影响版本:蓝海豚团购系统

官方网站:

漏洞类型:文件包含、文件上传、文件读取

漏洞描述:

controls/user.class.php 客户操作类


function addgroup_action() //index.php?con=user&act=addgroup   

{    if(!$GLOBALS[session]->get(uid)) //验证是否登录user    {    sheader(url(user,login));    }   

//省略一堆没用东西   

if(submitcheck(commit)) //POST确定    //继续省略   

if(!empty($_POST[thumb_img]))    {    $data[thumb]=http://.str_replace(,,$_POST[thumb_img]);    }    elseif($_FILES[file_img][error]==0)    {    $data[thumb]=_upload(file_img,$GLOBALS[uploaddir]./.date(Y/m));   

//再看_upload    function _upload($upfile,$uploaddir=,$customfile=,$thumbinfo=array())    {    include ROOT_PATH./inc/upload.class.php;    $up=new upload($upfile);   

//再看upload.class.php   

//    if(!defined(IN_PHPUP)) {    exit(Access Denied);    }    class upload    {    var $stuffix=array(image/jpg,image/gif,image/png,image/x-png,"image/pjpeg","image/jpeg","application/x-zip-compressed","application/x-shockwave-flash");   

//省略一堆东西   

//检查文件类型    function checkType()    {    if(!empty($_FILES[$this->handle][type]) && in_array(strtolower($_FILES[$this->handle][type]),$this->stuffix))    {    $this->error.="";    }    else    {    $this->error.="不允许上传的文件类型 ".strtolower($_FILES[$this->handle][type]);    }   

//很强大的检查....... 只比对了 $_FILES[...][type]，而这个 MIME 类型是上传方自报的，服务端并未检查文件内容或后缀，这年头还有上传漏洞真不简单

本地包含漏洞


index.php


$controller=(empty($_REQUEST[con])?index:$_REQUEST[con]);    $action=empty($_REQUEST[act])?index:$_REQUEST[act];    if(!is_file(ROOT_PATH./controls/.$controller..class.php))    {    $controller=index;    $action=index;    }    require(ROOT_PATH./controls/.$controller..class.php);    当然这里又需要什么所谓的截断


文件读取漏洞
email.class.php

function emailcontent_action()    {    if(!empty($_GET[file]))    {    $nefile=$this->emaildir./.$_GET[file]..txt; //限制了后缀    if(is_file($nefile))    {    if(function_exists(file_get_contents))    {    echo file_get_contents($nefile);    else    {    $handle = fopen($nefile, "r");    while (!feof($handle)) {    $buffer = fgets($fd, 46);    echo $buffer;    }    fclose($handle);    这里也需要什么所谓的截断 当然is_file 不知是否可以截断

修复:针对性采取措施——上传校验不要只依赖客户端提交的 $_FILES[...][type]，应按文件内容和白名单后缀判断；con、act 和 file 参数应做白名单校验，不要直接拼入 require 或文件路径。