Anymacro Mail System Arbitrary File Download Vulnerability (Login Required)

Published: 2025-04-13
Revised: 2025-04-13

### Brief description:

### Detailed description:

In mailattrFw.php:

```php
<?php
require_once "config/config.php";
require_once "include/template.php";
require_once "include/func.php";
require_once 'include/right.php';
require_once 'include/func_login.php';
require_once "include/auth.php";
require_once "include/any_func.php";
header('Content-type: image/jpeg'); // output as an image
echo file_get_contents($SESSION['maildir']."/tmp/".$F_cid);
// $SESSION['maildir'] is a fixed value; $F_cid is taken from the client request
?>
```

`$F_cid` is attacker-controlled: it comes straight from the client request and is concatenated into the path with no sanitisation, so `../` sequences traverse out of the `tmp/` attachment directory and `file_get_contents()` returns any file the web server process can read. The included `auth.php` means the request must come from a logged-in mailbox session, hence "login required" in the title.

By default `$SESSION['maildir']` has the form `/mail/xxx.com/xxx/Maildir/`. Setting `$F_cid` to `../../../../../etc/passwd` makes the script return the contents of `/etc/passwd`. Because the response is sent with `Content-type: image/jpeg`, a browser will show a broken image; save the response body or view it as raw bytes to see the file.

[Screenshot: /etc/passwd returned by mailattrFw.php](https://images.seebug.org/upload/201405/19093256e28cf0cf89fdd8f679741e023613851f.jpg)

### Proof of vulnerability:

See the screenshot above.
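The fix is to treat `$F_cid` as an opaque identifier rather than a path fragment. The following is an added example written for this page, not Anymacro's own code: it assumes the same two inputs as mailattrFw.php (a per-session Maildir path and a client-supplied cid) and replaces the unchecked concatenation with an allowlist on the identifier plus a `realpath()` containment check, which also refuses symlinks planted inside `tmp/`. The demo Maildir and attachment are constructed at run time under the system temp directory.

```php
<?php
// Added example (not Anymacro's code): hardened replacement for
//   echo file_get_contents($SESSION['maildir']."/tmp/".$F_cid);
// Assumes $maildir is the per-session Maildir path and $cid the client value.

/**
 * Return the absolute path of the attachment $cid inside <maildir>/tmp/, or
 * null if the request must be refused. Two independent checks:
 *   1. a strict allowlist on the identifier (single path component only);
 *   2. realpath() containment, so the resolved file must live under tmp/
 *      even if a symlink or an odd filesystem would otherwise escape it.
 */
function safe_attachment_path(string $maildir, string $cid): ?string
{
    // 1. A cid is one path component: letters, digits, dot, dash, underscore.
    //    This rejects "/", "\", "%", NUL bytes and any other traversal vector.
    if (!preg_match('/\A[A-Za-z0-9._-]{1,128}\z/', $cid)
        || $cid === '.' || $cid === '..') {
        return null;
    }

    // 2. Resolve both sides and require the file to be below <maildir>/tmp/.
    $base = realpath($maildir . '/tmp');
    $path = realpath($maildir . '/tmp/' . $cid);
    if ($base === false || $path === false) {
        return null;              // tmp/ missing, or the attachment does not exist
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;              // resolved outside the attachment directory
    }
    return $path;
}

// --- Demo with a constructed Maildir (assumption: nothing here is from the product) ---
$maildir = sys_get_temp_dir() . '/maildir_demo_' . getmypid();
mkdir($maildir . '/tmp', 0700, true);
file_put_contents($maildir . '/tmp/att1.jpg', "\xFF\xD8demo");

$cases = [
    'att1.jpg',                     // legitimate cid            -> OK
    '../../../../../etc/passwd',    // traversal from the advisory -> REFUSED (allowlist)
    '..%2F..%2Fetc%2Fpasswd',       // URL-encoded variant       -> REFUSED (allowlist)
    'missing.jpg',                  // well-formed but absent    -> REFUSED (realpath false)
];
foreach ($cases as $cid) {
    $p = safe_attachment_path($maildir, $cid);
    printf("%-28s => %s\n", $cid, $p === null ? 'REFUSED' : 'OK ' . $p);
}

// Serving the file, as mailattrFw.php does, would then be:
//   $p = safe_attachment_path($_SESSION['maildir'], $_GET['cid']);  // assumed parameter names
//   if ($p === null) { http_response_code(404); exit; }
//   header('Content-type: image/jpeg');
//   readfile($p);

// Clean up the demo directory.
unlink($maildir . '/tmp/att1.jpg');
rmdir($maildir . '/tmp');
rmdir($maildir);
```

The allowlist alone would already stop the `../../../../../etc/passwd` payload from the advisory; the `realpath()` check is kept as a second layer because it catches cases the regex cannot see, such as a symlink written into `tmp/` by another bug. Returning 404 rather than an error message avoids confirming which cids exist.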
