前台会员头像上传任意文件，finecms v5.2及之后的版本已修复此漏洞，大家可以对比一下代码确认

涉及文件：/finecms/dayrui/controllers/member/Account.php

public function upload() {

// 创建图片存储文件夹
$dir = SYS_UPLOAD_PATH.'/member/'.$this->uid.'/';
@dr_dir_delete($dir);
!is_dir($dir) && dr_mkdirs($dir);if ($_POST['tx']) {$file = str_replace(' ', '+', $_POST['tx']);if (preg_match('/^(data:\s*image\/(\w+);base64,)/', $file, $result)){$new_file = $dir.'0x0.'.$result[2];if (!@file_put_contents($new_file, base64_decode(str_replace($result[1], '', $file)))) {exit(dr_json(0, '目录权限不足或磁盘已满'));

接收txt的参数.然后匹配了正则.最后取出内容和文件后缀部分。再直接存盘.文件名都是统一的0x0

仅仅是需要记住当前用户的id就可以搞定了

网络修复方案：

if (preg_match('/^(data:\s*image\/(png|jpg|jpeg);base64,)/', $file, $result)){

官方修复方案：升级到最新版，或手动替换代码

public function upload() {

    // 创建图片存储文件夹$dir = dr_upload_temp_path().'member/'.$this->uid.'/';@dr_dir_delete($dir);!is_dir($dir) && dr_mkdirs($dir);if ($_POST['tx']) {$file = str_replace(' ', '+', $_POST['tx']);if (preg_match('/^(data:\s*image\/(\w+);base64,)/', $file, $result)){$new_file = $dir.'0x0.'.$result[2];if (!in_array(strtolower($result[2]), array('jpg', 'jpeg', 'png', 'gif'))) {exit(dr_json(0, '目录权限不足'));}if (!@file_put_contents($new_file, base64_decode(str_replace($result[1], '', $file)))) {exit(dr_json(0, '目录权限不足'));} else {list($width, $height, $type, $attr) = getimagesize($new_file);if (!$type) {@unlink($new_file);exit(function_exists('iconv') ? iconv('UTF-8', 'GBK', '图片字符串不规范') : 'error3');}$this->load->library('image_lib');$config['create_thumb'] = TRUE;$config['thumb_marker'] = '';$config['maintain_ratio'] = FALSE;$config['source_image'] = $new_file;foreach (array(30, 45, 90, 180) as $a) {$config['width'] = $config['height'] = $a;$config['new_image'] = $dir.$a.'x'.$a.'.'.$result[2];$this->image_lib->initialize($config);if (!$this->image_lib->resize()) {exit(dr_json(0, '上传错误：'.$this->image_lib->display_errors()));break;}}// ok$my = SYS_UPLOAD_PATH.'/member/'.$this->uid.'/';@dr_dir_delete($my);!is_dir($my) && dr_mkdirs($my);$c = 0;if ($fp = @opendir($dir)) {while (FALSE !== ($file = readdir($fp))) {$ext = substr(strrchr($file, '.'), 1);if (in_array(strtolower($ext), array('jpg', 'jpeg', 'png', 'gif'))) {if (copy($dir.$file, $my.$file)) {$c++;}}}closedir($fp);}if (!$c) {exit(dr_json(0,  fc_lang('未找到目录中的图片')));}}} else {exit(dr_json(0, '图片字符串不规范'));}} else {exit(dr_json(0, '图片不存在'));}