YXCMS 1.2.6: Arbitrary File Deletion + 6 Unauthorized Operations
After a brief audit we found that YXcms has an arbitrary file deletion vulnerability and several unauthorized (missing ownership check) operations. Only one of them is demonstrated end to end as proof.
1. Arbitrary File Deletion Vulnerability
The vulnerable code is in /protected/apps/member/controller/newsController.php, in the delcover function:

    public function delcover() {
        // file storage directory
        $id = in($_POST['id']);
        $pic = in($_POST['pic']);
        $data['picture'] = $this->nopic;
        if (model('news')->update("id='$id'", $data)) {
            $picpath = $this->uploadpath . $pic;
            if (file_exists($picpath)) @unlink($picpath);
            echo 1;
        } else echo 'An error occurred while deleting the cover~';
    }
This function is reachable through the routing parameter:
http://localhost/yxcms/index.php?r=member/news/delcover
$pic flows into $picpath, the argument passed to unlink().
$pic comes straight from $_POST['pic'].
Because the in() filter does not strictly sanitize its input, sequences such as "../" pass through and change directories.
The next step is to satisfy the conditions under which unlink() is executed.
(This module requires login, so first register a user and log in.)
unlink() is reached only if two conditions hold:
1. if (model('news')->update("id='$id'", $data))
2. file_exists($picpath)
The second condition needs no discussion.
The first requires that the update actually affects a row in the database.
Here I print $this->nopic to see what it holds.
It is nopic.gif. Next, look at the picture field of the news table (default installed data): nopic.gif means the news item has no cover picture. In a real site there will certainly be items with covers, and I could even brute-force the id. Taking the test data as an example:
Many rows have a picture value other than nopic.gif. The ids of those rows are the values that trigger the vulnerability, because updating them to nopic.gif changes the row and satisfies the first condition; set the id parameter in the POST body to one of these ids. First I placed a 123.txt file in the web root.
Then execute:
The file has been deleted. You can test it yourself.
As for the impact of this vulnerability, I will not dwell on it. Deleting the lock file and reinstalling the site goes without saying, and deleting important data or files is a nuisance, you know.
2. Multiple unauthorized operations
While checking several YXcms files I found multiple operations without an ownership check, as shown below:
1. index function of Protected/apps/member/controller/inforController.php

    if (!$this->isPost()) {
        $auth = $this->auth;
        $id = $auth['id'];
        $info = model('members')->find("id='{$id}'");
        $this->info = $info;
        $this->path = __ROOT__ . '/upload/member/image/';
        $this->twidth = config('head_W');
        $this->theight = config('head_H');
        $this->display();
    } else {
        $id = intval($_POST['id']);
        if (!empty($_POST['email']) && !Check::email(trim($_POST['email']))) $this->error('email format error~');
        $data['nickname'] = in(trim($_POST['nickname']));
        $acc = model('members')->find("id!='{$id}' AND nickname='" . $data['nickname'] . "'");
        if (!empty($acc['nickname'])) $this->error('this nickname has been used by someone~');
        if (empty($_FILES['headpic']['name']) === false) {
            $tfile = date("Ymd");
            $imgupload = $this->upload($this->uploadpath . $tfile . '/', config('imgupsize'), 'jpg,bmp,gif,png');
            $imgupload->saveRule = 'thumb_' . time();
            $imgupload->upload();
            $fileinfo = $imgupload->getUploadFileInfo();
            $errorinfo = $imgupload->getErrorMsg();
            if (!empty($errorinfo)) $this->alert($errorinfo);
            else {
                if (!empty($_POST['oldheadpic'])) {
                    $picpath = $this->uploadpath . $_POST['oldheadpic'];
                    if (file_exists($picpath)) @unlink($picpath);
                }
                $data['headpic'] = $tfile . '/' . $fileinfo[0]['savename'];
            }
        }
        $data['email'] = in($_POST['email']);
        $data['tel'] = in($_POST['tel']);
        $data['qq'] = in($_POST['qq']);
        model('members')->update("id='{$id}'", $data);
        $info = model('members')->find("id='{$id}'");
        if ($info['headpic'] && !Check::url($info['headpic'])) $info['headpic'] = __UPLOAD__ . '/member/image/' . $info['headpic'];
        $cookie_auth = $info['id'] . '\t' . $info['groupid'] . '\t' . $info['account'] . '\t' . $info['nickname'] . '\t' . $info['lastip'] . '\t' . $info['headpic'];
        set_cookie('auth', $cookie_auth, 0);
        $this->success('information edited successfully~');
    }
In the POST branch the id taken from the request body, not the logged-in user's id, is used as the update condition, so another user's data can be modified.
URL: http://localhost/yxcms/index.php?r=member/infor/index
POST data:
id=2&email=google@google.com&nickname=google&tel=1234567890&qq=0987654321
This modifies the profile of the user with id=2.
Create a second user, listen2.
Log in as listen and send the modification request for the listen2 account.
Log in as listen2 and check.
Modified successfully.
2. cutcover function of Protected/apps/member/controller/inforController.php

    $picname = in($_POST['name']);
    $thumb_image_location = $large_image_location = ROOT_PATH . 'upload/member/image/' . $picname;
    $thumb_width = intval($_POST["thumb_w"]); // width of the cropped image
    $x1 = intval($_POST["x1"]);
    $y1 = intval($_POST["y1"]);
    $w = intval($_POST["w"]);
    $h = intval($_POST["h"]);
    if (empty($thumb_width) || empty($w) || empty($h)) exit(0);
    $scale = $thumb_width / $w;
    $cropped = resizeThumbnailImage($thumb_image_location, $large_image_location, $w, $h, $x1, $y1, $scale);
    if (empty($cropped)) echo 0; else echo $picname;

No permission check is performed, so anyone can resize another user's avatar (the avatar path is visible on the profile page).
3. colchange function of Protected/apps/member/controller/newsController.php

    public function colchange() {
        if ('change' != $_POST['dotype']) $this->error('Operation type error~', url('news/index'));
        if (empty($_POST['delid']) || empty($_POST['col'])) $this->error('You have not selected~', url('news/index'));
        foreach ($_POST['delid'] as $value) {
            $changeid .= intval($value) . ',';
        }
        $changeid = substr($changeid, 0, -1);
        $data['sort'] = $_POST['col'];
        model('news')->update('id in (' . $changeid . ')', $data);
        $this->success('column moved successfully~', url('news/index'));
    }

Because the account (owner) field of the news table is not checked, other users' news items can be moved to a different column.
4. orderchange function of Protected/apps/member/controller/photoController.php

    public function orderchange() {
        $id = intval($_POST['id']);
        $data['norder'] = intval($_POST['order']);
        model('photo')->update("id='{$id}'", $data);
        echo 1;
    }

The display order of another user's album can be set.
5. delpic function of Protected/apps/member/controller/photoController.php

    if (empty($_POST['picname'])) $this->error('parameter error~');
    $picname = trim($_POST['picname']);
    $path = $this->uploadpath;
    $lasts = strtolower(substr($picname, -3));
    if (in_array($lasts, array('gif', 'jpg', 'png', 'bmp'))) {
        if (file_exists($path . $picname)) @unlink($path . $picname);
        else exit('image does not exist~');
        if (file_exists($path . 'thumb_' . $picname)) @unlink($path . 'thumb_' . $picname);
        else exit('thumbnail does not exist~');
        echo 'the source image and thumbnail are deleted successfully~';
    } else echo $lasts;

There is no ownership check before deletion, so any image in the gallery can be deleted (the image path is visible in the image properties).
6. colchange function of Protected/apps/member/controller/photoController.php

    if ('change' != $_POST['dotype']) $this->error('Operation type error~', url('photo/index'));
    if (empty($_POST['delid']) || empty($_POST['col'])) $this->error('You have not selected~', url('photo/index'));
    foreach ($_POST['delid'] as $value) {
        $changeid .= intval($value) . ',';
    }
    $changeid = substr($changeid, 0, -1);
    $data['sort'] = $_POST['col'];
    model('photo')->update('id in (' . $changeid . ')', $data);
    $this->success('column moved successfully~', url('photo/index'));

Anyone's gallery columns can be moved.
Solution:
Add ownership verification to every modifying operation (the row being updated or deleted must belong to the logged-in user, whose id comes from the session rather than from POST), and reject any file name that leaves the upload directory before calling unlink().
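The two checks that the fixes for section 1 (path traversal in delcover/delpic) and section 2 (id taken from POST) need, as an added example that is not YXcms code. Function names, the table and column names and the sample data are constructed; the demo assumes PHP 7.4+ with pdo_sqlite available.

```php
<?php
// Added example, not YXcms code. Two checks that the fixes for sections 1 and 2
// need: confine a user-supplied picture name to the upload directory, and
// verify that every record a request touches belongs to the logged-in user.
// Function names, table/column names and sample data are constructed.

// Returns the resolved path of $name inside $uploadDir, or null if $name
// carries any directory component or resolves outside the directory.
function safe_upload_path(string $uploadDir, string $name): ?string {
    if ($name === '' || basename($name) !== $name) {
        return null; // "../123.txt" or "a/b.jpg" is refused before touching the disk
    }
    $base = realpath($uploadDir);
    $full = realpath($uploadDir . DIRECTORY_SEPARATOR . $name);
    // realpath() collapses ".." and symlinks and fails for a missing file;
    // the result must still sit under the upload directory.
    if ($base === false || $full === false ||
        strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $full;
}

// True only if every id in $ids is owned by $userId. $userId comes from the
// session, never from POST; $table/$ownerCol are fixed by the caller, not user input.
function owns_all(PDO $db, string $table, string $ownerCol, int $userId, array $ids): bool {
    if ($ids === []) return false;
    $ids = array_map('intval', $ids);
    $marks = implode(',', array_fill(0, count($ids), '?'));
    $st = $db->prepare("SELECT COUNT(*) FROM {$table} WHERE id IN ({$marks}) AND {$ownerCol} = ?");
    $st->execute([...$ids, $userId]);
    return (int) $st->fetchColumn() === count($ids);
}

// Demo: a temporary upload dir and an in-memory SQLite news table (constructed).
$dir = sys_get_temp_dir() . '/upl_' . bin2hex(random_bytes(4));
mkdir($dir);
touch($dir . '/cover.jpg');
var_dump(safe_upload_path($dir, 'cover.jpg') !== null); // bare name inside the directory
var_dump(safe_upload_path($dir, '../123.txt'));          // traversal attempt, path refused

$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE news (id INTEGER PRIMARY KEY, account INTEGER, sort INTEGER)');
$db->exec('INSERT INTO news VALUES (1, 7, 1), (2, 9, 1)');
// A colchange-style request from user 7: only their own row passes; a mixed list fails.
var_dump(owns_all($db, 'news', 'account', 7, [1]));
var_dump(owns_all($db, 'news', 'account', 7, [1, 2]));
```

In the controllers above, delcover/delpic would call safe_upload_path() before unlink(), and colchange/orderchange/index would call owns_all() with the session user's id before issuing the update.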