ewebeditor 3.8php漏洞,eWebEditor v3.8 列目录漏洞【asp版本】

SubInitParam()sType=UCase(Trim(Request.QueryString("type")))sStyleName=Trim(Request.QueryString("style"))sCusDir=Trim(Request.QueryString("cusdir"))Dimi,aStyleConfig,bValidStyle

bValidStyle=FalseFori=1ToUbound(aStyle)aStyleConfig=Split(aStyle(i),"|||")IfLcase(sStyleName)=Lcase(aStyleConfig(0))ThenbValidStyle=TrueExitForEndIfNextIfbValidStyle=FalseThenOutScript("alert('Invalid Style.')")EndIfsBaseUrl=aStyleConfig(19)nAllowBrowse=CLng(aStyleConfig(43))nCusDirFlag=Clng(aStyleConfig(61))IfnAllowBrowse<>1ThenOutScript("alert('Do not allow browse!')")EndIfIfnCusDirFlag<>1ThensCusDir=""ElsesCusDir=Replace(sCusDir,"","/")IfLeft(sCusDir,1)="/"OrLeft(sCusDir,1)="."OrRight(sCusDir,1)="."OrInStr(sCusDir,"./")>0OrInStr(sCusDir,"/.")>0OrInStr(sCusDir,"//")>0ThensCusDir=""ElseIfRight(sCusDir,1)<>"/"ThensCusDir=sCusDir&"/"EndIfEndIfEndIfsUploadDir=aStyleConfig(3)IfLeft(sUploadDir,1)<>"/"ThensUploadDir="../"&sUploadDirEndIfSelectCasesBaseUrlCase"0"sContentPath=aStyleConfig(23)Case"1"sContentPath=RelativePath2RootPath(sUploadDir)Case"2"sContentPath=RootPath2DomainPath(RelativePath2RootPath(sUploadDir))EndSelectsUploadDir=sUploadDir&sCusDir

sContentPath=sContentPath&sCusDirSelectCasesTypeCase"FILE"sAllowExt=""Case"MEDIA"sAllowExt="rm|mp3|wav|mid|midi|ra|avi|mpg|mpeg|asf|asx|wma|mov"Case"FLASH"sAllowExt="swf"CaseElsesAllowExt="bmp|jpg|jpeg|png|gif"EndSelectsCurrDir=sUploadDir

sDir=Trim(Request("dir"))'1.假设dir= ../

'2.假设dir=...//'3.假设dir=.....///

sDir = Replace(sDir, "", "/")  '过滤1sDir=Replace(sDir,"../","")'过滤2

'1.到这里就被过滤了sDir=Replace(sDir,"./","")'过滤3

'2到这里也被功率了'3到这里就成../了。比较有趣的饶过！好象不少cms这样过滤过。[/color]

If sDir <> "" Then

If CheckValidDir(Server.Mappath(sUploadDir & sDir)) = True Then

sCurrDir = sUploadDir & sDir & "/"

Else

sDir = ""

End If

End If

End Sub