squishi
05-26-2013, 04:50 PM
This code is in newattachment.php:
// check for any funny business
$filecount = 1;
if (!empty($vbulletin->GPC['attachment']['tmp_name']))
{
    foreach ($vbulletin->GPC['attachment']['tmp_name'] AS $filename)
    {
        if (!empty($filename))
        {
            if ($filecount > $vbulletin->options['attachboxcount'])
            {
                @unlink($filename);
            }
            $filecount++;
        }
    }
}
It deletes (=unlinks) a file that is coming from user input.
Wouldn't this allow an attacker to delete any file on the server or in the vb system?
All I would need to do is post the filepath in the attachment[tmp_name] variable to newattachment.php (and make sure that the condition is met).
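
Added example (not part of the original post and not vBulletin's own code): one way to guard a cleanup loop like the one quoted above, assuming the paths are meant to be PHP upload temp files. The function name prune_surplus_uploads and the sample file are hypothetical and constructed for illustration.

```php
<?php
/**
 * Delete upload temp files beyond $maxFiles, but only paths that PHP itself
 * registered as HTTP POST uploads for the current request.
 * Returns [deleted paths, refused paths].
 */
function prune_surplus_uploads(array $tmpNames, int $maxFiles): array
{
    $deleted = [];
    $refused = [];
    $count = 0;
    foreach ($tmpNames as $path) {
        if (!is_string($path) || $path === '') {
            continue; // empty upload slot or malformed entry
        }
        $count++;
        if ($count <= $maxFiles) {
            continue; // within the allowed number of attachment boxes
        }
        // is_uploaded_file() is true only for files in PHP's own upload list,
        // so a path that arrived through any other request field is refused.
        if (is_uploaded_file($path)) {
            unlink($path);
            $deleted[] = $path;
        } else {
            $refused[] = $path;
        }
    }
    return [$deleted, $refused];
}

// Constructed input: a file that exists on disk but was not uploaded.
$ordinaryFile = tempnam(sys_get_temp_dir(), 'notupload');
[$deleted, $refused] = prune_surplus_uploads([$ordinaryFile, $ordinaryFile], 1);

// The surplus entry is refused and the file is still present afterwards.
var_dump($deleted === [], $refused === [$ordinaryFile], file_exists($ordinaryFile));
unlink($ordinaryFile); // clean up the constructed file
```

Logging the refused paths gives a detection signal: a non-upload path reaching this loop means the value did not originate from PHP's upload handling.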