SiteEngine CMS 5.1.0 文件上传漏洞

<?php /*********************/ /* */ /* Version : 5.1.0 */ /* Author : RM */ /* Comment : 071223 */ /* */ /*********************/ function disuploadedfile( $file ) { return function_exists( "is_uploaded_file" ) && is_uploaded_file( $file ) ? TRUE : FALSE; } function upload( $dir = "", $thumb = "", $avatar = "", $allowed = array( ), $random = 1, $varname = "photo" ) { global $db; global $tablepre; global $extension; global $typemaxsize; global $allowsetattachperm; global $referer; global $attachperm; global $module; global $classid; global $config_watermark; global $config_watermarkfont; global $attachsave; global $attachdir; global $maxattachsize; global $maxsizeperday; global $attachextensions; global $site_engine_root; global $resizewidth; global $resizeheight; global $uploaddir; global $sesettings; $attachments = $attacharray = array( ); if ( is_array( $_FILES ) && !empty( $_FILES ) ) //≈–∂œ…œ¥´Œƒº˛≤Œ ˝Œ™ ˝◊È { foreach ( $GLOBALS['_FILES'] as $k => $v ) //»°µ√»´æ÷…œ¥´Œƒº˛£¨∂‡Œƒº˛¥¶¿Ì { foreach ( $GLOBALS['_FILES'][$k] as $key => $var ) { if ( isset( $_FILES[$k] ) && is_array( $_FILES[$k] ) && $_FILES[$k]['error'] != 4 ) { if ( is_array( $var ) ) { foreach ( $var as $id => $val ) //∂‡Œƒº˛…œ¥´ { $attachments[$k][$id][$key] = $val; $attachments[$k][$id]['module'] = $k; $attachments[$k][$id]['description'] = $_POST[$k."description"][$id]; } } else //µ•Œƒº˛…œ¥´ { $attachments[$k][0] = $v; $attachments[$k][0]['module'] = $k; $attachments[$k][0]['description'] = $_POST[$k."description"][$id]; } } } } } $newattachments = array( ); if ( is_array( $attachments ) ) //—È÷§ «∑ÒŒ™ ˝◊È { foreach ( $attachments as $key => $value ) { foreach ( $value as $k => $v ) { $newattachments[] = $v; //…œ¥´±‰¡ø◊È∫œ≥… ˝◊È } } } foreach ( $newattachments as $key => $attach ) { $attach_saved = false; if ( !( $attach['tmp_name'] != "none" && $attach['tmp_name'] && $attach['name'] ) ) //ºŸ»Á…œ¥´Œƒº˛≤ªŒ™ø’ { } else { $attach['name'] = $filename = str_replace( " ", "", $attach['name'] ); //»•µÙŒƒº˛√˚µƒø’∏Ò $attach['ext'] = $extension = strtolower( fileext( $attach['name'] ) ); //»°µ√Œƒº˛µƒ∫Û◊∫√˚≤¢±‰≥…–°–¥ //◊™“ÂŒƒº˛∫Û◊∫√˚µƒ’˝‘ڱ̥ԠΩ◊÷∑˚£¨≤¢∆•≈‰∫œ∑®µƒŒƒº˛∫Û◊∫√˚ if ( $attachextensions && !preg_match( "/(^|\\s|,)".preg_quote( $attach['ext'], "/" )."(\$|\\s|,)/i", $attachextensions ) ) { //»Áπ˚≤ª∆•≈‰ message( $GLOBALS['l_site']['uploadexterror'], $referer ); } //—È÷§Œƒº˛¥Û–° if ( !$attach['size'] || $maxattachsize && $maxattachsize < $attach['size'] ) { message( $GLOBALS['l_site']['toobig'], $referer ); } if ( $attachsave ) //»´æ÷ø™πÿ£¨π¿º∆ «‘ –Ì¥¢¥Ê { if ( $dir ) //»Áπ˚…Ë÷√¡À¥¢¥Êƒø¬º { $attach_subdir = $dir; } else { switch ( $attachsave ) //—°‘Ò¥¢¥Êƒ£ Ω£®√ø÷÷ƒ£ Ωµƒƒø¬º√˚≤ª“ª—˘£© { case 1 : $attach_subdir = $module; break; case 2 : $attach_subdir = "ext_".$extension; break; case 3 : $attach_subdir = "month_".date( "ym" ); break; case 4 : $attach_subdir = "day_".date( "ymd" ); } } $attach_dir = $attachdir."/".$attach_subdir; //µ√µΩ¥Ê¥¢µƒæ¯∂‘¬∑æ∂ if ( !is_dir( $attachdir."/".$module ) ) //≈–∂œ¥¢¥Êƒ£ Ω1 µƒæ¯∂‘¬∑æ∂ { @mkdir( $attachdir."/".$module, 511 ); @chmod( $$attachdir."/".$module, 511 ); @fclose( @fopen( $attachdir."/".$module."/index.htm", "w" ) ); if ( $module == "photo" && !is_dir( $site_engine_root.$uploaddir."/photo/thumbs" ) ) { @mkdir( $site_engine_root.