Submit #210319: logic vulnerability exists in zzzcms

Title: logic vulnerability exists in zzzcms
Description: The zzzcms system is a free, open source website building system written in PHP. It adopts an MVC-like structure, has a simple framework and is easy to learn. Born in 2016, its original design was to allow users to build their own websites quickly and conveniently. The system is developed using the PHP language and supports multiple content management systems. Compared with other content management systems, ZZZCMS is characterized by its simple operation, ease of use, and good scalability and security.

[suggested description]
Zzzcms has a logical flaw. The backup file path used when restoring a database backup file is controllable, and you can upload your own forged malicious database backup file. As a result, attackers can use this vulnerability to modify the passwords of other users without permission, destroy the site database structure, and even cause the site to crash. When the physical path is known, SQL statements can even be used to create PHP Trojans, resulting in getshell.

[Vulnerability Type]
logic vulnerability

[Vendor of Product]
http://zzzcms.com/index.html

[Affected Product Code Base]
zzzCMS Dev.2.1.7

[Affected Component]
file: /admin/save.php
affected function: restore()

    function restore(){
        $conf=_SERVER('conf');
        // backup path is taken from the POST parameter 'path'
        $path=safe_url(getform('path','post'));
        $backpath=DOC_DIR.$path;
        $username=get_cookie('adminname');
        $time= date('Y-m-d h:i:s',time());
        $ip=ip();
        str_log('数据库还原,原路径'.$path.'备份路径:'.$backpath.'管理员:'.$username.'时间:'.$time.'IP:'.$ip,'data');
        switch ($conf['db']['type']) {
            case 'sqlite':
                $name=randname().'.db';
                $datapath=SITE_DIR.$conf['db']['sqlitepath'].$name;
                if (file_backup($backpath,$datapath)){
                    echo save_config(array('sqlitename'=>$name));
                }else{
                    echo 0;
                }
                break;
            case 'mysql':
                if (is_file($backpath)) {
                    // every ';'+EOL-separated statement in the file is executed
                    $sql = load_file($backpath);
                    $data = explode(';'.PHP_EOL, $sql);
                    foreach ($data as $value) {
                        if ($value){
                            echo db_exec($value);
                        }
                    }
                }
                break;
        }
    }

[Attack Type]
Remote

[Impact]
Code Execution
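One way to constrain which file restore() may load, shown as an added example that is not zzzcms code or part of the submission: the request supplies a bare file name, the server resolves it inside a fixed backup directory, and only files carrying an HMAC written at backup time are accepted. The function names, the `.sig` sidecar file and the directory layout are assumptions.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers, not zzzcms code. Assumption: backups live in one
// server-side directory and get a "<file>.sig" HMAC written at backup time.
function sign_backup(string $file, string $key): void
{
    file_put_contents($file . '.sig', (string) hash_hmac_file('sha256', $file, $key));
}

// Returns the canonical path of a backup that may be restored, or null.
function resolve_backup(string $backupDir, string $requested, string $key): ?string
{
    // Accept a bare file name only: no directory parts, no traversal.
    if (basename($requested) !== $requested
        || !preg_match('/\A[A-Za-z0-9_-][A-Za-z0-9_.-]*\.(sql|db)\z/', $requested)) {
        return null;
    }
    $base = realpath($backupDir);
    $real = realpath($backupDir . DIRECTORY_SEPARATOR . $requested);
    // realpath() resolves symlinks; the result must still sit inside $base.
    if ($base === false || $real === false || !is_file($real)
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    // Reject files the application did not produce itself (e.g. uploads).
    $sig = @file_get_contents($real . '.sig');
    $mac = (string) hash_hmac_file('sha256', $real, $key);
    if ($sig === false || $mac === '' || !hash_equals($mac, trim($sig))) {
        return null;
    }
    return $real;
}

// Constructed demo data in a throwaway temporary directory.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'restore_demo_' . bin2hex(random_bytes(4));
mkdir($dir);
$key = random_bytes(32); // in practice a server-side secret kept outside the web root
file_put_contents("$dir/site.sql", "CREATE TABLE demo (id INT);\n");
sign_backup("$dir/site.sql", $key);
file_put_contents("$dir/dropped.sql", "SELECT 1;\n"); // no signature

foreach (['site.sql', 'dropped.sql', '../site.sql', 'upload/x.php'] as $name) {
    $ok = resolve_backup($dir, $name, $key) !== null;
    echo str_pad($name, 14), $ok ? "restore allowed\n" : "rejected\n";
}
```

The signature check is what addresses the forged-backup part of the report: a file that reaches the backup directory by any route other than the application's own backup routine has no valid `.sig` and is never executed.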
Source: ⚠️ https://github.com/yhy217/zzzcms-vul/issues/1
User: jamspilly (UID 54414)
Submission: 2023. 09. 19. AM 04:58 (3 years ago)
Moderation: 2023. 09. 29. AM 07:25 (10 days later)
Status: Accepted
VulDB entry: 240872 [ZZZCMS 2.1.7 Database Backup File /admin/save.php restore privilege escalation]
Points: 20
