YXcms最新版任意文件删除漏洞

### 简要描述： YXcms最新版可以删除任意文件 ### 详细说明： 问题文件： \YXcms1.2.4\protected\apps\member\controller\inforController.php ``` public function index() { if(!$this->isPost()){ $auth=$this->auth; $id=$auth['id']; $info=model('members')->find("id='{$id}'"); $this->info=$info; $this->path=__ROOT__.'https://images.seebug.org/upload/member/image/'; $this->twidth=config('HEAD_W'); $this->theight=config('HEAD_H'); $this->display(); }else{ $id=intval($_POST['id']); $data['nickname']=in(trim($_POST['nickname'])); $acc=model('members')->find("id!='{$id}' AND nickname='".$data['nickname']."'"); if(!empty($acc['nickname'])) $this->error('该昵称已经有人使用~'); if (empty($_FILES['headpic']['name']) === false){ $tfile=date("Ymd"); $imgupload= $this->upload($this->uploadpath.$tfile.'/',config('imgupSize'),'jpg,bmp,gif,png'); $imgupload->saveRule='thumb_'.time(); $imgupload->upload(); $fileinfo=$imgupload->getUploadFileInfo(); $errorinfo=$imgupload->getErrorMsg(); if(!empty($errorinfo)) $this->alert($errorinfo); else{ if(!empty($_POST['oldheadpic'])){ //只要post表单中存在oldheadpic参数，就会执行删除老图像 $picpath=$this->uploadpath.$_POST['oldheadpic']; if(file_exists($picpath)) @unlink($picpath); //可修改oldheadpic的值，删除任意文件 } $data['headpic']=$tfile.'/'.$fileinfo[0]['savename']; } } ``` ### 漏洞证明： 修改参数为网站中的一个文件1.txt [<img src="https://images.seebug.org/upload/201406/0415410400395bf61d7b1dfe49ce881f36229e83.jpg" alt="3.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201406/0415410400395bf61d7b1dfe49ce881f36229e83.jpg) 成功删除 [<img src="https://images.seebug.org/upload/201406/0415411623e3e564282fe343862ce53840a3b095.jpg" alt="4.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201406/0415411623e3e564282fe343862ce53840a3b095.jpg)