該程序的
/home/ecccs/web/5107/upload/uploadFlash.php
文件存在嚴重的邏輯錯誤!
導致漏洞產(chǎn)生!
以上大型網(wǎng)站的客服系統(tǒng)全部可以通過此漏洞獲取管理權(quán)限!
< ?php
/**
* uploadFlash.php
* Flash文件上傳.
*/
require_once('../global.inc.php');
//operateId=1 上傳,operateId=2 www.2cto.com 獲取地址.
$operateId = intval($_REQUEST['operateId']);
if(empty($operateId)) exit;
if($operateId == 1){
$date = date("Ymd");
$dest = $CONFIG->basePath."data/files/".$date."/";
$COMMON->createDir($dest);
//if (!is_dir($dest)) mkdir($dest, 0777);
$nameExt = strtolower($COMMON->getFileExtName($_FILES['Filedata']['name']));
$allowedType = array('jpg', 'gif', 'bmp', 'png', 'jpeg');
if(!in_array($nameExt, $allowedType)){
$msg = 0;
}
if(empty($msg)){
$filename = getmicrotime().'.'.$nameExt;
$file_url = urlencode($CONFIG->baseUrl.'data/files/'.$date."/".$filename);
$filename = $dest.$filename;
if(empty($_FILES['Filedata']['error'])){
move_uploaded_file($_FILES['Filedata']['tmp_name'],$filename);
}
if (file_exists($filename)){
//$msg = 1;
$msg = $file_url;
@chmod($filename, 0444);
}else{
$msg = 0;
}
}
$outMsg = "fileUrl=".$msg;
$_SESSION["eoutmsg"] = $outMsg;
exit;
}else if($operateId == 2){
$outMsg = $_SESSION["eoutmsg"];
if(!empty($outMsg)){
session_unregister("eoutmsg");
echo '&'.$outMsg;
exit;
}else{
echo "&fileUrl=0";
exit;
}
}
function getmicrotime(){
list($usec, $sec) = explode(" ",microtime());
return ((float)$usec + (float)$sec);
}
?>
修復方案:
速度聯(lián)系用友升級吧.這套系統(tǒng)里不是只有這么一個問題.我記得還有一個.臨時找不到了.你們自己挖吧.