Tipask lets a user adjust their avatar: it saves the adjusted image and deletes the original avatar. When the original avatar is deleted, a parameter submitted via POST is used to build the file path, which causes the arbitrary file deletion vulnerability.
    function onsaveimg() {
        // Crop coordinates and the file extension are read straight from the POST body
        $x1 = $this->post['x1'];
        $y1 = $this->post['y1'];
        $x2 = $this->post['x2'];
        $y2 = $this->post['y2'];
        $w = $this->post['w'];
        $h = $this->post['h'];
        $ext = $this->post['ext'];
        // $ext is concatenated into the temporary file path without any validation
        $upload_tmp_file = TIPASK_ROOT . "/data/tmp/" . 'biginatar' . $this->user['uid'] . $ext;
        $avatardir = "/data/avatar/"; // image storage directory
        $scale = 100 / $w;
        // $smallimg, $dir3 and $uid are set in code that this excerpt does not show
        resizeThumbnailImage($smallimg, $upload_tmp_file, $w, $h, $x1, $y1, $scale);
        copy($upload_tmp_file, TIPASK_ROOT . $dir3 . '/big_' . $uid . $ext);
        // The attacker-influenced path reaches unlink() here
        is_file($upload_tmp_file) && unlink($upload_tmp_file);
        $_ENV['user']->update_avatar($smallimg);
        $this->message('Avatar set successfully!', 'user/editimg');
    }
You can see that the onsaveimg function takes the ext parameter directly from POST, concatenates it into $upload_tmp_file, and finally passes that path to unlink. This is an arbitrary file deletion vulnerability.

Vulnerability proof: to delete test.php under the root directory, POST ext=/.../../test.php to ?user/saveimg.html. This can actually delete install.lock, and you know what that means.
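A hardened form of the delete step, as an added example (not Tipask's code or its official fix). The function names `avatar_tmp_path` and `delete_tmp_file`, the extension allowlist and the demo directory are assumptions made for illustration.

```php
<?php
// Added example, not Tipask code. Names and the allowlist are assumptions.
const AVATAR_EXTENSIONS = ['.jpg', '.jpeg', '.png', '.gif'];

// Build the temporary avatar path; return null unless $ext is on the allowlist.
function avatar_tmp_path(string $tmpDir, int $uid, string $ext): ?string
{
    $ext = strtolower($ext);
    if (!in_array($ext, AVATAR_EXTENSIONS, true)) {
        return null;
    }
    return rtrim($tmpDir, '/') . '/biginatar' . $uid . $ext;
}

// Delete $path only if it resolves to a regular file directly inside $tmpDir.
function delete_tmp_file(string $tmpDir, string $path): bool
{
    $base = realpath($tmpDir);
    $real = realpath($path); // false when the target does not exist
    if ($base === false || $real === false || !is_file($real)) {
        return false;
    }
    // Compare canonical paths so "../" segments and symlinks cannot escape
    return dirname($real) === $base && unlink($real);
}

// Constructed demonstration inside a throwaway directory.
$root = sys_get_temp_dir() . '/avatar_demo_' . bin2hex(random_bytes(4));
$tmpDir = $root . '/data/tmp';
mkdir($tmpDir, 0700, true);
file_put_contents($root . '/install.lock', 'lock');
file_put_contents($tmpDir . '/biginatar7.jpg', 'img');

// A traversal string in the extension field is rejected by the allowlist
var_dump(avatar_tmp_path($tmpDir, 7, '/../../install.lock'));
// A legitimate extension yields a path that passes the containment check
var_dump(delete_tmp_file($tmpDir, avatar_tmp_path($tmpDir, 7, '.jpg')));
// Even if a traversal path reached the delete step, containment refuses it
var_dump(delete_tmp_file($tmpDir, $tmpDir . '/../../install.lock'));
var_dump(is_file($root . '/install.lock'));
```

The two checks are independent on purpose: the allowlist stops the input at the boundary, and the canonical-path comparison protects `unlink` if some other caller builds the path differently.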