Name: zhonghao, f0@gnusec
The program can be configured in the administration background to offer downloadable user files; a user can then download such a file from the user center once certain conditions are met (usually after an order is completed). During this process the administrator defines the address of the downloadable file in the background, and no reasonable validation or filtering is applied to the download address the administrator enters. As a result, arbitrary files on the server can be downloaded across directories (directory traversal).
The background also has an installable, extensible-function feature that lets the user upload and install extension code. Because of problems in its processing logic, combined with other bugs in the system's other business functions, this can lead to arbitrary code execution.
Filter directory-traversal strings out of user input before using it as a file path.
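One way to implement that filtering for the arbitrary-file-download issue described above (added example code, not the affected program's own implementation): rather than searching for "../" substrings, resolve the administrator-supplied download address against a fixed downloads directory and accept it only if the fully resolved path is still inside that directory. The base directory `/srv/app/downloads`, the function names and the sample addresses are assumptions for the example.

```python
import os
import tempfile
from pathlib import Path, PurePosixPath


class UnsafePathError(ValueError):
    """Raised when a requested download address escapes the downloads directory."""


def resolve_download_path(base_dir: str, requested: str) -> str:
    """Return the absolute path of `requested` inside `base_dir`, or raise.

    `requested` is the download address as configured by the administrator
    (hypothetical parameter name). It is accepted only if, after resolving
    `..` components and symlinks, it still lies strictly inside `base_dir`.
    """
    if not requested or "\x00" in requested:
        raise UnsafePathError("empty address or NUL byte")
    # Normalise Windows separators so "..\\" is treated like "../".
    normalised = requested.replace("\\", "/")
    # Absolute addresses can never be a valid entry below the base directory.
    if PurePosixPath(normalised).is_absolute():
        raise UnsafePathError(f"absolute address rejected: {requested!r}")

    base = Path(base_dir).resolve()
    # resolve() follows symlinks and collapses "..", so a link or a
    # "dir/../../x" sequence ends up at its real location before the check.
    candidate = (base / normalised).resolve()
    if candidate == base:
        raise UnsafePathError("address refers to the download directory itself")
    try:
        common = os.path.commonpath([str(base), str(candidate)])
    except ValueError:
        # Different drives on Windows: cannot be inside the base directory.
        raise UnsafePathError(f"address on another drive: {requested!r}")
    if common != str(base):
        raise UnsafePathError(f"address escapes download directory: {requested!r}")
    return str(candidate)


def is_safe_download(base_dir: str, requested: str) -> bool:
    """Boolean form of the check, convenient for tests and request handlers."""
    try:
        resolve_download_path(base_dir, requested)
        return True
    except UnsafePathError:
        return False


def symlink_demo() -> bool:
    """Show that a symlink inside the downloads directory pointing outside
    is rejected too. Returns True when the check rejected it; returns True
    as well on systems where symlinks cannot be created (nothing to test)."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp) / "downloads"
        base.mkdir()
        secret = Path(tmp) / "outside" / "secret.txt"  # constructed target
        secret.parent.mkdir()
        secret.write_text("not for download")
        try:
            (base / "invoice.pdf").symlink_to(secret)
        except (OSError, NotImplementedError):
            return True
        return not is_safe_download(str(base), "invoice.pdf")


if __name__ == "__main__":
    BASE = "/srv/app/downloads"  # assumed downloads directory
    # Constructed sample addresses: the first two are legitimate, the rest
    # are the kinds of input the advisory says were not filtered.
    for addr in ["orders/invoice-1001.pdf", "orders/../orders/invoice-1001.pdf",
                 "../../etc/passwd", "/etc/passwd", "orders/../../config.php"]:
        print(f"{addr!r:45} -> {'allowed' if is_safe_download(BASE, addr) else 'REJECTED'}")
    print("symlink to outside rejected:", symlink_demo())
```

Because the check runs after `resolve()`, an address such as `orders/../orders/invoice-1001.pdf` is allowed (it normalises to a file inside the directory) while `orders/../../config.php` is rejected; a substring filter for `..` would get the first case wrong. Any URL-decoding or other transformation the program applies to the address must happen before this check, not after it.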
The specific steps of installing an extension should be carried out by the server itself rather than driven by the client.