Submeter #113972: Crmeb Commodity management system file upload vulnerabilityinformação

TítuloCrmeb Commodity management system file upload vulnerability
DescriçãoThis is about the file upload vulnerability of Crmeb commodity management system The defect code is in the $filename variable in the videoUpload function in the \crmeb\app\services\system\attachment\SystemAttachmentServices.php file, that is, $filename = $all_dir . '/' . $data['filename'] . '__ ' . $data['chunkNumber'];, it splices $data['chunkNumber'] at the end, which is a controllable parameter transfer on the client side, so that the value of $data['chunkNumber'] can be modified to The suffix is ​​php, which causes the written malicious code to be parsed and executed. public function videoUpload($data, $file) { $public_dir = app()->getRootPath() . 'public'; $dir = '/uploads/attach/' . date('Y') . DIRECTORY_SEPARATOR . date('m') . DIRECTORY_SEPARATOR . date('d'); $all_dir = $public_dir . $dir; if (!is_dir($all_dir)) mkdir($all_dir, 0777, true); $filename = $all_dir . '/' . $data['filename'] . '__' . $data['chunkNumber']; move_uploaded_file($file['tmp_name'], $filename); $res['code'] = 0; $res['msg'] = 'error'; $res['file_path'] = ''; if ($data['chunkNumber'] == $data['totalChunks']) { $blob = ''; for ($i = 1; $i <= $data['totalChunks']; $i++) { $blob .= file_get_contents($all_dir . '/' . $data['filename'] . '__' . $i); } file_put_contents($all_dir . '/' . $data['filename'], $blob); for ($i = 1; $i <= $data['totalChunks']; $i++) { @unlink($all_dir . '/' . $data['filename'] . '__' . $i); } if (file_exists($all_dir . '/' . $data['filename'])) { $res['code'] = 2; $res['msg'] = 'success'; $res['file_path'] = sys_config('site_url') . $dir . '/' . $data['filename']; } } else { if (file_exists($all_dir . '/' . $data['filename'] . '__' . $data['chunkNumber'])) { $res['code'] = 1; $res['msg'] = 'waiting'; $res['file_path'] = ''; } } return $res; } } I have written a detailed report, please visit this link to check https://github.com/crmeb/CRMEB/issues/77 my mail box:[email protected] Best regards
Fonte⚠️ https://github.com/crmeb/CRMEB/issues/77
Utilizador
 keyman (UID 44935)
Submissão14/04/2023 01h30 (há 3 anos)
Moderação28/04/2023 18h57 (15 days later)
EstadoAceite
Entrada VulDB227716 [Zhong Bang CRMEB 4.6.0 SystemAttachmentServices.php videoUpload filename Elevação de Privilégios]
Pontos20

Want to stay up to date on a daily basis?

Enable the mail alert feature now!