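Ras, posted September 16, 2007

# Chupix CMS 0.2.3 (download.php) Remote File Download Vulnerability
# P.Script : http://sourceforge.net/project/showfiles.php?group_id=134930

################################
download.php
################################
Lines: 18->57
********************************************************************************************************************
if(isset($_GET['fichier'])){   <--------------XXXX
    // téléchargement du fichier
    $file = "archives/". $_GET['repertoire'] ."/".$_GET['fichier'];   <--------------XXXX
    $fichier_txt = "archives/". $_GET['repertoire'] ."/cpt/". $_GET['fichier'].".php"
    $repertoire = "archives/". $_GET['repertoire'] ."/cpt/";
    if(is_file($fichier_txt)){
        $fp = @fopen($fichier_txt, "r");   <--------------XXXX
        $result = fread($fp, filesize ($fichier_txt));
        fclose($fp);
        $result = str_replace("<?php ", "", $result);
        $result = str_replace("?>", "", $result);

        $num = trim($result);
    }else{
        $num = 0;
    }
    $num++;

    $msg = "<?php ". $num ." ?>";

    if(!(is_dir($repertoire))){
        mkdir ($repertoire, 0755);
    }

    $fp = @fopen($fichier_txt, "w+");   <--------------XXXX
    if (flock($fp, LOCK_EX)) { // pose un verrou exclusif
        fwrite($fp, $msg);
        flock($fp, LOCK_UN); // lib
[the excerpt is cut off here in the post]

Root cause, as far as the marked lines show: the request parameters `repertoire` and `fichier` are concatenated directly into `$file`, `$fichier_txt` and `$repertoire` with no validation, so the resulting paths are not confined to `archives/`. The same unvalidated paths also reach `mkdir()` and `fopen(..., "w+")`, so the download counter is affected as well as the download itself (the code that actually sends `$file` is not part of this excerpt). A fix should reduce each parameter to a single path component (for example with `basename()` or a strict allowlist of characters), resolve the final path with `realpath()`, and refuse the request unless the result lies inside the archives directory, before any `is_file()`, `mkdir()` or `fopen()` call.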