| タイトル | Crmeb Commodity management system file upload vulnerability |
|---|
| 説明 | This is about the file upload vulnerability of Crmeb commodity management system
The defect code is in the $filename variable in the videoUpload function in the \crmeb\app\services\system\attachment\SystemAttachmentServices.php file, that is, $filename = $all_dir . '/' . $data['filename'] . '__ ' . $data['chunkNumber'];, it splices $data['chunkNumber'] at the end, which is a controllable parameter transfer on the client side, so that the value of $data['chunkNumber'] can be modified to The suffix is php, which causes the written malicious code to be parsed and executed.
public function videoUpload($data, $file)
{
$public_dir = app()->getRootPath() . 'public';
$dir = '/uploads/attach/' . date('Y') . DIRECTORY_SEPARATOR . date('m') . DIRECTORY_SEPARATOR . date('d');
$all_dir = $public_dir . $dir;
if (!is_dir($all_dir)) mkdir($all_dir, 0777, true);
$filename = $all_dir . '/' . $data['filename'] . '__' . $data['chunkNumber'];
move_uploaded_file($file['tmp_name'], $filename);
$res['code'] = 0;
$res['msg'] = 'error';
$res['file_path'] = '';
if ($data['chunkNumber'] == $data['totalChunks']) {
$blob = '';
for ($i = 1; $i <= $data['totalChunks']; $i++) {
$blob .= file_get_contents($all_dir . '/' . $data['filename'] . '__' . $i);
}
file_put_contents($all_dir . '/' . $data['filename'], $blob);
for ($i = 1; $i <= $data['totalChunks']; $i++) {
@unlink($all_dir . '/' . $data['filename'] . '__' . $i);
}
if (file_exists($all_dir . '/' . $data['filename'])) {
$res['code'] = 2;
$res['msg'] = 'success';
$res['file_path'] = sys_config('site_url') . $dir . '/' . $data['filename'];
}
} else {
if (file_exists($all_dir . '/' . $data['filename'] . '__' . $data['chunkNumber'])) {
$res['code'] = 1;
$res['msg'] = 'waiting';
$res['file_path'] = '';
}
}
return $res;
}
}
I have written a detailed report, please visit this link to check
https://github.com/crmeb/CRMEB/issues/77
my mail box:[email protected]
Best regards |
|---|
| ソース | ⚠️ https://github.com/crmeb/CRMEB/issues/77 |
|---|
| ユーザー | keyman (UID 44935) |
|---|
| 送信 | 2023年04月14日 01:30 (3 年 ago) |
|---|
| モデレーション | 2023年04月28日 18:57 (15 days later) |
|---|
| ステータス | 承諾済み |
|---|
| VulDBエントリ | 227716 [Zhong Bang CRMEB 4.6.0 SystemAttachmentServices.php videoUpload filename 特権昇格] |
|---|
| ポイント | 20 |
|---|