| 标题 | RapidCMS has an arbitrary file upload vulnerability |
|---|
| 描述 | [Suggested description]
An arbitrary file upload vulnerability in /admin/config/uploadicon.php which allows attackers to getshell
RapidCMS Dev.1.3.1 was discovered to contain an arbitrary file upload vulnerability in /admin/config/uploadicon.php which leads to getshell
[Vulnerability Type]
arbitrary file upload
[Vendor of Product]
https://github.com/OpenRapid/rapidcms
[Affected Product Code Base]
RapidCMS Dev.1.3.1
[Affected Component]
/admin/config/uploadicon.php
affected function: isImg()
function isImg($fileName)
{
$file = fopen($fileName, "rb");
$bin = fread($file, 2); // 只读2字节
fclose($file);
$strInfo = @unpack("C2chars", $bin);
$typeCode = intval($strInfo['chars1'] . $strInfo['chars2']);
$fileType = '';
if ($typeCode == 255216 /*jpg*/ || $typeCode == 7173 /*gif*/ || $typeCode == 13780 /*png*/) {
return $typeCode;
} else {
// echo '"仅允许上传jpg/jpeg/gif/png格式的图片!';
return false;
}
}
[Attack Type]
Remote
[Impact]
Code Execution |
|---|
| 来源 | ⚠️ https://github.com/yhy217/rapidcms-vul/issues/5 |
|---|
| 用户 | jamspilly (UID 54414) |
|---|
| 提交 | 2023-09-19 02時51分 (3 年前) |
|---|
| 管理 | 2023-09-29 07時22分 (10 days later) |
|---|
| 状态 | 已接受 |
|---|
| VulDB条目 | 240871 [OpenRapid RapidCMS 1.3.1 uploadicon.php isImg fileName 权限提升] |
|---|
| 积分 | 20 |
|---|