Several SQL injection and file upload vulnerabilities #87
Comments
|
Thank you for you report. about keyword in "HistoryController::getList", I add this line $keyword = addslashes($keyword);about HistoryController::getByConditions, I add this $where .= "`".addslashes($key)."`='".addslashes($val)."' AND ";about PicUploader/settings/dispatch.php, I don't know how to modify it. about HistoryModel.php::createOne, I add this foreach($data as &$val){
$val = addslashes($val);
}about SettingController::uploadFile, I add this if ($ext == ".php"){
return false;
}about index.php I add this $ext = mb_substr($files['name'][$key], strrpos($files['name'][$key], '.'));
if (strtolower($ext) == '.php'){
continue;
}and this $ext = mb_substr($files['name'], strrpos($files['name'], '.'));
if (strtolower($ext) != '.php'){
if(move_uploaded_file($tmp_name, $dest)){
$argv[] = $dest;
}
}add also add this in dashboard.js if (file.name.lastIndexOf(".php") > -1) {
setTimeout(function () {
// means not allow uploading php file
alert("不允许上传php文件")
}, 500)
setTimeout(function () {
$(".un-uploaded").remove()
}, 1000)
return false
}
|
|
Hi, simply prohibiting .php cannot fully solve the file upload vulnerability, as some servers also support parsing extensions like .phtml, .php5, .pht, etc. If possible, it's best to set a whitelist for file extensions. |
|
Actually this tool is for personal use, if you use on local machine, you don't need to worry about what file you're uploading. If you deploy it on remote server, you need to set a HTTP Authentication in nginx config use this command to generate htpasswd we visit our Picuploader through domain, and Picuploader is behind nginx, user cannot visit Picuploader directly, and actually the user is yourself too(only yourself), because this tool is designed for personal use, so you don't need to worry about what type of file you're uploading, attackers can not visit your Picuploader, so even if you upload a php file, attackers still can't visit it. |
|
Hi, thanks for your reply. I understand your point, but I think these vulnerabilities are worth addressing. Even if PicUploader is deployed on a local machine, attackers could potentially exploit these vulnerabilities to gain access to the user's computer when they are on the same internal network. Of course, this depends on how users configure their web servers on their local machines, but there is indeed a certain level of risk. Even if users enable authentication on nginx, they may set weak passwords, leading to similar risks. |
Hi, I would like to report some serious security vulnerabilities.
SQL Injection
HistoryController::getListPicUploader/settings/HistoryController.php
Line 107 in 2ef5b21
The variable
$keywordis directly controlled by$_GET['keyword'], which allows an attacker to inject SQL statements.HistoryController::getByConditionsPicUploader/settings/HistoryController.php
Line 189 in 2ef5b21
The variables
$keyand$valcome from the parameter$conditionArr, and users can control the values of this parameter throughPicUploader/settings/dispatch.php
Line 30 in 2ef5b21
HistoryModel.php::createOnePicUploader/settings/HistoryModel.php
Line 31 in 2ef5b21
Similar to the previous one, Users can control
$datathroughPicUploader/settings/dispatch.php
Line 30 in 2ef5b21
File Upload
SettingController::uploadFilePicUploader/settings/SettingController.php
Line 456 in 2ef5b21
The type of file extension for uploads is not restricted, and the path after uploading is directly returned to the user. Attackers can upload malicious PHP files.
index.php
PicUploader/index.php
Line 97 in 2ef5b21
There is also no restriction on the file extension of the uploaded files. Although the temporary file will be deleted later, attackers can access the uploaded malicious PHP file through race conditions.
The text was updated successfully, but these errors were encountered: