### Brief description:

Vulnerability submitted by 360; the official fix is not rigorous.

### Details:

http://bbs.webscan.360.cn/forum.php?mod=viewthread&tid=8613&extra=page%3D1

Before the fix:

![t01e585264ecda97929.png](https://images.seebug.org/upload/201305/2620592953d2008f856729d04991be8fac9d796d.png)

After the fix (\core\api\shop_api.php):

```php
if ( isset($_REQUEST['appname']) ) {
    // only this branch sanitises the app name
    $appName = preg_replace('/[^a-z0-1_~]/i', '', $_REQUEST['appname']);
} elseif ( strpos($apiAct, ':') > 0 ) { // request plugin api
    // $appName is taken from $apiAct here without any filtering
    list($appName, $apiAct) = explode(':', $apiAct);
} elseif ( 0 === strpos($apiAct, 'shopex_') ) { // special case for "Goods Assistant"
    $appName = 'goodsassistant';
}
if ( $appName && file_exists(PLUGIN_DIR."/app/{$appName}/api/api_link.php") ) {
    $APIs = include PLUGIN_DIR."/app/{$appName}/api/api_link.php";
} else { // request traditional api
    $APIs = include CORE_DIR.'/api/include/api_link.php';
}
```

At first glance `$appName = preg_replace('/[^a-z0-1_~]/i', '', $_REQUEST['appname']);` has filtered the input, but look further down: `list($appName, $apiAct) = explode(':', $apiAct);` lets `$appName` be assigned through the variable `$apiAct` instead.

### Proof of vulnerability:

Add `die($appName);` for testing and look at http://127.0.0.1/api.php?act=<controllable path>:cc

![2013-05-26_210545.jpg](https://images.seebug.org/upload/201305/262105536dee45efb442e93427f206f6e9645fad.jpg)

There is still a `file_exists` check afterwards, so the impact is mainly on shared virtual hosts serving multiple domains.
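One way to close the gap, as an added example that is not ShopEx's own code: keep the same three branches, but validate `$appName` once after all of them (rejecting instead of stripping) and confirm the resolved include path still lives under the plugin directory. `PLUGIN_DIR`, `CORE_DIR` and `$_REQUEST['act']` feeding `$apiAct` are assumptions taken from the snippet and PoC above.

```php
<?php
// Added example (not the project's code): validate the app name after every
// branch that can set it, so the explode(':', $apiAct) path cannot bypass it.
// Assumes PLUGIN_DIR and CORE_DIR are defined by the application.

function resolveAppName(array $request, string &$apiAct): ?string
{
    $appName = null;
    if (isset($request['appname'])) {
        $appName = $request['appname'];
    } elseif (strpos($apiAct, ':') > 0) {           // request plugin api
        list($appName, $apiAct) = explode(':', $apiAct);
    } elseif (0 === strpos($apiAct, 'shopex_')) {   // "Goods Assistant" case
        $appName = 'goodsassistant';
    }
    if ($appName === null) {
        return null;
    }
    // Reject anything outside the allow-list, whichever branch produced it.
    if (!preg_match('/^[a-z0-9_]{1,64}$/i', $appName)) {
        return null;
    }
    return $appName;
}

function pluginApiLinkPath(?string $appName): ?string
{
    if ($appName === null) {
        return null;
    }
    $base = realpath(PLUGIN_DIR . '/app');
    $path = realpath(PLUGIN_DIR . "/app/{$appName}/api/api_link.php");
    // Second line of defence: the resolved file must be inside the plugin dir.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

$apiAct  = $_REQUEST['act'] ?? '';                  // assumed source of $apiAct
$appName = resolveAppName($_REQUEST, $apiAct);
$apiLink = pluginApiLinkPath($appName);
if ($apiLink !== null) {
    $APIs = include $apiLink;
} else {                                            // request traditional api
    $APIs = include CORE_DIR . '/api/include/api_link.php';
}
```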