Soumettre #113972: Crmeb Commodity management system file upload vulnerabilityinformation

TitreCrmeb Commodity management system file upload vulnerability
DescriptionThis is about the file upload vulnerability of Crmeb commodity management system The defect code is in the $filename variable in the videoUpload function in the \crmeb\app\services\system\attachment\SystemAttachmentServices.php file, that is, $filename = $all_dir . '/' . $data['filename'] . '__ ' . $data['chunkNumber'];, it splices $data['chunkNumber'] at the end, which is a controllable parameter transfer on the client side, so that the value of $data['chunkNumber'] can be modified to The suffix is ​​php, which causes the written malicious code to be parsed and executed. public function videoUpload($data, $file) { $public_dir = app()->getRootPath() . 'public'; $dir = '/uploads/attach/' . date('Y') . DIRECTORY_SEPARATOR . date('m') . DIRECTORY_SEPARATOR . date('d'); $all_dir = $public_dir . $dir; if (!is_dir($all_dir)) mkdir($all_dir, 0777, true); $filename = $all_dir . '/' . $data['filename'] . '__' . $data['chunkNumber']; move_uploaded_file($file['tmp_name'], $filename); $res['code'] = 0; $res['msg'] = 'error'; $res['file_path'] = ''; if ($data['chunkNumber'] == $data['totalChunks']) { $blob = ''; for ($i = 1; $i <= $data['totalChunks']; $i++) { $blob .= file_get_contents($all_dir . '/' . $data['filename'] . '__' . $i); } file_put_contents($all_dir . '/' . $data['filename'], $blob); for ($i = 1; $i <= $data['totalChunks']; $i++) { @unlink($all_dir . '/' . $data['filename'] . '__' . $i); } if (file_exists($all_dir . '/' . $data['filename'])) { $res['code'] = 2; $res['msg'] = 'success'; $res['file_path'] = sys_config('site_url') . $dir . '/' . $data['filename']; } } else { if (file_exists($all_dir . '/' . $data['filename'] . '__' . $data['chunkNumber'])) { $res['code'] = 1; $res['msg'] = 'waiting'; $res['file_path'] = ''; } } return $res; } } I have written a detailed report, please visit this link to check https://github.com/crmeb/CRMEB/issues/77 my mail box:[email protected] Best regards
La source⚠️ https://github.com/crmeb/CRMEB/issues/77
Utilisateur
 keyman (UID 44935)
Soumission14/04/2023 01:30 (il y a 3 ans)
Modérer28/04/2023 18:57 (15 days later)
StatutAccepté
Entrée VulDB227716 [Zhong Bang CRMEB 4.6.0 SystemAttachmentServices.php videoUpload filename élévation de privilèges]
Points20

Do you know our Splunk app?

Download it now for free!