PECSM-TEAM 2.2.2 has a file upload vulnerability in /Public/?g=Team&m=Setting&a=upgrade

[snappyJack]

This page let user upgrade the PESCMS system manually.

Follow the mtUpgrade funtction,the upload file extension must be “zip”

and follow the unzip function

Follow the simulateInstall function and install function,we can see the file decompression in root directory

so,we can create a evil.php

and compression it as evil.zip,and upload the evil.zip,

at last ,the system decompress evil.zip and evil.php in root directory.

[lazyphp]

英语水平有限，这里用中文吧：
因为考虑到程序都是内网为主，所以手动更新的程序并没有与官方进行 哈希验证。所以确实会存在一个提权的风险。目前这些各项功能还在调优中，不久将来的版本更新功能将需要与官方的更新包进行哈希验证，匹配正确才会执行更新。

[lazyphp]

即将发布的新版已经接近此问题。https://github.com/lazyphp/PESCMS-TEAM/tree/dev-2.3.0