Xaraya是Xaraya团队开发的一套开源的内容管理解决方案与开发框架,它包含了创建动态的跨平台内容管理系统所需要的基础模块和工具。 Xaraya的fopen()中存在文件破坏漏洞,可能导致拒绝服务。xarMLSXML2PHPBackend.php中的漏洞代码如下: ... function create($ctxType, $ctxName) { assert(\'\'!empty($this->baseDir)\'\'); assert(\'\'!empty($this->baseXMLDir)\'\'); $this->fileName = $this->baseDir; $this->xmlFileName = $this->baseXMLDir; if (!ereg(\"^[a-z]+:$\", $ctxType)) { list($prefix,$directory) = explode(\'\':\'\',$ctxType); if ($directory != \"\") { $this->fileName .= $directory . \"/\"; $this->xmlFileName .= $directory . \"/\"; } } $dirForMkDir = $this->fileName; if (!file_exists($dirForMkDir)) xarMLS__mkdirr($dirForMkDir, 0777); $this->fileName .= $ctxName . \".php\"; $this->xmlFileName .= $ctxName . \".xml\"; $xmlFileExists = false; if (file_exists($this->xmlFileName)) { if (!($fp1 = fopen($this->xmlFileName, \"r\"))) { xarLogMessage(\"Could not open XML input: \".$this->xmlFileName); } $data = fread($fp1, filesize($this->xmlFileName)); fclose($fp1); $xml_parser = xml_parser_create(); xml_parse_into_struct($xml_parser, $data, $vals, $index); xml_parser_free($xml_parser); $xmlFileExists = true; } else { xarLogMessage(\"MLS Could not find XML input: \".$this->xmlFileName); } $fp2 = @fopen ($this->fileName, \"w\" ); if ($fp2 !== false) { fputs($fp2, \'\'<?php\'\'.\"\n\"); fputs($fp2, \'\'global $xarML_PHPBackend_entries;\'\'.\"\n\"); fputs($fp2, \'\'global $xarML_PHPBackend_keyEntries;\'\'.\"\n\"); if ($xmlFileExists) { foreach ($vals as $node) { if (!array_key_exists(\'\'tag\'\',$node)) continue; if (!array_key_exists(\'\'value\'\',$node)) $node[\'\'value\'\'] = \'\'\'\'; if ($node[\'\'tag\'\'] == \'\'STRING\'\') { $node[\'\'value\'\'] = str_replace(\'\'\\'\'\'\', \'\'\\\\'\'\'\', $node[\'\'value\'\']); $start = \'\'$xarML_PHPBackend_entries[\\'\'\'\'.$node[\'\'value\'\'].\"\'\']\"; } elseif ($node[\'\'tag\'\'] == \'\'KEY\'\') { $node[\'\'value\'\'] = str_replace(\'\'\\'\'\'\', \'\'\\\\'\'\'\', $node[\'\'value\'\']); $start = \ 
\'\'$xarML_PHPBackend_keyEntries[\\'\'\'\'.$node[\'\'value\'\'].\"\'\']\"; } elseif ($node[\'\'tag\'\'] == \ \'\'TRANSLATION\'\') { if ($this->outCharset != \'\'utf-8\'\') { $node[\'\'value\'\'] = \ $GLOBALS[\'\'xarMLS_newEncoding\'\']->convert($node[\'\'value\'\'], \'\'utf-8\'\', $this->outCharset, \ 0); } $node[\'\'value\'\'] = str_replace(\'\'\\'\'\'\', \'\'\\\\'\'\'\', $node[\'\'value\'\']); if (!empty($node[\'\'value\'\'])) { fputs($fp2, $start . \" = \'\'\".$node[\'\'value\'\'].\"\'\';\n\"); } } } } fputs($fp2, \"?>\"); fclose($fp2); } else { xarLogMessage(\"Could not create file: \".$this->fileName); global $xarML_PHPBackend_entries; global $xarML_PHPBackend_keyEntries; if ($xmlFileExists) { foreach ($vals as $node) { if (!array_key_exists(\'\'tag\'\',$node)) continue; if (!array_key_exists(\'\'value\'\',$node)) $node[\'\'value\'\'] = \'\'\'\'; if ($node[\'\'tag\'\'] == \'\'STRING\'\') { $node[\'\'value\'\'] = str_replace(\'\'\\'\'\'\', \'\'\\\\'\'\'\', $node[\'\'value\'\']); $entryIndex = $node[\'\'value\'\']; $entryType = \'\'string\'\'; } elseif ($node[\'\'tag\'\'] == \'\'KEY\'\') { $node[\'\'value\'\'] = str_replace(\'\'\\'\'\'\', \'\'\\\\'\'\'\', $node[\'\'value\'\']); $entryIndex = $node[\'\'value\'\']; $entryType = \'\'key\'\'; } elseif ($node[\'\'tag\'\'] == \'\'TRANSLATION\'\') { if ($this->outCharset != \'\'utf-8\'\') { $node[\'\'value\'\'] = \ $GLOBALS[\'\'xarMLS_newEncoding\'\']->convert(