$uploaddir."/photo/thumbs", 511 ); } } if ( !is_dir( $attach_dir ) ) //≈–∂œ¥¢¥Êƒ£ Ω2 µƒæ¯∂‘¬∑æ∂ { @mkdir( $attach_dir, 511 ); @chmod( $attach_dir, 511 ); @fclose( @fopen( $attach_dir."/index.htm", "w" ) ); } $attach['attachment'] = $attach_subdir."/"; } else //≤ª‘ –̥ʥ¢µƒ«Èøˆ£¨ ‹”∞œÏƒø¬ºŒ™ø’ { $attach['attachment'] = ""; } //Œƒº˛√˚¥¶¿Ì $filename = substr( $filename, 0, strlen( $filename ) - strlen( $extension ) - 1 ); //»°≥ˆŒƒº˛µƒ∫Û◊∫√˚÷Æ∫Û µ√≥ˆ’Ê µµƒŒƒº˛√˚ if ( preg_match( "/([-ˇ]|\\%)+/s", $filename ) ) //»Áπ˚Œƒº˛√˚¥Ê‘⁄∑«∑®◊÷∑˚ { $filename = str_replace( "/", "", base64_encode( substr( $filename, 0, 20 ) ) ); //»°Œƒº˛√˚«∞20Œª ˝£¨”√base64Ω¯––±‡¬Î£¨»ª∫Û∞—◊™“Â∑˚»•µÙ } if ( $avatar ) //»Áπ˚…Ë÷√¡Àƒ≥∏ˆÕ∑œÒµƒ≤Œ ˝ { //∏Ù“ª∏ˆ±Íµ„∑˚∫≈æÕΩ´ .£®µ„£© ◊™ªØŒ™ _ £®œ¬ªÆœfl£© $attach['attachment'] .= preg_replace( "/(\\.)(php|phtml|pwml|php3|php4|php|php2|inc|jsp|exe|dll|asp|aspx|cgi|fcgi|pl|reg)(\\.|\$)/i", "\\1_\\2\\3", $avatar.".gif" ); } else if ( $random == 1 ) //Àʪ˙≤Œ ˝Œ™1 { $attach['attachment'] .= preg_replace( "/(\\.)(php|phtml|pwml|php3|php4|php|php2|inc|jsp|exe|dll|asp|aspx|cgi|fcgi|pl|reg)(\\.|\$)/i", "\\1_\\2\\3", substr( $filename, 0, 64 )."_".random( 6 ).".".$extension ); //Àʪ˙…˙≥…Œƒº˛√˚ } else { $attach['attachment'] .= preg_replace( "/(\\.)(php|phtml|pwml|php3|php4|php|php2|inc|jsp|exe|dll|asp|aspx|cgi|fcgi|pl|reg)(\\.|\$)/i", "\\1_\\2\\3", substr( $filename, 0, 64 ).".".$extension ); } $target = $attachdir."/".stripslashes( $attach['attachment'] ); if ( copy( $attach['tmp_name'], $target ) || function_exists( "move_uploaded_file" ) && move_uploaded_file( $attach['tmp_name'], $target ) ) { $attach_saved = true; } if ( !$attach_saved && is_readable( $attach['tmp_name'] ) ) { @$fp = @fopen( $attach, "rb" ); @flock( $fp, 2 ); @$attachedfile = @fread( $fp, $attach['size'] ); @fclose( $fp ); @$fp = @fopen( $target, "wb" ); @flock( $fp, 2 ); if ( @fwrite( $fp, $attachedfile ) ) { $attach_saved = true; } @chmod( $site_engine_root.$uploaddir.$attach['attachment'], 511 ); @fclose( $fp ); } if ( $attach_saved ) { if ( is_array( $attach ) && $thumb == 1 && $attach['size'] ) { do { require_once( $site_engine_root."lib/photo.php" ); $exif = new phpexifreader( $site_engine_root.$uploaddir.$attach['attachment'] ); $exif->processfile( ); $photoinfo = $exif->getimageinfo( ); if ( ( strtolower( $attach['type'] ) == "image/pjpeg" || $attach['type'] == "image/jpeg" ) && function_exists( "imagecreatefromjpeg" ) ) { $im = @imagecreatefromjpeg( $attach['tmp_name'] ); } else { if ( $var['type'] == "image/x-png" && function_exists( "imagecreatefrompng" ) ) { $im = @imagecreatefrompng( $attach['tmp_name'] ); } else if ( !( $var['type'] == "image/gif" && function_exists( "imagecreatefromgif" ) ) ) { break; } else { $im = @imagecreatefromgif( $attach['tmp_name'] ); continue; } } $name = ""; if ( $im ) { $name = resizeimage( $im, $GLOBALS['photosystem']['maxsize'], $GLOBALS['photosystem']['maxsize'], $attach['attachment'], 1 ); } if ( $sesettings['system']['photosize'] ) { $name1 = resizeimage( $im, $sesettings['system']['photosize'], $sesettings['system']['photosize'], $attach['attachment'] ); imagedestroy( $im ); } if ( is_array( $photoinfo ) && $photosystem['exif'] == 1 ) { foreach ( $photoinfo as $k => $v ) { $k = strtolower( $k ); $attach[$k] = shtmlspecialchars( $v ); } } $attach['thumb'] = $name; $attach[$key] = $attach['module']; } while ( 0 ); } $img_info = @getimagesize( $target ); if ( in_array( $attach['ext'], array( "jpg", "gif", "png", "bmp" ) ) && function_exists( "getimagesize" ) && !getimagesize( $target ) && $admincp != 1 ) { @unlink( $target ); } else { if ( in_array( $attach['ext'], array( "jpg", "gif", "png" ) ) && function_exists( "getimagesize" ) && function_exists( "imagettftext" ) && @getimagesize( $target ) && isset( $_POST[$attach['module']."_watermark"] ) && intval( $_POST[$attach['module']."_watermark"] ) == 1 ) { require_once( $site_engine_root."lib/watermark.php" ); $tmp_image = new gimage( ); if ( !ereg( "^http://", $config_watermark ) ) { $tmp_image->wm_text = $config_watermark; } else { $tmp_image->wm_image_name = $config_watermark; } $tmp_image->wm_text_font = $site_engine_root."data/fonts/".$config_watermarkfont; $tmp_image->save_file = $target; $tmp_image->create( $target ); } $attach['perm'] = $allowsetattachperm ? $attachperm[$key] : 0; $attach['key'] = $key; $attacharray[] = $attach; } } else { message( $GLOBALS['l_site']['saveerror'], $referer ); } } } unset( $extension ); return !empty( $attacharray ) ? $attacharray : false; } function resizeimage( $im, $maxwidth, $maxheight, $name, $isthumb = "" ) { global $module; global $attachdir; global $site_engine_root; if ( $isthumb == 1 ) { $name = str_replace( $module, $module."/thumbs", $name ); } else { $name = str_replace( $module, $module, $name ); } $width = imagesx( $im ); $height = imagesy( $im ); $resizewidth = $resizeheight = false; if ( $maxwidth && $maxwidth < $width || $maxheight && $maxheight < $height ) { if ( $maxwidth && $maxwidth < $width ) { $widthratio = $maxwidth / $width; $resizewidth = true; } if ( $maxheight && $maxheight < $height ) { $heightratio = $maxheight / $height; $resizeheight = true; } if ( $resizewidth && $resizeheight ) { if ( $widthratio < $heightratio ) { $ratio = $widthratio; } else { $ratio = $heightratio; } } else if ( $resizewidth ) { $ratio = $widthratio; } else if ( $resizeheight ) { $ratio = $heightratio; } $newwidth = $width * $ratio; $newheight = $height * $ratio; if ( function_exists( "imagecopyresampled" ) ) { $newim = imagecreatetruecolor( $newwidth, $newheight ); imagecopyresampled( $newim, $im, 0, 0, 0, 0, $newwidth, $newheight, $width, $height ); } else { $newim = imagecreate( $newwidth, $newheight ); imagecopyresized( $newim, $im, 0, 0, 0, 0, $newwidth, $newheight, $width, $height ); } @imagejpeg( $newim, $attachdir."/".$name ); imagedestroy( $newim ); } else { @imagejpeg( $im, $attachdir."/".$name ); } return $name; } if ( !defined( "IN_SITEENGINE" ) ) { exit( "Access Denied" ); } $maxgroupcache = groupcache( $usergroup, array( "maxattachsize", "attachextensions" ), 1 ); $maxattachsize = $maxgroupcache['maxattachsize'] ? $maxgroupcache['maxattachsize'] : 1024000000; $attachsave = 1; $attachdir = $site_engine_root.$uploaddir; eval( "\$header = \"".$tpl->get( "header", $templates, $language )."\";" ); $debuginfo = gettotaltime( ); eval( "\$footer = \"".$tpl->get( "footer", $templates, $language )."\";" ); if ( !empty( $usergroup ) && $maxgroupcache['attachextensions'] ) { $attachextensions = $maxgroupcache['attachextensions']; } ?>