由于Discuz!的admin\runwizard.inc.php里saverunwizardhistory()写文件操作没有限制导致执行代码漏洞.
在文件admin\runwizard.inc.php里代码:
$runwizardhistory = array();
$runwizardfile = DISCUZ_ROOT.'./forumdata/logs/runwizardlog.php';
if($fp = @fopen($runwizardfile, 'r')) {
$runwizardhistory = @unserialize(fread($fp, 99999));
fclose($fp);
}
.......
if(submitcheck('step1submit')) {
$runwizardhistory['step1']['size'] = $size;
$runwizardhistory['step1']['safe'] = $safe;
$runwizardhistory['step1']['func'] = $func;
saverunwizardhistory();
}
........
function saverunwizardhistory() {
global $runwizardfile, $runwizardhistory;
$fp = fopen($runwizardfile, 'w');
fwrite($fp, serialize($runwizardhistory));
fclose($fp);
}
上面代码可以看出来当有后台权限时,可以直接得到webshell.如果结合xss[如:SODB-2008-01,SODB-2008-02..等] crsf[如:SODB-2008-03]等漏洞,可以直接通过admin身份远程写入webshell执行代码.
2008-10
今天发布的dz7 bt版本[1]已经fix这个漏洞了:
function saverunwizardhistory() {
global $runwizardfile, $runwizardhistory;
$fp = fopen($runwizardfile, 'w');
$s = '<?php exit;?>';
$s .= serialize($runwizardhistory);
fwrite($fp, $s);
fclose($fp);
}
[1]:<a href=http://download.comsenz.com/Discuz/7.0.0Beta/Discuz_7_Beta_SC_GBK.zip target=_blank>http://download.comsenz.com/Discuz/7.0.0Beta/Discuz_7_Beta_SC_GBK.zip</a>
共 1 兑换了
京公网安备 11010502034610号
暂无评论