Tipask Q&A system 1.4 upload vulnerability

user.php (user operations):
```php
function oneditimg() { // edit avatar
    if (isset($_FILES["Filedata"])) {
        $upload_tmp_path = "data/tmp/";
        // Extension is taken from the last 3 characters of the client-supplied file name
        $fileName = 'bigavatar' . $this->user['uid'] . '.' . substr($_FILES["Filedata"]['name'], -3);
        // File is moved into place before anything about it is checked
        move_uploaded_file($_FILES["Filedata"]["tmp_name"], $upload_tmp_path . $fileName);
        // straightforward enough.........
        $img = getimagesize($upload_tmp_path . $fileName);
        $imginfo = array();
        $imginfo['src'] = SITE_URL . $upload_tmp_path . $fileName . '?' . time();
        $imginfo['w'] = $img[0];
        $imginfo['h'] = $img[1];
        $imginfo['ext'] = $img[2];
        echo json_encode($imginfo);
        // and it even tells you the path after upload.....
    } else {
        if ($this->setting["ucenter_open"]) {
            $this->load('ucenter');
            $imgstr = $_ENV['ucenter']->set_avatar($this->user['uid']);
        }
        include template("editimg");
    }
}
```
Everything here is as direct as it gets. The file is written straight to data/tmp/bigavatar<uid>.<ext>, where <ext> is simply the last three characters of the client-supplied file name; the suffix is never checked, and the JSON response hands back the final path.
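For comparison, the following is an added example of how this handler should be written; it is not Tipask's code. It assumes the same `$_FILES` entry, a `$uid` from the session, and an upload directory (`$uploadDir`) that the web server is configured never to execute scripts from. The server picks the extension from the decoded image content, re-encodes the pixels through GD so nothing but image data reaches disk, and never trusts `$_FILES['name']`.

```php
<?php
// Added example, not Tipask's own code: a hardened avatar upload.
// $file      one entry of $_FILES (e.g. $_FILES['Filedata'])
// $uid       the logged-in user's id (assumed already validated as an int)
// $uploadDir directory with script execution disabled at the server layer
//            (assumption: data/tmp/ protected by server config, or outside web root)
function save_avatar(array $file, int $uid, string $uploadDir): array
{
    // 1. Only accept a completed upload that PHP itself received.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return ['error' => 'no valid upload'];
    }

    // 2. Size limit before decoding anything (assumed limit: 2 MiB).
    if (filesize($file['tmp_name']) > 2 * 1024 * 1024) {
        return ['error' => 'file too large'];
    }

    // 3. Type is decided from the bytes, never from $_FILES['name'].
    $info = @getimagesize($file['tmp_name']);
    $allowed = [IMAGETYPE_JPEG, IMAGETYPE_PNG, IMAGETYPE_GIF];
    if ($info === false || !in_array($info[2], $allowed, true)) {
        return ['error' => 'not an accepted image type'];
    }
    // Cap dimensions so a tiny file cannot inflate into a huge GD bitmap.
    if ($info[0] > 4096 || $info[1] > 4096) {
        return ['error' => 'image dimensions too large'];
    }

    // 4. Re-encode through GD: the output holds only pixel data, so any
    //    trailing or embedded non-image content from the upload is dropped.
    $im = @imagecreatefromstring(file_get_contents($file['tmp_name']));
    if ($im === false) {
        return ['error' => 'image decode failed'];
    }

    // 5. Fixed, server-chosen file name and extension (always PNG).
    $fileName = 'bigavatar' . $uid . '.png';
    $dest = rtrim($uploadDir, '/') . '/' . $fileName;
    $ok = imagepng($im, $dest);
    imagedestroy($im);
    if (!$ok) {
        return ['error' => 'could not write avatar'];
    }
    chmod($dest, 0644); // readable by the web server, not executable

    // Same response shape the original handler returns, minus any client input.
    return [
        'src' => $dest . '?' . time(),
        'w'   => $info[0],
        'h'   => $info[1],
        'ext' => IMAGETYPE_PNG,
    ];
}

// Usage inside the controller (constructed call, not Tipask's code):
// echo json_encode(save_avatar($_FILES['Filedata'], (int) $this->user['uid'], 'data/tmp'));
```

Two points in this design matter more than the rest: the extension and file name are chosen entirely by the server, and the bytes that reach disk are GD's re-encoded output rather than the upload itself. Even with those in place, the directory should still have PHP execution disabled in the web server configuration, so that a future bug in the handler cannot turn an upload into code execution.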