Bo-blog 2.0.3 file browsing vulnerability

Source: Red Wolf Security Team (www.crst.com.cn, www.wolfexp.net)
Author: qaz0987

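The editor in Bo-blog 2.0.3 has a file browsing vulnerability. The vulnerable files are whizzylink.php and whizzypic.php. The former can browse arbitrary files and directories; the latter can only browse directories and images, and can display the images.
Example: http://xxxxx/blog/editor/rte/whizzery/whizzylink.php?d=/&x=.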


    // 'd' comes straight from the request and is appended to the document root unchecked
    $docpath = $_REQUEST['d'];
    // 'x' is placed unescaped into the file name filter regex; x=. matches every file name
    $extensions = $_REQUEST['x'] ? '/(' . $_REQUEST['x'] .')$/i' : '/\.(html|pdf|txt)$/i';
    $d = $_SERVER['DOCUMENT_ROOT'] . '/' . $docpath;
    $d = str_replace('//','/',$d);
    $dir = opendir($d);
    while ($file = readdir($dir)){
        $files[] = $file;
    }
    closedir($dir);
    usort($files, "insensitive"); //see function insensitive($a, $b)
    foreach ($files as $filename) {
        $filepath = "$d/$filename";
        $fsize = sprintf("%u", filesize($filepath)); //filesizes over 2Mb won't fit in an int so we unsign it
        $modtime = date ("d F Y H:i:s", filemtime($filepath)); //mtime is unix timestamp
        $tip = " Size: $fsize <br>Updated: $modtime ";
        if (is_dir($filepath) && $docpath) { //it's a directory
            if ($filename == '.'){ //current directory
                $dlist .= "<img src='/btn/dir.png'> $docpath ";
            } else if ($filename == '..') { //parent directory
                if($docpath) { //we're in a sub directory - no Up from root
                    $updir = substr($docpath,0,strrpos($docpath,'/'));
                    $dlist .= "<img src='/btn/back.png'><a href='$self?d=$updir'>Up</a>/<br>";
                }
            } else {
                $docpath = str_replace($_SERVER['DOCUMENT_ROOT'], "", $d);
                $dlist .= "<div style='float:left;width:20em'><img src='/btn/dir.png'><a href='$self?d=$docpath/$filename'>$filename</a></div>";
            }
        } else if (preg_match($extensions,$filename) ) { //file name passes the (request-controlled) filter
            $flist .= "<div style='float:left;width:20em'><a href='#' onclick='WantThis(\"$docpath/$filename\")'>$filename</a></div>";
        } // (the excerpt stops here)
    }
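
One way to close both inputs, written as an added example (not Bo-blog's or the advisory author's code): the requested directory is canonicalised and confined to a base directory, and the extension filter is a fixed list instead of the `x` parameter. The function names, `ALLOWED_EXT` and the temporary demo tree are assumptions made for illustration.

```php
<?php
// Added example, not Bo-blog code. Hypothetical names: resolve_browse_dir(),
// list_allowed_files(), ALLOWED_EXT. Assumes browsing should stay inside one
// base directory chosen by the server, never by the client.

const ALLOWED_EXT = ['html', 'pdf', 'txt'];   // fixed list; no client-supplied regex

// Returns the canonical directory for $requested, or null if it leaves $base.
function resolve_browse_dir(string $base, string $requested): ?string
{
    $baseReal = realpath($base);
    if ($baseReal === false || strpos($requested, "\0") !== false) {
        return null;
    }
    // realpath() collapses "..", "//" and symlinks before the comparison.
    $target = realpath($baseReal . DIRECTORY_SEPARATOR . $requested);
    if ($target === false || !is_dir($target)) {
        return null;
    }
    // Trailing separator stops "/uploads_evil" from matching base "/uploads".
    $prefix = rtrim($baseReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    $inside = strncmp($target . DIRECTORY_SEPARATOR, $prefix, strlen($prefix)) === 0;
    return $inside ? $target : null;
}

// Lists regular files in $dir whose extension is on the fixed allow-list.
function list_allowed_files(string $dir): array
{
    $out = [];
    foreach (scandir($dir) ?: [] as $name) {
        $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
        if (is_file($dir . DIRECTORY_SEPARATOR . $name) && in_array($ext, ALLOWED_EXT, true)) {
            $out[] = $name;
        }
    }
    return $out;
}

// Constructed demo: a temp tree standing in for the editor's browse directory.
$base = sys_get_temp_dir() . '/browse_demo_' . getmypid();
mkdir($base . '/docs', 0700, true);
file_put_contents($base . '/docs/readme.txt', 'x');
file_put_contents($base . '/docs/config.php', 'x');
foreach (['docs', 'docs/../..', '../', '/'] as $d) {
    $dir = resolve_browse_dir($base, $d);
    echo str_pad($d, 12), ' => ', $dir === null ? 'rejected' : '[' . implode(',', list_allowed_files($dir)) . ']', "\n";
}
array_map('unlink', glob($base . '/docs/*'));   // remove the constructed files
rmdir($base . '/docs');
rmdir($base);
```

In the demo a leading `/` resolves to the base directory itself, because the requested path is always joined beneath the base before canonicalisation.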


  • fisker

    No wonder the new version keeps mentioning these two files.
