hightman / xunsearch

A free, open-source Chinese search engine written in C/C++ (based on xapian and scws), providing a PHP development interface and extensive documentation
http://www.xunsearch.com
1.65k stars, 391 forks

Possible Code injection Vulnerability #125

Closed enferas closed 3 years ago

enferas commented 3 years ago

Hello,

I would like to report a code injection vulnerability in the file 'dev/server.php'.

Line 142:

// the source
while (($line = fgets($stdin, 8192)) !== false) {
    $line = trim($line);
    $args = '';
    if (($pos = strpos($line, ' ')) === false) {
        $cmd = $line;
    } else {
        $cmd = substr($line, 0, $pos);
        // $args holds the source
        $args = substr($line, $pos + 1);
    }

    //....

    if ($cmd == 'trace') {
        echo $trace . "\n";
    } elseif (!empty($cmd)) {
        if (!function_exists('cmd_' . $cmd)) {
            $cmd = 'send';
            $args = $line;
        }
        try {
            //...
            if ($cmd == 'open' || $cmd == 'help' || _check_server()) {
                // three different functions can be called here, and they lead to the vulnerability:
                // cmd_project, cmd_send or cmd_send2
                call_user_func('cmd_' . $cmd, $args);
            }
//....

If cmd_project is called, line 171:

function cmd_project($args)
{
    global $server;
    // the source is in $args
    $name = _get_send_arg($args);
    // ....
}

Line 343:

function _get_send_arg($args = NULL)
{
    static $buf = NULL, $off = 0;

    if ($args !== NULL) {
        $off = 0;
        // the source is now in $buf
        $buf = $args;
    }
    //.....
}

Line 370:

// the source in $buf is accumulated into $ret
for ($ret = '', $end = $start; $end < $len; $end++) {
    $char = substr($buf, $end, 1);

    // ...

    $ret .= $char;
}

Line 403:

// the sink
eval('$ret = ' . $ret . ';');

hightman commented 3 years ago

Hi, thanks for your report. This is just a tool script for developers to test features by themselves.
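The sink pattern discussed in this thread, as an added example that is not part of the issue or of xunsearch's dev/server.php: a hypothetical decode_arg_eval() reassembles a quoted-string token and hands it to eval, the same shape as the reported `eval('$ret = ' . $ret . ';');`, and a hypothetical decode_arg_safe() accepts the same double-quoted literal but decodes the escapes itself, so the input can never leave the string context. The function names, the escape set and the two sample tokens are assumptions made for this example; what _get_send_arg actually does inside the elided loop is not shown on the page.

```php
<?php
// Added example, not xunsearch code: a quoted-string argument decoder written
// the eval way (the sink pattern reported for dev/server.php) and a safe way.
// decode_arg_eval, decode_arg_safe and both sample tokens are hypothetical.

// Vulnerable: whatever the token contains is compiled and executed as PHP.
function decode_arg_eval(string $token): string
{
    $ret = null;
    eval('$ret = ' . $token . ';');
    return (string) $ret;
}

// Hardened: only a double-quoted literal with a fixed escape set is accepted,
// the escapes are decoded by hand, and anything else is rejected with null.
function decode_arg_safe(string $token): ?string
{
    if (strlen($token) < 2 || $token[0] !== '"' || $token[strlen($token) - 1] !== '"') {
        return null;                      // not a quoted string
    }
    $body = substr($token, 1, -1);
    $len  = strlen($body);
    $out  = '';
    for ($i = 0; $i < $len; $i++) {
        $c = $body[$i];
        if ($c === '\\') {
            if ($i + 1 >= $len) {
                return null;              // dangling backslash
            }
            switch ($body[++$i]) {
                case 'n':  $out .= "\n"; break;
                case 't':  $out .= "\t"; break;
                case 'r':  $out .= "\r"; break;
                case '"':  $out .= '"';  break;
                case '\\': $out .= '\\'; break;
                default:   return null;   // unknown escape
            }
        } elseif ($c === '"') {
            return null;                  // unescaped quote: the literal would end early
        } else {
            $out .= $c;
        }
    }
    return $out;
}

// Constructed sample tokens, i.e. what a "project" or "send" line might carry.
$benign  = '"demo\tproject\n"';
$hostile = '"x"; echo shell_exec(\'id\'); $ret = "';

// Both decoders agree on well-formed input.
var_dump(decode_arg_eval($benign) === decode_arg_safe($benign)); // bool(true)

// The hostile token closes the literal, appends a statement and reopens a
// string, so eval('$ret = ' . $hostile . ';') still parses and would run
// shell_exec('id'). The safe decoder rejects it at the unescaped quote.
var_dump(decode_arg_safe($hostile));                             // NULL
```

Run it with `php example.php`. The safe decoder is deliberately strict: an unknown escape or a stray quote returns null instead of a best-effort string, because in a dispatcher like the one at line 142 a partially decoded argument still reaches cmd_project or cmd_send. How much this matters here depends on who feeds stdin; as the maintainer notes, dev/server.php is a developer test script, so the input is normally the developer's own terminal.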