由于文件/plugin.php对于用户提交的变量未过滤,导致本地文件包含漏洞的产生。 相关代码如下: 文件plugin.php <code> if(isset($_GET['id'])) { list($identification, $filename,$action) = explode('-', $_GET['id']); $filename = !empty($filename) ? $filename : $identification; $action = !empty($action) ? $action : 'init'; } $cache = getcache($identification,'plugins'); </code> 变量$identification的值来源于$_GET['id'],并进入函数getcache中 Getcache函数在文件/ phpcms/libs/functions/ global.func.php中 <code> function getcache($name, $filepath='', $type='file', $config='') { pc_base::load_sys_class('cache_factory','',0); if($config) { $cacheconfig = pc_base::load_config('cache'); $cache = cache_factory::get_instance($cacheconfig)->get_cache($config); } else { $cache = cache_factory::get_instance()->get_cache($type); } return $cache->get($name, '', '', $filepath); } $cache->get()在文件/phpcms/libs/classes/cache_file.class.php public function get($name, $setting = '', $type = 'data', $module = ROUTE_M) { $this->get_setting($setting); if(empty($type)) $type =...
由于文件/plugin.php对于用户提交的变量未过滤,导致本地文件包含漏洞的产生。 相关代码如下: 文件plugin.php <code> if(isset($_GET['id'])) { list($identification, $filename,$action) = explode('-', $_GET['id']); $filename = !empty($filename) ? $filename : $identification; $action = !empty($action) ? $action : 'init'; } $cache = getcache($identification,'plugins'); </code> 变量$identification的值来源于$_GET['id'],并进入函数getcache中 Getcache函数在文件/ phpcms/libs/functions/ global.func.php中 <code> function getcache($name, $filepath='', $type='file', $config='') { pc_base::load_sys_class('cache_factory','',0); if($config) { $cacheconfig = pc_base::load_config('cache'); $cache = cache_factory::get_instance($cacheconfig)->get_cache($config); } else { $cache = cache_factory::get_instance()->get_cache($type); } return $cache->get($name, '', '', $filepath); } $cache->get()在文件/phpcms/libs/classes/cache_file.class.php public function get($name, $setting = '', $type = 'data', $module = ROUTE_M) { $this->get_setting($setting); if(empty($type)) $type = 'data'; if(empty($module)) $module = ROUTE_M; $filepath = CACHE_PATH.'caches_'.$module.'/caches_'.$type.'/'; $filename = $name.$this->_setting['suf']; if (!file_exists($filepath.$filename)) { return false; } else { if($this->_setting['type'] == 'array') { $data = @require($filepath.$filename); </code> 最终$_GET['id']变量变为$filename的一部分 由于文件/plugin.php对于用户提交的变量未过滤,导致本地文件包含漏洞的产生。 相关代码如下: 文件plugin.php <pre class="prettyprint linenums"> if(isset($_GET['id'])) { list($identification, $filename,$action) = explode('-', $_GET['id']); $filename = !empty($filename) ? $filename : $identification; $action = !empty($action) ? $action : 'init'; } $cache = getcache($identification,'plugins'); </pre> 变量$identification的值来源于$_GET['id'],并进入函数getcache中 Getcache函数在文件/ phpcms/libs/functions/ global.func.php中 <pre class="prettyprint linenums"> function getcache($name, $filepath='', $type='file', $config='') { pc_base::load_sys_class('cache_factory','',0); if($config) { $cacheconfig = pc_base::load_config('cache'); $cache = cache_factory::get_instance($cacheconfig)->get_cache($config); } else { $cache = cache_factory::get_instance()->get_cache($type); } return $cache->get($name, '', '', $filepath); } $cache->get()在文件/phpcms/libs/classes/cache_file.class.php public function get($name, $setting = '', $type = 'data', $module = ROUTE_M) { $this->get_setting($setting); if(empty($type)) $type = 'data'; if(empty($module)) $module = ROUTE_M; $filepath = CACHE_PATH.'caches_'.$module.'/caches_'.$type.'/'; $filename = $name.$this->_setting['suf']; if (!file_exists($filepath.$filename)) { return false; } else { if($this->_setting['type'] == 'array') { $data = @require($filepath.$filename); </pre> 最终$_GET['id']变量变为$filename的一部分 PHPCMS V9.1.8 (20111014) 厂商补丁: PHPCMS ------- 目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本: http://www.phpcms.cn/
