Hole in AjexFileManager 1.0
A kind person reported a vulnerability that lets you upload any file.
Specifically, it is in the CKEditor Upload tab, the quick upload of files without opening an additional window: the check on uploaded files was somehow missed there.
To fix it, in ajax.php around line 260, where if (move_uploaded_file()) was written, you need to add a check:
$fileName = getFreeFileName($_FILES['upload']['name'], $toDir);
$ext = substr($fileName, strrpos($fileName, '.') + 1);
$ext = strtolower($ext);
if (!in_array($ext, $cfg['deny'][$cfg['type']]) && in_array($ext, $cfg['allow'][$cfg['type']]) && move_uploaded_file($_FILES['upload']['tmp_name'], $toDir . DIR_SEP . $fileName)) {
12, 12 17 August 2010, 00:57
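An added example, not part of the original post or of AjexFileManager: one way to combine the post's allow/deny extension check with the two points raised in the comments below (a NUL byte in the file name, and exif_imagetype()). The helper name rejectReason, the sample $cfg values and the demo files are constructed; it assumes PHP 7.1+ with the exif extension.

```php
<?php
// Added example, not AjexFileManager code. $cfg mirrors the page's
// $cfg['allow'] / $cfg['deny'] layout; the values are constructed.
$cfg = [
    'type'  => 'image',
    'allow' => ['image' => ['jpg', 'jpeg', 'png', 'gif']],
    'deny'  => ['image' => ['php', 'phtml', 'exe']],
];

// Hypothetical helper: null if the upload is acceptable, else the reason.
function rejectReason(string $name, string $tmpPath, array $cfg): ?string
{
    $type = $cfg['type'];
    // A NUL byte or other control character never belongs in a file name;
    // refuse the upload instead of trying to strip it.
    if (preg_match('/[\x00-\x1f\x7f]/', $name)) {
        return 'control character in file name';
    }
    // Drop any client-supplied directory part, then split on dots.
    $name  = basename(str_replace('\\', '/', $name));
    $parts = explode('.', strtolower($name));
    if (count($parts) < 2 || $parts[0] === '') {
        return 'missing name or extension';
    }
    // The final extension must be on the allow list ...
    if (!in_array(end($parts), $cfg['allow'][$type], true)) {
        return 'extension not allowed';
    }
    // ... and no other segment (as in 1.php.jpg) may be on the deny list.
    if (array_intersect(array_slice($parts, 1), $cfg['deny'][$type])) {
        return 'denied extension inside file name';
    }
    // Content check: exif_imagetype() reads the file signature and
    // returns false when the file is not a recognised image.
    if ($type === 'image' && @exif_imagetype($tmpPath) === false) {
        return 'content is not an image';
    }
    return null;
}

// Constructed demo files: a GIF signature and a small PHP script.
$gif = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($gif, 'GIF89a' . str_repeat("\0", 32));
$php = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($php, '<?php echo 1;');
$cases = [['photo.gif', $gif], ["1.php.jpg\0", $gif], ['1.php.jpg', $gif], ['photo.jpg', $php]];
foreach ($cases as [$n, $p]) {
    echo json_encode($n), ' => ', rejectReason($n, $p, $cfg) ?? 'accepted', "\n";
}
unlink($gif); unlink($php);
```

The signature check only confirms the leading bytes of the file, so it complements the extension rules rather than replacing them.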
Hellorin, Dnepropetrovsk 19 July 2011, 12:20
The bug is still there, just as it was: you can upload a shell via a null byte, i.e.: 1.php.jpg%00
Deep 22 October 2011, 13:16
Whoa... Harsh... go to => exif_imagetype();
And remove all the empty() calls; that function complains about a nonexistent variable in PHP v 5.1 and treats the character "0" as empty.
Deep 22 October 2011, 13:17
And look in the "small instruction" post; I left a comment there too.