Because get_linkage.php does not filter a user-submitted variable, a local file inclusion vulnerability arises. The relevant code, in /api/get_linkage.php:

    case 'ajax_select':
        $parent_id = $_GET['parent_id'] ? intval($_GET['parent_id']) : 0;
        $keyid = $_GET['keyid'];
        ajax_select($parent_id,$keyid);

Note that $parent_id is cast with intval() but $keyid is taken from $_GET as-is. The function ajax_select is defined in the same file:

    function ajax_select($parentid,$keyid) {
        $datas = getcache($keyid,'linkage');
        $infos = $datas['data'];
        $json_str = "[";
        $json = array();
        foreach($infos AS $k=>$v) {
            if($v['parentid'] == $parentid) {
                $r = array('region_id' => $v['linkageid'],
                           'region_name' => $v['name']);
                $json[] = JSON($r);
            }
        }
        $json_str .= implode(',',$json);
        $json_str .= "]";
        echo $json_str;
    }
The unfiltered $keyid is passed straight into getcache() as its first argument, $name. getcache() is defined in /phpcms/libs/functions/global.func.php:

    function getcache($name, $filepath='', $type='file', $config='') {
        pc_base::load_sys_class('cache_factory','',0);
        if($config) {
            $cacheconfig = pc_base::load_config('cache');
            $cache = cache_factory::get_instance($cacheconfig)->get_cache($config);
        } else {
            $cache = cache_factory::get_instance()->get_cache($type);
        }
        return $cache->get($name, '', '', $filepath);
    }

Nothing here touches $name either; it is forwarded unchanged to the cache backend, and the second argument of the original call ('linkage') ends up as the fourth argument of $cache->get().
$cache->get() lives in /phpcms/libs/classes/cache_file.class.php (excerpt):

    public function get($name, $setting = '', $type = 'data', $module = ROUTE_M) {
        $this->get_setting($setting);
        if(empty($type)) $type = 'data';
        if(empty($module)) $module = ROUTE_M;
        $filepath = CACHE_PATH.'caches_'.$module.'/caches_'.$type.'/';
        $filename = $name.$this->_setting['suf'];
        if (!file_exists($filepath.$filename)) {
            return false;
        } else {
            if($this->_setting['type'] == 'array') {
                $data = @require($filepath.$filename);
                // ...

For the call getcache($keyid,'linkage') this is reached as get($keyid, '', '', 'linkage'), so $module is 'linkage', $type falls back to 'data', and the file that gets required is CACHE_PATH.'caches_linkage/caches_data/'.$keyid.$suf. $keyid therefore becomes part of $filename without any normalization: a value containing "../" moves require() out of the caches_linkage/caches_data/ directory, which is the local file inclusion. Two caveats for anyone reproducing this: the configured cache suffix ($this->_setting['suf']) is appended after $name, so the target path has to end with that suffix unless the suffix can be cut off (older PHP versions, before 5.3.4, allowed that through a NUL byte in the path), and because of the file_exists() check the target must already exist on disk.
Test method:
http://sebug.net/appdir/phpcms/api.php?op=get_linkage&act=ajax_select&parent_id=1&keyid=xxx../../

Security recommendation:
Validate $keyid before it reaches getcache(). Cache names for this module are simple identifiers, so the safest fix is an allow-list check (for example, digits and word characters only) that rejects anything containing path separators, ".." or NUL bytes, rather than trying to strip those sequences out.
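The following is an added example of such a check, not PHPCMS code and not part of the original advisory. It assumes that legitimate linkage cache names are short identifiers (the allow-list pattern and its 32-character limit are hypothetical choices); the second helper rebuilds the path exactly as the page's get() method concatenates it and confirms, lexically, that the result cannot leave the cache directory, as a second line of defence if the allow-list is ever loosened.

```php
<?php
// Added example (not PHPCMS code): hardening the $keyid parameter of the
// ajax_select branch in /api/get_linkage.php.

// Allow-list check. Hypothetical policy: cache names are 1-32 word characters,
// so '/', '\\', '.', and NUL bytes are rejected outright instead of stripped.
function is_safe_cache_name($name) {
    return is_string($name) && preg_match('/^[A-Za-z0-9_]{1,32}$/', $name) === 1;
}

// Rebuild the path the way cache_file::get() does and verify, without touching
// the filesystem, that it stays below $base. Mirrors:
//   $filepath = CACHE_PATH.'caches_'.$module.'/caches_'.$type.'/';
//   $filename = $name.$this->_setting['suf'];
function cache_path_stays_in_base($base, $module, $type, $name, $suf) {
    $base = rtrim($base, '/') . '/';
    $candidate = $base . 'caches_' . $module . '/caches_' . $type . '/' . $name . $suf;
    // NUL bytes truncated include paths on old PHP: never let one through.
    if (strpos($candidate, "\0") !== false) {
        return false;
    }
    // Any '..' segment means the name is trying to climb out of the directory.
    foreach (explode('/', $candidate) as $segment) {
        if ($segment === '..') {
            return false;
        }
    }
    return strpos($candidate, $base) === 0;
}

// How the dispatch from the page would look with the check in place:
//
//   case 'ajax_select':
//       $parent_id = isset($_GET['parent_id']) ? intval($_GET['parent_id']) : 0;
//       $keyid = isset($_GET['keyid']) ? $_GET['keyid'] : '';
//       if (!is_safe_cache_name($keyid)) {
//           header('HTTP/1.1 400 Bad Request');
//           exit;
//       }
//       ajax_select($parent_id, $keyid);

// Self-check with constructed inputs (the page's payload plus a NUL variant).
function run_checks() {
    $cases = array(
        array('12', true),
        array('region_1', true),
        array('xxx../../', false),
        array("12\0", false),
        array('', false),
        array(array('12'), false),   // arrays from ?keyid[]= must not pass
    );
    foreach ($cases as $case) {
        list($input, $expected) = $case;
        if (is_safe_cache_name($input) !== $expected) {
            throw new RuntimeException('allow-list check failed for ' . var_export($input, true));
        }
    }
    // Assumed layout: CACHE_PATH=/var/www/caches/, suffix .cache.php (hypothetical values).
    $base = '/var/www/caches/';
    if (cache_path_stays_in_base($base, 'linkage', 'data', '12', '.cache.php') !== true) {
        throw new RuntimeException('legitimate cache name was rejected');
    }
    if (cache_path_stays_in_base($base, 'linkage', 'data', 'xxx../../', '.cache.php') !== false) {
        throw new RuntimeException('traversal payload was accepted');
    }
    return true;
}

echo run_checks() ? "all checks passed\n" : "checks failed\n";
```

Rejecting rather than sanitising is deliberate: a filter that only removes "../" can be bypassed with sequences such as "....//", whereas an allow-list leaves nothing to bypass. The path check is redundant with the allow-list on purpose; it documents the invariant that matters (the required file stays under the cache directory) independently of whatever the name policy happens to be.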