mamicode.com

wordpress /wp-content/plugins/wp-symposium/server/php/UploadHandler.php File Arbitrary Upload Vul

Time: 2015-09-14 12:02:19      Reads: 235      Comments: 0      Favorites: 0


Catalog

1. Vulnerability description
2. Trigger conditions
3. Affected scope
4. Code analysis
5. Defense
6. Offense and defense thoughts


1. Vulnerability description

Relevant Link:
2. Trigger conditions
3. Affected scope
4. Code analysis

/wp-content/plugins/wp-symposium/server/php/UploadHandler.php

function __construct($options = null, $initialize = true, $error_messages = null) 
{ 
    if (isset($_POST['uploader_uid']) && isset($_POST['uploader_url'])) 
    {
        // Upload directory and URL are taken straight from the request body, without validation
        $upload_dir = $_POST['uploader_dir'];
        $upload_url = $_POST['uploader_url'];

        $this->options = array(
        'script_url' => $this->get_full_url().'/',
        'upload_dir' => $upload_dir,
        'upload_url' => $upload_url,
        'user_dirs' => false,
        'mkdir_mode' => 0755,
        'param_name' => 'files',
        // Set the following option to 'POST', if your server does not support
        // DELETE requests. This is a parameter sent to the client:
        'delete_type' => 'DELETE',
        'access_control_allow_origin' => '*',
        'access_control_allow_credentials' => false,
        'access_control_allow_methods' => array(
            'OPTIONS',
            'HEAD',
            'GET',
            'POST',
            'PUT',
            'PATCH',
            'DELETE'
        ),
        'access_control_allow_headers' => array(
            'Content-Type',
            'Content-Range',
            'Content-Disposition'
        ),
        // Enable to provide file downloads via GET requests to the PHP script:
        'download_via_php' => false,
        // Defines which files can be displayed inline when downloaded:
        'inline_file_types' => '/\.(mp4|zip|doc|docx|ppt|pptx|xls|xlsx|txt|pdf|gif|jpe?g|png)$/i',
        // Files with any extension are accepted; this is the root cause of the vulnerability
        'accept_file_types' => '/.+$/i',
        ..


5. Defense

/wp-content/plugins/wp-symposium/server/php/UploadHandler.php

..
// Enable to provide file downloads via GET requests to the PHP script:
'download_via_php' => false,
// Defines which files can be displayed inline when downloaded:
'inline_file_types' => '/\.(mp4|zip|doc|docx|ppt|pptx|xls|xlsx|txt|pdf|gif|jpe?g|png)$/i',
/**/
// Replace the catch-all pattern with an allow-list of extensions (dot escaped, anchored at the end of the name)
'accept_file_types' => '/\.(mp4|doc|docx|ppt|pptx|xls|xlsx|txt|pdf|gif|jpe?g|png)$/i', 
/**/
..
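The fix above narrows accept_file_types, but the constructor also takes upload_dir and upload_url straight from $_POST. The following added example (not the plugin's code; resolve_upload_destination() and the directory layout are hypothetical) shows the checks a hardened handler would apply: the escaped, anchored allow-list regex, basename() on the client-supplied name, and confinement of the target directory to a server-chosen base.

```php
<?php
// Added example, not code from WP Symposium: the server-side checks that the
// vulnerable constructor above lacks. resolve_upload_destination() is hypothetical.
// Extension allow-list: dot escaped and anchored at the end of the file name.
const ACCEPT_FILE_TYPES = '/\.(mp4|doc|docx|ppt|pptx|xls|xlsx|txt|pdf|gif|jpe?g|png)$/i';
/**
 * Return the absolute path an upload may be written to, or null if rejected.
 * $base comes from server configuration and $subdir from the authenticated
 * session; neither is read from $_POST the way uploader_dir/uploader_url were.
 */
function resolve_upload_destination(string $base, string $subdir, string $client_name): ?string
{
    // basename() discards any directory components the client put in the name.
    $name = basename($client_name);
    if ($name === '' || $name === '.' || $name === '..') {
        return null;
    }
    // Reject anything outside the allow-list, so server-side script types never pass.
    if (!preg_match(ACCEPT_FILE_TYPES, $name)) {
        return null;
    }
    // Resolve symlinks and ".." and confirm the directory is still under $base.
    $base_real = realpath($base);
    $dir_real  = realpath($base . '/' . $subdir);
    if ($base_real === false || $dir_real === false) {
        return null;
    }
    if ($dir_real !== $base_real && strpos($dir_real, $base_real . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $dir_real . DIRECTORY_SEPARATOR . $name;
}

// Constructed demo: a throwaway base directory with one per-user sub-directory.
$base = sys_get_temp_dir() . '/symposium_demo_' . getmypid();
mkdir($base . '/user42', 0755, true);

$cases = [
    ['user42', 'photo.jpg'],        // accepted
    ['user42', 'page.php'],         // rejected: extension not in the allow-list
    ['user42', '../../x.png'],      // accepted as x.png inside user42 (path part dropped)
    ['../..',  'notes.txt'],        // rejected: directory resolves outside $base
];
foreach ($cases as [$subdir, $file]) {
    $dest = resolve_upload_destination($base, $subdir, $file);
    printf("%-8s %-14s -> %s\n", $subdir, $file, $dest ?? 'REJECTED');
}
rmdir($base . '/user42');
rmdir($base);
```

Matching the file name is necessary but not sufficient: the upload directory should also be served with script execution disabled, and the file content checked against what its extension claims.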


6. Offense and defense thoughts

Copyright (c) 2015 LittleHann All rights reserved


Original URL: http://www.cnblogs.com/LittleHann/p/4806619.html
