WordPress /wp-content/plugins/wp-symposium/server/php/UploadHandler.php Arbitrary File Upload Vulnerability

    Catalog

    1. Vulnerability Description
    2. Trigger Conditions
    3. Affected Scope
    4. Vulnerable Code Analysis
    5. Mitigation
    6. Attack and Defense Considerations

    1. Vulnerability Description

    Relevant Link:
    2. Trigger Conditions
    3. Affected Scope
    4. Vulnerable Code Analysis

    /wp-content/plugins/wp-symposium/server/php/UploadHandler.php

    function __construct($options = null, $initialize = true, $error_messages = null)
    {
        if (isset($_POST['uploader_uid']) && isset($_POST['uploader_url']))
        {
            // Upload directory and URL are read straight from the POST request
            $upload_dir = $_POST['uploader_dir'];
            $upload_url = $_POST['uploader_url'];

            $this->options = array(
                'script_url' => $this->get_full_url().'/',
                'upload_dir' => $upload_dir,
                'upload_url' => $upload_url,
                'user_dirs' => false,
                'mkdir_mode' => 0755,
                'param_name' => 'files',
                // Set the following option to 'POST', if your server does not support
                // DELETE requests. This is a parameter sent to the client:
                'delete_type' => 'DELETE',
                'access_control_allow_origin' => '*',
                'access_control_allow_credentials' => false,
                'access_control_allow_methods' => array(
                    'OPTIONS',
                    'HEAD',
                    'GET',
                    'POST',
                    'PUT',
                    'PATCH',
                    'DELETE'
                ),
                'access_control_allow_headers' => array(
                    'Content-Type',
                    'Content-Range',
                    'Content-Disposition'
                ),
                // Enable to provide file downloads via GET requests to the PHP script:
                'download_via_php' => false,
                // Defines which files can be displayed inline when downloaded:
                'inline_file_types' => '/\.(mp4|zip|doc|docx|ppt|pptx|xls|xlsx|txt|pdf|gif|jpe?g|png)$/i',
                // Files with any extension are accepted; this is the root cause of the vulnerability
                'accept_file_types' => '/.+$/i',
                ..


    5. Mitigation

    /wp-content/plugins/wp-symposium/server/php/UploadHandler.php

    ..
    // Enable to provide file downloads via GET requests to the PHP script:
    'download_via_php' => false,
    // Defines which files can be displayed inline when downloaded:
    'inline_file_types' => '/\.(mp4|zip|doc|docx|ppt|pptx|xls|xlsx|txt|pdf|gif|jpe?g|png)$/i',
    // Fix: replace the catch-all pattern with a whitelist of allowed extensions
    'accept_file_types' => '/\.(mp4|doc|docx|ppt|pptx|xls|xlsx|txt|pdf|gif|jpe?g|png)$/i',
    ..
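    To see what the whitelist changes, the following is an added example (not the plugin's or jQuery-File-Upload's own code) that applies accept_file_types the way UploadHandler::validate() does, with preg_match against the uploaded file name; the sample file names are constructed, and the third pattern is included only to show why the backslash before the dot matters.

```php
<?php
// Added example, not the plugin's code: applies accept_file_types the way
// UploadHandler::validate() does (preg_match on the file name) so the effect
// of the patched pattern can be checked against sample names.

// Pattern shipped in the vulnerable plugin: any non-empty file name passes.
const ACCEPT_VULNERABLE = '/.+$/i';
// Whitelist from the fix; the escaped dot requires a real extension separator.
const ACCEPT_FIXED = '/\.(mp4|doc|docx|ppt|pptx|xls|xlsx|txt|pdf|gif|jpe?g|png)$/i';
// Same whitelist with the dot left unescaped: '.' then matches any character.
const ACCEPT_UNESCAPED_DOT = '/.(mp4|doc|docx|ppt|pptx|xls|xlsx|txt|pdf|gif|jpe?g|png)$/i';

// Mirror of the validate() step: the upload is refused unless the name matches.
function is_accepted(string $filename, string $acceptPattern): bool
{
    return preg_match($acceptPattern, $filename) === 1;
}

// Constructed sample names: ordinary uploads, a server-side script, a script
// hidden behind a second dot, and a name with no extension separator at all.
$samples = ['photo.jpg', 'report.PDF', 'upload.php', 'notes.txt.php', 'xpng'];

printf("%-14s %-11s %-11s %s\n", 'filename', 'vulnerable', 'fixed', 'unescaped');
foreach ($samples as $name) {
    printf("%-14s %-11s %-11s %s\n",
        $name,
        is_accepted($name, ACCEPT_VULNERABLE) ? 'accepted' : 'rejected',
        is_accepted($name, ACCEPT_FIXED) ? 'accepted' : 'rejected',
        is_accepted($name, ACCEPT_UNESCAPED_DOT) ? 'accepted' : 'rejected');
}
// Expected: the vulnerable pattern accepts every name; the fixed pattern accepts
// only photo.jpg and report.PDF; the unescaped variant additionally accepts xpng.
```

    The check looks only at the file name, not the content, so it should be paired with an upload directory the web server is configured not to execute scripts from.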


    6. Attack and Defense Considerations

    Copyright (c) 2015 LittleHann All rights reserved

    Original article: https://www.cnblogs.com/LittleHann/p/4806619.html