Molyx Board Original Code Leak Vulnerability

xiaoxiao 2021-03-06

Foreword

Molyx Board (hereinafter MXB) is a PHP forum developed by Molyx Studios (apparently the former CNVBB group). MXB combines the strengths of many forum packages and is powerful; the team's years of experience localising and improving forum software for Chinese users also make MXB well suited to Chinese habits. Vulnerabilities, however, are unavoidable.

Affected systems: Molyx Board 2.0, Molyx Board 2.1

Details: attachment.php does not validate the attach variable, so a remote attacker can craft it to read any existing file on the server that the web server process is allowed to access.

Part of the file's code (reconstructed from the original; the vulnerable line is the one that builds $file):

function showattachment()
{
    global $DB, $forums, $_INPUT, $bbuserinfo, $bboptions;

    $forums->noheader = 1;

    if (!$_INPUT['u'] or !$_INPUT['attach']) {
        $forums->func->standard_error("cannotviewattach");
    }
    if (!$bbuserinfo['candownload']) {
        $forums->func->standard_error("cannotdownload");
    }

    // the numeric user id is split digit by digit into sub-directories
    $path = $bboptions['uploadfolder'] . '/' . implode('/', preg_split('//', intval($_INPUT['u']), -1, PREG_SPLIT_NO_EMPTY));
    // attach is appended to the path without any check for "../"
    $file = $path . "/" . $_INPUT['attach'];

    if (file_exists($file) and ($forums->cache['attachmenttype'][$_INPUT['extension']]['mimetype'] != "")) {
        $DB->shutdown_query("UPDATE " . TABLE_PREFIX . "attachment SET counter = counter + 1 WHERE attachmentid = " . intval($_INPUT['id']));
        @header('Cache-Control: max-age=31536000');
        @header('Expires: ' . gmdate("D, d M Y H:i:s", TIMENOW + 31536000) . ' GMT');
        @header('Content-Type: ' . $forums->cache['attachmenttype'][$_INPUT['extension']]['mimetype']);
        @header('Content-Disposition: inline; filename=' . $_INPUT['filename']);
        @header('Content-Length: ' . filesize($file));
        $fh = fopen($file, 'rb');
        fpassthru($fh);
        @fclose($fh);
        exit();
    } else {
        $forums->func->standard_error("cannotviewattach");
    }
}

If we visit an attachment:

http://www.molyx.com/attachment.php?id=684&u=3096&extension=gif&attach=1105910809.gif&filename=1.gif

attachment.php returns the file 1105910809.gif, which really exists on the server, to the browser. The filename parameter is only the original name of the file at upload time and is not used when building the path. If instead we send a request with the attach variable set to "./../../../../../../includes/config.php":

http://www.molyx.com/attachment.php?id=684&u=3096&extension=gif&attach=./../../../../../../includes/config.php&filename=1.gif

attachment.php then outputs the contents of config.php to the browser exactly as it would a normal attachment, so the MySQL connection information is disclosed. The number of "../" components depends on the directory layout. If /etc/passwd is readable, its contents can be read the same way. What you do after that is your own business; handing over a knife is not the same as telling you to use it.

Solution: in attachment.php both showattachment() and showthumb() build the path this way, so both need the filter. Search for the two occurrences of:

$file = $path . "/" . $_INPUT['attach'];

Then change to:

// strip every "/" from the attach value before it is appended to the path
$_INPUT['attach'] = str_replace("/", "", substr($_INPUT['attach'], strpos($_INPUT['attach'], '/')));
$file = $path . "/" . $_INPUT['attach'];
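Stripping "/" stops the request above, but it still leaves backslashes (which the Windows file system also treats as separators) and relies on string munging rather than on checking where the final path really lands. The following is an added example, not Molyx Board code: a hardened replacement for the `$file = $path . "/" . $_INPUT['attach']` line that accepts only a plain file name, requires the name to carry the extension the forum is asked to serve, and then confirms with realpath() that the resolved file lies inside the upload folder. The function name resolve_attachment(), the upload-folder layout and the test cases are constructed for the demonstration.

```php
<?php
// Added example (not Molyx Board code). resolve_attachment() and the
// constructed directory tree below are assumptions for the demonstration.

// Resolve an attachment request to an absolute path inside the upload folder,
// or return null if the request is not a plain file name or resolves elsewhere.
// The parameters mirror the u / attach / extension inputs from the advisory.
function resolve_attachment(string $uploadFolder, string $u, string $attach, string $extension, array $allowedTypes): ?string
{
    // 1. The user id must be numeric; MXB splits its digits into sub-directories.
    if (!ctype_digit($u)) {
        return null;
    }
    $path = rtrim($uploadFolder, '/') . '/' . implode('/', str_split($u));

    // 2. Accept only a bare file name: no "/" (basename() would change it),
    //    no "\" (a separator on Windows), no NUL bytes, and not "." or "..".
    if ($attach === '' || $attach !== basename($attach) || str_contains($attach, '\\')
        || str_contains($attach, "\0") || $attach === '.' || $attach === '..') {
        return null;
    }

    // 3. Serve only extensions the forum knows a MIME type for, and require the
    //    file name itself to end with that extension so the declared type
    //    cannot be decoupled from the file actually being read.
    $ext = strtolower($extension);
    if (!isset($allowedTypes[$ext]) || strtolower(pathinfo($attach, PATHINFO_EXTENSION)) !== $ext) {
        return null;
    }

    // 4. Canonicalise both sides and confirm containment. realpath() follows
    //    symlinks and collapses any remaining "." / ".." components.
    $base = realpath($path);
    $real = realpath($path . '/' . $attach);
    if ($base === false || $real === false || !is_file($real)) {
        return null;
    }
    if (!str_starts_with($real, $base . DIRECTORY_SEPARATOR)) {
        return null;
    }
    return $real;
}

// --- constructed demonstration tree (user 3096, one gif, one config file) ---
$root = sys_get_temp_dir() . '/mxb_demo_' . getmypid();
mkdir("$root/uploads/3/0/9/6", 0700, true);
mkdir("$root/includes", 0700, true);
file_put_contents("$root/uploads/3/0/9/6/1105910809.gif", "GIF89a");          // legitimate attachment
file_put_contents("$root/includes/config.php", "<?php \$dbpass = 'secret';"); // must never be served

$types = ['gif' => 'image/gif', 'jpg' => 'image/jpeg'];

$cases = [
    '1105910809.gif'                          => true,  // normal download
    './../../../../../../includes/config.php' => false, // the traversal from the advisory
    '..\\..\\..\\includes\\config.php'        => false, // backslash variant
    "1105910809.gif\0.php"                    => false, // NUL byte
    '1105910809'                              => false, // extension does not match "gif"
];
foreach ($cases as $attach => $expectServed) {
    $result = resolve_attachment("$root/uploads", '3096', $attach, 'gif', $types);
    $served = $result !== null;
    printf("%-45s %s\n", json_encode($attach), $served ? "served: $result" : 'rejected');
    if ($served !== $expectServed) {
        throw new RuntimeException("unexpected result for " . json_encode($attach));
    }
}

// remove the constructed tree again
unlink("$root/uploads/3/0/9/6/1105910809.gif");
unlink("$root/includes/config.php");
foreach (["$root/uploads/3/0/9/6", "$root/uploads/3/0/9", "$root/uploads/3/0", "$root/uploads/3",
          "$root/uploads", "$root/includes", $root] as $dir) {
    rmdir($dir);
}
```

Run it with `php resolve_attachment.php` (PHP 8 or later, for str_contains() and str_starts_with()). The containment check in step 4 is the part that actually closes the hole: even if a future change relaxed the name filter, a path that canonicalises outside the upload folder is still refused, and the extension check means a request can no longer ask for config.php while claiming it is a gif.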

Originally I wanted to check whether the extension is .attach. But then I thought: if this forum has not been modified, anything that is not an image is renamed to the .attach extension anyway. So the filter above is still a bit more effective. Ha ha……

When I first saw Molyx Board, I had to laugh at how large a user base the team had built up. Many of its functions are indeed, as the introduction says, rich and powerful. It is slow, especially in the admin backend. But I think a good forum cannot be written off on the basis of a few shortcomings.

Please credit the original source when reposting: https://www.9cbs.com/read-55300.html
