제출 #113972: Crmeb Commodity management system file upload vulnerability정보

제목Crmeb Commodity management system file upload vulnerability
설명This is about the file upload vulnerability of Crmeb commodity management system The defect code is in the $filename variable in the videoUpload function in the \crmeb\app\services\system\attachment\SystemAttachmentServices.php file, that is, $filename = $all_dir . '/' . $data['filename'] . '__ ' . $data['chunkNumber'];, it splices $data['chunkNumber'] at the end, which is a controllable parameter transfer on the client side, so that the value of $data['chunkNumber'] can be modified to The suffix is ​​php, which causes the written malicious code to be parsed and executed. public function videoUpload($data, $file) { $public_dir = app()->getRootPath() . 'public'; $dir = '/uploads/attach/' . date('Y') . DIRECTORY_SEPARATOR . date('m') . DIRECTORY_SEPARATOR . date('d'); $all_dir = $public_dir . $dir; if (!is_dir($all_dir)) mkdir($all_dir, 0777, true); $filename = $all_dir . '/' . $data['filename'] . '__' . $data['chunkNumber']; move_uploaded_file($file['tmp_name'], $filename); $res['code'] = 0; $res['msg'] = 'error'; $res['file_path'] = ''; if ($data['chunkNumber'] == $data['totalChunks']) { $blob = ''; for ($i = 1; $i <= $data['totalChunks']; $i++) { $blob .= file_get_contents($all_dir . '/' . $data['filename'] . '__' . $i); } file_put_contents($all_dir . '/' . $data['filename'], $blob); for ($i = 1; $i <= $data['totalChunks']; $i++) { @unlink($all_dir . '/' . $data['filename'] . '__' . $i); } if (file_exists($all_dir . '/' . $data['filename'])) { $res['code'] = 2; $res['msg'] = 'success'; $res['file_path'] = sys_config('site_url') . $dir . '/' . $data['filename']; } } else { if (file_exists($all_dir . '/' . $data['filename'] . '__' . $data['chunkNumber'])) { $res['code'] = 1; $res['msg'] = 'waiting'; $res['file_path'] = ''; } } return $res; } } I have written a detailed report, please visit this link to check https://github.com/crmeb/CRMEB/issues/77 my mail box:[email protected] Best regards
원천⚠️ https://github.com/crmeb/CRMEB/issues/77
사용자
 keyman (UID 44935)
제출2023. 04. 14. AM 01:30 (3 연령 ago)
모더레이션2023. 04. 28. PM 06:57 (15 days later)
상태수락
VulDB 항목227716 [Zhong Bang CRMEB 4.6.0 SystemAttachmentServices.php videoUpload filename 권한 상승]
포인트들20

Do you know our Splunk app?

Download it now for free!