Phpstcms (STCMS music system) exploits and fixes background verification Vulnerabilities

A music system. Official Website: http://www.phpstcms.com/vulnerability exists in the "common. inc. php" file, as shown below.

Phpstcms (STCMS music system) bypass background Verification Method

Common. inc. php:

......

If (! In_array (substr (strrchr ($ _ SERVER [PHP_SELF], "/"), 1), array ("login. php", "login. php? Action = logined ")))
{
CheckLogin ();
}
// The above is the verification of Logon bypass, which is the same as the IIS6.0 Parsing Vulnerability, you know

......

Webmaster comment:

Phpstcms (STCMS music system) bypass background Verification Method
First, let's add a knowledge, for example, the URL address is.

Phpstcms (STCMS music system) bypass background Verification Method
The problem lies in the verification process. This method of Slot verification is used.

Phpstcms (STCMS music system) bypass background Verification Method
First, extract the string starting from the last "/" in "/fuck/bitch. php" and ending with "bitch. php ". Then, set "login. php? Action = logined "and" login. php "are created into an array. Search for "bitch. php" in this array. If yes, log in ......

Phpstcms (STCMS music system) bypass background Verification Method
For example, the background address of the official website demonstration site is "IIS 6.0 resolution Vulnerability.

Phpstcms (STCMS music system) bypass background Verification Method
For example, the official website:

Phpstcms (STCMS music system) bypass background Verification Method
Http://demo.phpstcms.com/admin/member.php/login.php
Http://demo.phpstcms.com/admin/config.php/login.php
Http://demo.phpstcms.com/admin/data.php/login.php
Http://demo.phpstcms.com/admin/server.php/login.php
Http://demo.phpstcms.com/admin/info.php/login.php
......

Phpstcms (STCMS music system) bypass background Verification Method
The above addresses are only used for demonstration. Do not use them for any illegal purposes!

Phpstcms (STCMS music system) bypass background Verification Method
PHP $ _ SERVER [PHP_SELF] Function Vulnerability Generation Principle:

Phpstcms (STCMS music system) bypass background Verification Method
This function also has a Cross-Site vulnerability. For details, Google "cross-site scripting attacks against $ _ SERVER [PHP_SELF ".

Phpstcms (STCMS music system) bypass background Verification Method
Then, let's take a look at how this vulnerability is created: http://www.bkjia.com/test.php /......, This call is allowed by web servers. Many cms and Forum systems use this method, implementing a fixed web site like a http://www.bkjia.com/test.php/archive/999 without rewrite on the server (I previously thought it was a hand under the 404 error page ), therefore, addresses with "/" cannot be banned from the web server.

Phpstcms (STCMS music system) bypass background Verification Method
Then let's take a look at the recognition of $ _ SERVER [PHP_SELF] in php. It is a global variable that contains the current URL value. God knows what kind of website the user will enter, in the above example, It is malicious, but on such a website, it can be used normally. Therefore, the final conclusion falls on the developer, and the data that interacts with the user is not well processed.