| 标题 | Crmeb Commodity management system file upload vulnerability |
|---|
| 描述 | This is about the file upload vulnerability of Crmeb commodity management system
The defect code is in the $filename variable in the videoUpload function in the \crmeb\app\services\system\attachment\SystemAttachmentServices.php file, that is, $filename = $all_dir . '/' . $data['filename'] . '__ ' . $data['chunkNumber'];, it splices $data['chunkNumber'] at the end, which is a controllable parameter transfer on the client side, so that the value of $data['chunkNumber'] can be modified to The suffix is php, which causes the written malicious code to be parsed and executed.
public function videoUpload($data, $file)
{
$public_dir = app()->getRootPath() . 'public';
$dir = '/uploads/attach/' . date('Y') . DIRECTORY_SEPARATOR . date('m') . DIRECTORY_SEPARATOR . date('d');
$all_dir = $public_dir . $dir;
if (!is_dir($all_dir)) mkdir($all_dir, 0777, true);
$filename = $all_dir . '/' . $data['filename'] . '__' . $data['chunkNumber'];
move_uploaded_file($file['tmp_name'], $filename);
$res['code'] = 0;
$res['msg'] = 'error';
$res['file_path'] = '';
if ($data['chunkNumber'] == $data['totalChunks']) {
$blob = '';
for ($i = 1; $i <= $data['totalChunks']; $i++) {
$blob .= file_get_contents($all_dir . '/' . $data['filename'] . '__' . $i);
}
file_put_contents($all_dir . '/' . $data['filename'], $blob);
for ($i = 1; $i <= $data['totalChunks']; $i++) {
@unlink($all_dir . '/' . $data['filename'] . '__' . $i);
}
if (file_exists($all_dir . '/' . $data['filename'])) {
$res['code'] = 2;
$res['msg'] = 'success';
$res['file_path'] = sys_config('site_url') . $dir . '/' . $data['filename'];
}
} else {
if (file_exists($all_dir . '/' . $data['filename'] . '__' . $data['chunkNumber'])) {
$res['code'] = 1;
$res['msg'] = 'waiting';
$res['file_path'] = '';
}
}
return $res;
}
}
I have written a detailed report, please visit this link to check
https://github.com/crmeb/CRMEB/issues/77
my mail box:[email protected]
Best regards |
|---|
| 来源 | ⚠️ https://github.com/crmeb/CRMEB/issues/77 |
|---|
| 用户 | keyman (UID 44935) |
|---|
| 提交 | 2023-04-14 01時30分 (3 年前) |
|---|
| 管理 | 2023-04-28 18時57分 (15 days later) |
|---|
| 状态 | 已接受 |
|---|
| VulDB条目 | 227716 [Zhong Bang CRMEB 4.6.0 SystemAttachmentServices.php videoUpload filename 权限提升] |
|---|
| 积分 | 20 |
|---|