जमा करें #113972: Crmeb Commodity management system file upload vulnerabilityजानकारी

शीर्षकCrmeb Commodity management system file upload vulnerability
विवरणThis is about the file upload vulnerability of Crmeb commodity management system The defect code is in the $filename variable in the videoUpload function in the \crmeb\app\services\system\attachment\SystemAttachmentServices.php file, that is, $filename = $all_dir . '/' . $data['filename'] . '__ ' . $data['chunkNumber'];, it splices $data['chunkNumber'] at the end, which is a controllable parameter transfer on the client side, so that the value of $data['chunkNumber'] can be modified to The suffix is ​​php, which causes the written malicious code to be parsed and executed. public function videoUpload($data, $file) { $public_dir = app()->getRootPath() . 'public'; $dir = '/uploads/attach/' . date('Y') . DIRECTORY_SEPARATOR . date('m') . DIRECTORY_SEPARATOR . date('d'); $all_dir = $public_dir . $dir; if (!is_dir($all_dir)) mkdir($all_dir, 0777, true); $filename = $all_dir . '/' . $data['filename'] . '__' . $data['chunkNumber']; move_uploaded_file($file['tmp_name'], $filename); $res['code'] = 0; $res['msg'] = 'error'; $res['file_path'] = ''; if ($data['chunkNumber'] == $data['totalChunks']) { $blob = ''; for ($i = 1; $i <= $data['totalChunks']; $i++) { $blob .= file_get_contents($all_dir . '/' . $data['filename'] . '__' . $i); } file_put_contents($all_dir . '/' . $data['filename'], $blob); for ($i = 1; $i <= $data['totalChunks']; $i++) { @unlink($all_dir . '/' . $data['filename'] . '__' . $i); } if (file_exists($all_dir . '/' . $data['filename'])) { $res['code'] = 2; $res['msg'] = 'success'; $res['file_path'] = sys_config('site_url') . $dir . '/' . $data['filename']; } } else { if (file_exists($all_dir . '/' . $data['filename'] . '__' . $data['chunkNumber'])) { $res['code'] = 1; $res['msg'] = 'waiting'; $res['file_path'] = ''; } } return $res; } } I have written a detailed report, please visit this link to check https://github.com/crmeb/CRMEB/issues/77 my mail box:[email protected] Best regards
स्रोत⚠️ https://github.com/crmeb/CRMEB/issues/77
उपयोगकर्ता
 keyman (UID 44935)
सबमिशन14/04/2023 01:30 AM (3 साल पहले)
संयम28/04/2023 06:57 PM (15 days later)
स्थितिस्वीकृत
VulDB प्रविष्टि227716 [Zhong Bang CRMEB 4.6.0 SystemAttachmentServices.php videoUpload filename अधिकार वृद्धि]
अंक20

Might our Artificial Intelligence support you?

Check our Alexa App!