
Analysis of the Discuz! X Arbitrary File Deletion Vulnerability

2025-01-18 Update From: SLTechnology News&Howtos shulou


Shulou(Shulou.com)06/01 Report--

This article analyzes the Discuz! X arbitrary file deletion vulnerability in detail and is shared here as a reference.

0x00 Background

On September 29th, 2017, Discuz officially pushed an update to Git described as "optimization and enhanced security". 360CERT followed up on this update and confirmed that there is an arbitrary file deletion vulnerability.

0x01 Vulnerability description

The vulnerability was submitted to the Wooyun platform in 2014, and Discuz fixed it specifically. However, 360CERT's analysis of this commit shows that the earlier fix was incomplete, so the patch can be bypassed. After logging in, an attacker can bypass the patch and delete arbitrary files by setting a profile field to the path of the file to delete and then constructing a file upload.

0x02 Vulnerability impact

Scope of impact

Ordinary registered users can delete arbitrary files. After assessment, 360CERT confirms that the risk level of this vulnerability is high.

Affected versions

Discuz! X3.4

Discuz! X3.3

Discuz! X3.2

Discuz! X2.5

Fixed version

Cloud platform Discuz! X

Commit 7d603a197c2717ef1d7e9ba654cf72aa42d3e574

0x03 Vulnerability details

1. Technical details

The patch applied in 2014 can be seen here:

$_G['cache']['profilesetting'][$key]['formtype'] == 'file' validates the formtype of the field.

Yesterday's commit removed a total of five unlink file deletion calls, of which the unlink call on line 228 was the least restricted.

spacecp_profile.php contains file upload handling that uses $upload->get_image_info($attach['target']) to check the uploaded file. If the file is not an image, a continue statement skips it, so the upload must be an image type.

The name of the file to delete, $space[$key], is used without any security processing.

It is enough to save the parameter in an earlier submission: for example, entering ../robots.txt as the file name to delete in the real name field saves realname in the database as ../robots.txt. A later request that uploads a file then triggers the deletion of that file.

0x04 Remediation recommendation

Following the official Git update, completely remove the unlink code in spacecp_profile.php.
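
The shape of the flaw described in section 0x03, next to a hardened delete, as an added example that is not part of the original article or of the Discuz! code base. The function names, the "profile" upload directory and the sandbox files are assumptions made for illustration. The official fix removes the unlink calls outright, so the containment check only applies to code that has to keep a delete.

```php
<?php
// Added illustration, not Discuz! source code. The function names and the
// "profile" upload directory are assumptions made for this example.

// Shape of the flaw: a stored profile value is joined to the upload
// directory and deleted, so "../" in the value leaves that directory.
function delete_old_file_unsafe(string $uploadDir, string $stored): bool
{
    return @unlink($uploadDir . '/' . $stored);
}

// Hardened form for code that must keep a delete: resolve the path first,
// then delete only a regular file located inside the upload directory.
function delete_old_file_safe(string $uploadDir, string $stored): bool
{
    $base = realpath($uploadDir);
    $target = realpath($uploadDir . '/' . $stored);
    if ($base === false || $target === false) {
        return false; // missing directory or file: nothing to delete
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return false; // resolved path escapes the upload directory
    }
    return is_file($target) && unlink($target);
}

// Constructed sandbox under the system temp directory.
$root = sys_get_temp_dir() . '/dz_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/profile', 0700, true);
file_put_contents($root . '/robots.txt', "User-agent: *\n");
file_put_contents($root . '/profile/old.jpg', 'constructed');
$dir = $root . '/profile';

$rows = [
    'safe, stored "../robots.txt"'   => delete_old_file_safe($dir, '../robots.txt'),
    'safe, stored "old.jpg"'         => delete_old_file_safe($dir, 'old.jpg'),
    'unsafe, stored "../robots.txt"' => delete_old_file_unsafe($dir, '../robots.txt'),
];
foreach ($rows as $label => $deleted) {
    echo $label, ': ', $deleted ? 'deleted' : 'refused', "\n";
}
@unlink($root . '/robots.txt'); // clean up the sandbox
rmdir($dir);
rmdir($root);
```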
