由于Discuz!的admin\runwizard.inc.php里saverunwizardhistory()写文件操作没有限制导致执行代码漏洞. 在文件admin\runwizard.inc.php里代码: $runwizardhistory = array(); $runwizardfile = DISCUZ_ROOT.'./forumdata/logs/runwizardlog.php'; if($fp = @fopen($runwizardfile, 'r')) { $runwizardhistory = @unserialize(fread($fp, 99999)); fclose($fp); } ....... if(submitcheck('step1submit')) { $runwizardhistory['step1']['size'] = $size; $runwizardhistory['step1']['safe'] = $safe; $runwizardhistory['step1']['func'] = $func; saverunwizardhistory(); } ........ function saverunwizardhistory() { global $runwizardfile, $runwizardhistory; $fp = fopen($runwizardfile, 'w'); fwrite($fp, serialize($runwizardhistory)); fclose($fp); } 上面代码可以看出来当有后台权限时,可以直接得到webshell.如果结合xss[如:SODB-2008-01,SODB-2008-02..等] crsf[如:SODB-2008-03]等漏洞,可以直接通过admin身份远程写入webshell执行代码. 2008-10 今天发布的dz7 bt版本[1]已经fix这个漏洞了: function saverunwizardhistory() { global $runwizardfile, $runwizardhistory; $fp = fopen($runwizardfile, 'w'); $s = '<?php exit;?>'; $s .=...
由于Discuz!的admin\runwizard.inc.php里saverunwizardhistory()写文件操作没有限制导致执行代码漏洞. 在文件admin\runwizard.inc.php里代码: $runwizardhistory = array(); $runwizardfile = DISCUZ_ROOT.'./forumdata/logs/runwizardlog.php'; if($fp = @fopen($runwizardfile, 'r')) { $runwizardhistory = @unserialize(fread($fp, 99999)); fclose($fp); } ....... if(submitcheck('step1submit')) { $runwizardhistory['step1']['size'] = $size; $runwizardhistory['step1']['safe'] = $safe; $runwizardhistory['step1']['func'] = $func; saverunwizardhistory(); } ........ function saverunwizardhistory() { global $runwizardfile, $runwizardhistory; $fp = fopen($runwizardfile, 'w'); fwrite($fp, serialize($runwizardhistory)); fclose($fp); } 上面代码可以看出来当有后台权限时,可以直接得到webshell.如果结合xss[如:SODB-2008-01,SODB-2008-02..等] crsf[如:SODB-2008-03]等漏洞,可以直接通过admin身份远程写入webshell执行代码. 2008-10 今天发布的dz7 bt版本[1]已经fix这个漏洞了: function saverunwizardhistory() { global $runwizardfile, $runwizardhistory; $fp = fopen($runwizardfile, 'w'); $s = '<?php exit;?>'; $s .= serialize($runwizardhistory); fwrite($fp, $s); fclose($fp); } [1]:<a href=http://download.comsenz.com/Discuz/7.0.0Beta/Discuz_7_Beta_SC_GBK.zip target=_blank>http://download.comsenz.com/Discuz/7.0.0Beta/Discuz_7_Beta_SC_GBK.zip</a>
