reaches include_once. Restrict it to a whitelist of plain file names (no "/", "\", "..", or null bytes) and verify that the resolved path still lies inside the plugin's own directory; do not rely on stripping "../" from the double-decoded string.
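The following is an added example of what such a filter looks like; it is not EasyTalk's own patch. The helper names `plugin_path_is_safe` and `safe_plugin_include`, and the assumption that plugin files are `<name>.php` directly under `Plugin/<app>/`, are mine.

```php
<?php
// Added example (not EasyTalk's code): hardened replacement for the
// vulnerable include_once branch in PluginsAction::index().

// Returns the resolved absolute path of $out inside Plugin/$app, or null
// when the request must be refused. Two independent checks: a strict
// allowlist on the raw names, then a realpath containment check.
function plugin_path_is_safe($root, $app, $out)
{
    // Word characters only: this alone rules out '/', '\\', '..', '%00'.
    if (!preg_match('/^[A-Za-z0-9_]+$/', $app)) {
        return null;
    }
    // Assumption: includable plugin files are named <word>.php.
    if (!preg_match('/^[A-Za-z0-9_]+\.php$/', $out)) {
        return null;
    }

    $pluginDir = realpath($root . '/Plugin/' . $app);
    if ($pluginDir === false) {
        return null;
    }
    $target = realpath($pluginDir . '/' . $out);
    if ($target === false) {
        return null;
    }

    // Defence in depth: the canonical target must sit inside the plugin dir.
    if (strpos($target, $pluginDir . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $target;
}

function safe_plugin_include($root, $app, $out)
{
    $target = plugin_path_is_safe($root, $app, $out);
    if ($target === null) {
        header('HTTP/1.1 404 Not Found');
        return false;
    }
    include_once $target;
    return true;
}

// Constructed attacker inputs, as they would arrive after PHP's own
// decoding (and after the extra urldecode() in the original code).
$attempts = array(
    '../../Uploads/avatar/1.jpg',        // traversal to an uploaded avatar
    '..%2f..%2fUploads/avatar/1.jpg',    // double-encoded traversal
    "index.php\0.jpg",                   // null-byte truncation attempt
    'index.php',                         // legitimate plugin page
);
foreach ($attempts as $out) {
    $ok = plugin_path_is_safe(__DIR__, 'demo', $out) !== null;
    echo str_pad($ok ? 'ALLOW' : 'DENY ', 6), ' ', addcslashes($out, "\0"), "\n";
}
```

Only the last input can pass the allowlist, and even it is still subject to the realpath containment check, so a symlink dropped into the plugin directory would not let the include escape it. In the original `else` branch, `include_once(...)` would be replaced by `safe_plugin_include(ET_ROOT, $app, $out);` followed by the existing `exit;`.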