O-blog2.0.3的编辑器存在一个文件浏览漏洞,存在漏洞文件在于whizzylink.php和whizzypic.php,不过前一个可以浏览任意文件和目录,后一个只能浏览目录和图片,并能查看图片<br /> <br /> $docpath = $_REQUEST['d'];<br /> $extensions = $_REQUEST['x'] ? '/(' . $_REQUEST['x'] .')$/i' : '/\.(html|pdf|txt)$/i';<br /> $d = $_SERVER['DOCUMENT_ROOT'] . '/' . $docpath;<br /> $d = str_replace('//','/',$d);<br /> $dir = opendir($d);<br /> while ($file = readdir($dir)){<br /> $files[] = $file;<br /> }<br /> closedir($dir);<br /> usort($files, "insensitive"); //see function insensitive($a, $b)<br /> foreach ($files as $filename) {<br /> $filepath = "$d/$filename";<br /> $fsize = sprintf("%u", filesize($filepath)); //filesizes over 2Mb won't fit in an int so we unsign it<br /> $modtime = date ("d F Y H:i:s", filemtime($filepath)); //mtime is unix timestamp<br /> $tip = " Size: $fsize <br>Updated: $modtime ";<br />...
O-blog2.0.3的编辑器存在一个文件浏览漏洞,存在漏洞文件在于whizzylink.php和whizzypic.php,不过前一个可以浏览任意文件和目录,后一个只能浏览目录和图片,并能查看图片<br /> <br /> $docpath = $_REQUEST['d'];<br /> $extensions = $_REQUEST['x'] ? '/(' . $_REQUEST['x'] .')$/i' : '/\.(html|pdf|txt)$/i';<br /> $d = $_SERVER['DOCUMENT_ROOT'] . '/' . $docpath;<br /> $d = str_replace('//','/',$d);<br /> $dir = opendir($d);<br /> while ($file = readdir($dir)){<br /> $files[] = $file;<br /> }<br /> closedir($dir);<br /> usort($files, "insensitive"); //see function insensitive($a, $b)<br /> foreach ($files as $filename) {<br /> $filepath = "$d/$filename";<br /> $fsize = sprintf("%u", filesize($filepath)); //filesizes over 2Mb won't fit in an int so we unsign it<br /> $modtime = date ("d F Y H:i:s", filemtime($filepath)); //mtime is unix timestamp<br /> $tip = " Size: $fsize <br>Updated: $modtime ";<br /> if (is_dir($filepath) && $docpath) { //it's a directory<br /> if ($filename == '.'){ //current directory<br /> $dlist .= "<img src='/btn/dir.png'> $docpath ";<br /> } else if ($filename == '..') { //parent directory<br /> if($docpath) { //we're in a sub directory - no Up from root<br /> $updir = substr($docpath,0,strrpos($docpath,'/'));<br /> $dlist .= "<img src='/btn/back.png'><a href='$self?d=$updir'>Up</a>/<br>";<br /> }<br /> } else {<br /> $docpath = str_replace($_SERVER['DOCUMENT_ROOT'], "", $d);<br /> $dlist .= "<div style='float:left;width:20em'><img src='/btn/dir.png'><a href='$self?d=$docpath/$filename'>$filename</a></div>"; <br /> }<br /> } else if (preg_match($extensions,$filename) ) {<br /> $flist .= "<div style='float:left;width:20em'><a href='#' onclick='WantThis(\"$docpath/$filename\")'>$filename</a></div>";<br /> bo-blog2.0.3 <a href="http://www.bo-blog.com" target="_blank">http://www.bo-blog.com</a>
