ueditor php上传漏洞,Tpshop Ueditor.php任意文件上传

in `/application/admin/controller/Ueditor.php line 80`, when action=uploadfile, FILES lead to function `upFile`

```

case 'uploadfile':

$fieldName = $CONFIG2['fileFieldName'];

$result = $this->upFile($fieldName);

break;

```

in function upFile, only check wheather file extension is `.php` or not.

follow in function move in `/thinkphp/library/think/File.php line 329 function move`.

```

$path = rtrim($path, DS) . DS;

// 文件保存命名规则

$saveName = $this->buildSaveName($savename);

$filename = $path . $saveName;

$filename2 = strtolower($filename);

if(strstr($filename2,'../') || strstr($filename2,'..\\') || strstr($filename2,'.php'))

{

$this->error = '文件上传格式错误 error ！';

return false;

}

```

in function move only check wheather filename contain `../`、`../`、`.php` or not.

so if we upload test.pht/.phtml file, apache aslo will parser it as php file, so we can execute any php code.