Invia #113972: Crmeb Commodity management system file upload vulnerabilityinformazioni

TitoloCrmeb Commodity management system file upload vulnerability
DescrizioneThis is about the file upload vulnerability of Crmeb commodity management system The defect code is in the $filename variable in the videoUpload function in the \crmeb\app\services\system\attachment\SystemAttachmentServices.php file, that is, $filename = $all_dir . '/' . $data['filename'] . '__ ' . $data['chunkNumber'];, it splices $data['chunkNumber'] at the end, which is a controllable parameter transfer on the client side, so that the value of $data['chunkNumber'] can be modified to The suffix is ​​php, which causes the written malicious code to be parsed and executed. public function videoUpload($data, $file) { $public_dir = app()->getRootPath() . 'public'; $dir = '/uploads/attach/' . date('Y') . DIRECTORY_SEPARATOR . date('m') . DIRECTORY_SEPARATOR . date('d'); $all_dir = $public_dir . $dir; if (!is_dir($all_dir)) mkdir($all_dir, 0777, true); $filename = $all_dir . '/' . $data['filename'] . '__' . $data['chunkNumber']; move_uploaded_file($file['tmp_name'], $filename); $res['code'] = 0; $res['msg'] = 'error'; $res['file_path'] = ''; if ($data['chunkNumber'] == $data['totalChunks']) { $blob = ''; for ($i = 1; $i <= $data['totalChunks']; $i++) { $blob .= file_get_contents($all_dir . '/' . $data['filename'] . '__' . $i); } file_put_contents($all_dir . '/' . $data['filename'], $blob); for ($i = 1; $i <= $data['totalChunks']; $i++) { @unlink($all_dir . '/' . $data['filename'] . '__' . $i); } if (file_exists($all_dir . '/' . $data['filename'])) { $res['code'] = 2; $res['msg'] = 'success'; $res['file_path'] = sys_config('site_url') . $dir . '/' . $data['filename']; } } else { if (file_exists($all_dir . '/' . $data['filename'] . '__' . $data['chunkNumber'])) { $res['code'] = 1; $res['msg'] = 'waiting'; $res['file_path'] = ''; } } return $res; } } I have written a detailed report, please visit this link to check https://github.com/crmeb/CRMEB/issues/77 my mail box:[email protected] Best regards
Fonte⚠️ https://github.com/crmeb/CRMEB/issues/77
Utente
 keyman (UID 44935)
Sottomissione14/04/2023 01:30 (3 anni fa)
Moderazione28/04/2023 18:57 (15 days later)
StatoAccettato
Voce VulDB227716 [Zhong Bang CRMEB 4.6.0 SystemAttachmentServices.php videoUpload filename escalationi di privilegi]
Punti20

Do you need the next level of professionalism?

Upgrade your account now!