zyx0814/dzzoffice

Multiple path manipulation vulnerability

Opened this issue · 0 comments

enferas commented

Hello,

I would like to report for possible path manipulation vulnerabilities.

The path of the vulnerability.

In file https://github.com/zyx0814/dzzoffice/blob/master/dzz/io/setStream.php

if(!$path=dzzdecode(rawurldecode($_GET['path']))){
	exit('Access Denied');
}
//...
if(!$msg && ($re=IO::setFileContent($path,$content,true))){
	//...
}

In file https://github.com/zyx0814/dzzoffice/blob/master/core/class/io/io_ALIOSS.php

public function setFileContent($path,$data){
	//..
			  self::deleteThumb($path);
	//..
}

In file https://github.com/zyx0814/dzzoffice/blob/master/core/class/io/io_ALIOSS.php

public function deleteThumb($path){
		global $_G;
		$imgcachePath='./imgcache/';
                // Note path carry the value from the source
		$cachepath=str_replace('//','/',str_replace(':','/',$path));
		
		foreach($_G['setting']['thumbsize'] as $value){
			$target = $imgcachePath . ($cachepath) . '.' . $value['width'] . '_' . $value['height'] . '_1.jpeg';
			$target1 = $imgcachePath . ($cachepath) . '.' . $value['width'] . '_' . $value['height'] . '_2.jpeg';
			@unlink($_G['setting']['attachdir'].$target);
			@unlink($_G['setting']['attachdir'].$target1);
		}
		
	}

We see that there is no check between the input $_GET['path'] and the unlink for the $target.
$target can carry the value ../ which go back in the image directory.