| Title | RapidCMS has an arbitrary file upload vulnerability |
|---|---|

Description (submitted text):

[Suggested description]
An arbitrary file upload vulnerability in /admin/config/uploadicon.php allows attackers to obtain a shell (getshell).
RapidCMS Dev.1.3.1 was discovered to contain an arbitrary file upload vulnerability in /admin/config/uploadicon.php, which leads to getshell.

[Vulnerability Type]
Arbitrary file upload

[Vendor of Product]
https://github.com/OpenRapid/rapidcms

[Affected Product Code Base]
RapidCMS Dev.1.3.1

[Affected Component]
/admin/config/uploadicon.php, affected function: isImg()

```php
function isImg($fileName)
{
    $file = fopen($fileName, "rb");
    $bin = fread($file, 2); // only the first 2 bytes of the file are read
    fclose($file);
    $strInfo = @unpack("C2chars", $bin);
    // The two byte values are concatenated as decimal strings (e.g. 255 and 216 become "255216");
    // nothing else about the file (extension, remaining content) is checked.
    $typeCode = intval($strInfo['chars1'] . $strInfo['chars2']);
    $fileType = '';
    if ($typeCode == 255216 /*jpg*/ || $typeCode == 7173 /*gif*/ || $typeCode == 13780 /*png*/) {
        return $typeCode;
    } else {
        // echo 'Only jpg/jpeg/gif/png images may be uploaded!';
        return false;
    }
}
```

[Attack Type]
Remote

[Impact]
Code Execution

| Source | https://github.com/yhy217/rapidcms-vul/issues/5 |
|---|---|
| User | jamspilly (UID 54414) |
| Submitted | 2023. 09. 19. AM 02:51 (3 years ago) |
| Moderation | 2023. 09. 29. AM 07:22 (10 days later) |
| Status | Accepted |
| VulDB Entry | 240871 [OpenRapid RapidCMS 1.3.1 uploadicon.php isImg fileName privilege escalation] |
| Points | 20 |
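The isImg() check quoted in the description reads only two bytes and never looks at the file's extension or the rest of its content, so a file that merely starts with an image signature passes and keeps whatever name and extension the client chose. The following hardened replacement is an added example, not RapidCMS code: it ties the extension whitelist, the detected MIME type and the decoded image type together, and lets the server choose the stored filename. The field name `icon`, the `$uploadDir` path and the function names are assumptions.

```php
<?php
// Added example (not RapidCMS code). Assumes the upload field is $_FILES['icon']
// and $uploadDir is a directory the web server serves as static files only.

function validateImageUpload(array $file, array $allowed = ['jpg', 'jpeg', 'gif', 'png']): ?string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    // 1. Whitelist the client-supplied extension (only the last one counts).
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, $allowed, true)) {
        return null;
    }
    // 2. Detect the MIME type from the content; libmagic reads far more than two bytes.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime = $finfo->file($file['tmp_name']);
    $mimeToExt = ['image/jpeg' => 'jpg', 'image/gif' => 'gif', 'image/png' => 'png'];
    if (!isset($mimeToExt[$mime])) {
        return null;
    }
    // 3. The file must decode as the image type its header claims, with the same type.
    $info = @getimagesize($file['tmp_name']);
    $typeToExt = [IMAGETYPE_JPEG => 'jpg', IMAGETYPE_GIF => 'gif', IMAGETYPE_PNG => 'png'];
    if ($info === false || !isset($typeToExt[$info[2]]) || $typeToExt[$info[2]] !== $mimeToExt[$mime]) {
        return null;
    }
    // 4. Return a server-chosen extension; the client's filename is never reused.
    return $mimeToExt[$mime];
}

function storeIcon(array $file, string $uploadDir): ?string
{
    $ext = validateImageUpload($file);
    if ($ext === null) {
        return null;
    }
    // Random name plus server-chosen extension, so a script extension can never reach disk.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($uploadDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    chmod($dest, 0644); // readable, never executable
    return $name;
}

// Usage: $saved = storeIcon($_FILES['icon'], '/var/www/data/icons'); // null on rejection
```

Keep the destination directory outside any path where the server executes PHP (or disable script execution there), since filename control alone is not the only thing that turns an upload into code execution.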