Ticket #2240 (closed defect: wontfix)
Upload Issue
| Reported by: | cain | Owned by: | team |
|---|---|---|---|
| Priority: | highest | Milestone: | |
| Component: | module:mediamanager | Version: | 2.11.2 |
| Severity: | critical | Keywords: | |
| Cc: | | | |
Description
I found a critical vulnerability in Dotclear v2.11.2. It may cause remote code execution.
First, in /admin/media_item.php:
In line 110 > `$newFile->basename = $_POST['media_file'];`
In line 125 > `$core->media->updateFile($file, $newFile);`
Then go to /inc/core/class.dc.media.php:
In line 814 > `if ($this->isFileExclude($newFile->relname))`
Then go to /inc/libs/clearbricks/filemanager/class.filemanager.php:
In line 169 >

```php
protected function isFileExclude($f)
{
    if (!$this->exclude_pattern) {
        return false;
    }
    return preg_match($this->exclude_pattern, $f);
}
```
Then go to /inc/core/class.dc.media.php:
In line 94 > `$this->exclude_pattern = $core->blog->settings->system->media_exclusion;`
`$this->exclude_pattern` is `"/\.(phps?|pht(ml)?|phl|s?html?|js|htaccess)[0-9]*$/i"`
The regex pattern is not safe. When the web server OS is Windows, you can upload a file named 'evil.php.', and then you can get a webshell.
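The following is an added example, not code from the ticket or from Dotclear. It ports the quoted `media_exclusion` regex and the `isFileExclude()` check to Python so the bypass can be reproduced offline: the filter is run on the name the client sends, but Windows strips trailing dots and spaces when it creates the file, so `evil.php.` passes the check and lands on disk as `evil.php`. The `windows_stored_name()` helper is an assumed model of that file-system behaviour, and `is_file_excluded_hardened()` is one possible fix (normalize the name the way the OS will before matching), not a patch the project shipped.

```python
import re

# The exclusion pattern quoted in the ticket (Dotclear's media_exclusion setting),
# ported from PCRE to Python's re. For this pattern the semantics are identical:
# case-insensitive, and `$` anchors to the end of the name.
MEDIA_EXCLUSION = re.compile(
    r"\.(phps?|pht(ml)?|phl|s?html?|js|htaccess)[0-9]*$", re.IGNORECASE
)


def is_file_excluded(name: str) -> bool:
    """Port of clearbricks filemanager::isFileExclude(): True when the
    requested file name is rejected by the exclusion regex."""
    return MEDIA_EXCLUSION.search(name) is not None


def windows_stored_name(requested: str) -> str:
    """Assumed model (not Dotclear code) of what NTFS/Win32 does with the
    requested name: trailing dots and spaces are dropped before the file is
    created, so 'evil.php.' and 'evil.php ' are both stored as 'evil.php'."""
    return requested.rstrip(". ")


def is_file_excluded_hardened(name: str) -> bool:
    """Hardened variant: apply the same normalization the OS will apply, then
    match, so the name that actually ends up on disk is what gets checked."""
    return MEDIA_EXCLUSION.search(windows_stored_name(name)) is not None


def simulate_upload(requested: str, check) -> dict:
    """Run one upload through a given exclusion check and report what would
    happen on a Windows host: whether the filter blocks it, the name the file
    system would store, and whether that stored name is an executable
    extension according to the very same regex."""
    blocked = check(requested)
    stored = None if blocked else windows_stored_name(requested)
    return {
        "requested": requested,
        "blocked": blocked,
        "stored_as": stored,
        "stored_is_dangerous": stored is not None and is_file_excluded(stored),
    }


if __name__ == "__main__":
    # Constructed sample names, including the one from the ticket.
    for name in ["photo.jpg", "evil.php", "evil.php5", "evil.php.", "evil.php "]:
        print("original :", simulate_upload(name, is_file_excluded))
        print("hardened :", simulate_upload(name, is_file_excluded_hardened))
```

Running the block shows the asymmetry the ticket describes: with the original check, `evil.php.` is not blocked and `stored_is_dangerous` is `True`, because the regex requires the name to end with the extension (optionally followed by digits) and the trailing dot breaks that anchor; the hardened check rejects it because it matches against the normalized name. Normalizing before matching is the key point; tightening the regex alone does not help if the file system rewrites the name after the check has passed.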
