WordPress /wp-content/plugins/wp-symposium/server/php/UploadHandler.php Arbitrary File Upload Vulnerability
Contents
1. Vulnerability description 2. Trigger conditions 3. Affected scope 4. Vulnerable code analysis 5. Mitigation 6. Offence and defence reflections
1. Vulnerability description
Relevant Link:
2. Trigger conditions
3. Affected scope
4. Vulnerable code analysis
/wp-content/plugins/wp-symposium/server/php/UploadHandler.php
    function __construct($options = null, $initialize = true, $error_messages = null) {
        if (isset($_POST['uploader_uid']) && isset($_POST['uploader_url'])) {
            // upload directory and URL are taken straight from the request body
            $upload_dir = $_POST['uploader_dir'];
            $upload_url = $_POST['uploader_url'];
            $this->options = array(
                'script_url' => $this->get_full_url().'/',
                'upload_dir' => $upload_dir,
                'upload_url' => $upload_url,
                'user_dirs' => false,
                'mkdir_mode' => 0755,
                'param_name' => 'files',
                // Set the following option to 'POST', if your server does not support
                // DELETE requests. This is a parameter sent to the client:
                'delete_type' => 'DELETE',
                'access_control_allow_origin' => '*',
                'access_control_allow_credentials' => false,
                'access_control_allow_methods' => array(
                    'OPTIONS',
                    'HEAD',
                    'GET',
                    'POST',
                    'PUT',
                    'PATCH',
                    'DELETE'
                ),
                'access_control_allow_headers' => array(
                    'Content-Type',
                    'Content-Range',
                    'Content-Disposition'
                ),
                // Enable to provide file downloads via GET requests to the PHP script:
                'download_via_php' => false,
                // Defines which files can be displayed inline when downloaded:
                'inline_file_types' => '/\.(mp4|zip|doc|docx|ppt|pptx|xls|xlsx|txt|pdf|gif|jpe?g|png)$/i',
                // Any file extension is accepted for upload; this is the root cause of the vulnerability
                'accept_file_types' => '/.+$/i',
                ..
5. Mitigation
/wp-content/plugins/wp-symposium/server/php/UploadHandler.php
                ..
                // Enable to provide file downloads via GET requests to the PHP script:
                'download_via_php' => false,
                // Defines which files can be displayed inline when downloaded:
                'inline_file_types' => '/\.(mp4|zip|doc|docx|ppt|pptx|xls|xlsx|txt|pdf|gif|jpe?g|png)$/i',
                // Fix: replace the catch-all pattern with an explicit extension whitelist
                // (the dot is escaped so that a real extension separator is required)
                'accept_file_types' => '/\.(mp4|doc|docx|ppt|pptx|xls|xlsx|txt|pdf|gif|jpe?g|png)$/i',
                ..
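As an added illustration (not the plugin's code), the script below runs the catch-all pattern from section 4 and the whitelist pattern from section 5 over constructed upload names through preg_match(), the way the handler's validation step is assumed here to check the client-supplied file name.

```php
<?php
// Added example, not code from the wp-symposium plugin: evaluate the two
// accept_file_types settings against sample upload names the way the
// handler's validation step is assumed to (preg_match on the file name).

// Vulnerable setting from section 4: any non-empty name passes.
const ACCEPT_ANY = '/.+$/i';
// Whitelisted setting from section 5, dot escaped so that a real
// extension separator is required before the listed extension.
const ACCEPT_WHITELIST = '/\.(mp4|doc|docx|ppt|pptx|xls|xlsx|txt|pdf|gif|jpe?g|png)$/i';

// Returns true when $name satisfies $pattern (whitelist semantics:
// no match means the upload is refused).
function is_accepted(string $pattern, string $name): bool
{
    return preg_match($pattern, $name) === 1;
}

// Returns [name => ['any' => bool, 'whitelist' => bool]] for each sample.
function classify(array $names): array
{
    $result = [];
    foreach ($names as $name) {
        $result[$name] = [
            'any'       => is_accepted(ACCEPT_ANY, $name),
            'whitelist' => is_accepted(ACCEPT_WHITELIST, $name),
        ];
    }
    return $result;
}

// Constructed sample names; the upload name is client-supplied, just like
// uploader_dir and uploader_url in the constructor.
$samples = ['photo.jpg', 'report.PDF', 'clip.mp4', 'archive.zip', 'index.php', 'README'];

foreach (classify($samples) as $name => $verdict) {
    printf("%-12s any: %-8s whitelist: %s\n", $name,
        $verdict['any'] ? 'accepted' : 'rejected',
        $verdict['whitelist'] ? 'accepted' : 'rejected');
}
```

The name whitelist is only one layer: because the target directory itself comes from the request, the web server should also have script execution disabled for the upload location.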
6. Offence and defence reflections
Copyright (c) 2015 LittleHann All rights reserved