O-blog2.0.3的编辑器存在一个文件浏览漏洞,存在漏洞文件在于whizzylink.php和whizzypic.php,不过前一个可以浏览任意文件和目录,后一个只能浏览目录和图片,并能查看图片<br />
<br />
$docpath = $_REQUEST['d'];<br />
$extensions = $_REQUEST['x'] ? '/(' . $_REQUEST['x'] .')$/i' : '/\.(html|pdf|txt)$/i';<br />
$d = $_SERVER['DOCUMENT_ROOT'] . '/' . $docpath;<br />
$d = str_replace('//','/',$d);<br />
$dir = opendir($d);<br />
while ($file = readdir($dir)){<br />
$files[] = $file;<br />
}<br />
closedir($dir);<br />
usort($files, "insensitive"); //see function insensitive($a, $b)<br />
foreach ($files as $filename) {<br />
$filepath = "$d/$filename";<br />
$fsize = sprintf("%u", filesize($filepath)); //filesizes over 2Mb won't fit in an int so we unsign it<br />
$modtime = date ("d F Y H:i:s", filemtime($filepath)); //mtime is unix timestamp<br />
$tip = " Size: $fsize <br>Updated: $modtime ";<br />
if (is_dir($filepath) && $docpath) { //it's a directory<br />
if ($filename == '.'){ //current directory<br />
$dlist .= "<img src='/btn/dir.png'> $docpath ";<br />
} else if ($filename == '..') { //parent directory<br />
if($docpath) { //we're in a sub directory - no Up from root<br />
$updir = substr($docpath,0,strrpos($docpath,'/'));<br />
$dlist .= "<img src='/btn/back.png'><a href='$self?d=$updir'>Up</a>/<br>";<br />
}<br />
} else {<br />
$docpath = str_replace($_SERVER['DOCUMENT_ROOT'], "", $d);<br />
$dlist .= "<div style='float:left;width:20em'><img src='/btn/dir.png'><a href='$self?d=$docpath/$filename'>$filename</a></div>"; <br />
}<br />
} else if (preg_match($extensions,$filename) ) {<br />
$flist .= "<div style='float:left;width:20em'><a href='#' onclick='WantThis(\"$docpath/$filename\")'>$filename</a></div>";<br />
bo-blog2.0.3
<a href="http://www.bo-blog.com" target="_blank">http://www.bo-blog.com</a>
京公网安备 11010502034610号
暂无评论