
UCMS v1.4.0-7 Information leakage

A problem was found in UCMS v1.4.0-7, in line 2 of ucms/chk.php.

Vulnerability Type:

Information leakage

Affected Version:

1.4.0-7

Vulnerability Description:

ucms/chk.php:2

1. The second line checks directly whether the global variable db exists.
2. If it does not exist, a new db() instance is created and assigned to the global variable db.
3. /ucms/chk.php can currently be requested directly by anyone, and in that case the file that defines the db() class has not been loaded. The call to new db() therefore raises an error, and the error message reveals the current physical path!

if(!isset($GLOBALS['db'])) {$GLOBALS['db'] = new db();$GLOBALS['db'] -> connect($site_db);}
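
One way to close this leak, shown as an added example rather than UCMS's own code or an official patch: stop rendering PHP errors to the client and refuse requests that reach chk.php directly. The UCMS_ENTRY constant is hypothetical; it assumes the application's entry script defines it before including this file.

```php
<?php
// Added example, not UCMS code.
// UCMS_ENTRY is a hypothetical constant: the assumption is that the
// application's entry script runs define('UCMS_ENTRY', true) before it
// includes this file.

// 1. Never render PHP errors to the client. Error messages embed the
//    absolute path of the failing script. Log them server-side instead.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// 2. Refuse direct requests. This file only makes sense when it is
//    included by the application, so a direct hit gets a bare 404.
if (!defined('UCMS_ENTRY')) {
    http_response_code(404);
    exit;
}

// 3. Fail closed if the db class was never loaded, instead of letting
//    "new db()" raise a fatal error. The second argument (false) stops
//    class_exists() from triggering an autoloader.
if (!class_exists('db', false)) {
    error_log('chk.php was included before the db class was loaded');
    http_response_code(500);
    exit('Internal error');
}

// Original logic, now only reachable from inside the application.
// $site_db is expected to be set by the including script, as in the original.
if (!isset($GLOBALS['db'])) {
    $GLOBALS['db'] = new db();
    $GLOBALS['db']->connect($site_db);
}
```

Setting display_errors to Off in the server's php.ini gives the same protection to every other script that can be requested directly.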

Reproduction environment:

  • Windows 10
  • PHP 5.4.5
  • Apache 2.4.23

Reproducing the vulnerability:

  1. Visit http://www.ucmsXXX.com/ucms/chk.php directly; the response shows the leaked absolute path!

http://www.ucm1.4.0.com/ucms/chk.php

http://www.ucm1.4.1.com/ucms/chk.php

http://www.ucm1.4.2.com/ucms/chk.php

http://www.ucm1.4.3.com/ucms/chk.php

http://www.ucm1.4.4.com/ucms/chk.php

http://www.ucm1.4.5.com/ucms/chk.php

http://www.ucm1.4.6.com/ucms/chk.php

http://www.ucm1.4.7.com/ucms/chk.php