2005-10-21 15:55:06 Author: collected and compiled by 模板天下 Source: unknown
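MolyX Board (hereafter MXB) is a PHP forum program developed by the MolyX Studios team (apparently the same group as the CNVBB team). MXB combines the strengths of many forum programs, draws on the best of each, and is feature-rich. Years of experience localizing and improving forum software also make MXB a better fit for the habits of Chinese users. Vulnerabilities, however, are hard to avoid.
Tested version:
MolyX BOARD 2.5.0 Beta1
1. usercp.php vulnerability
When an attachment is deleted, the variable attachid[] is not filtered strictly enough, which leads to disclosure of the absolute path and to an SQL injection vulnerability. The analysis follows:
Code, lines 397-407: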
$affected_ids = count($_INPUT['attachid']);
if ( $affected_ids > 0 ) {
    $attachments = $DB->query("SELECT a.*, p.threadid, p.pid
        FROM ".TABLE_PREFIX."attachment a
        LEFT JOIN ".TABLE_PREFIX."post p ON ( a.postid=p.pid )
        WHERE a.attachmentid IN (".implode(",", $_INPUT['attachid']).")
        AND a.userid='".$bbuserinfo['id']."'");
    if ( $attachment = $DB->fetch_array($attachments) ) {
        if ( $attachment['location'] ) {
            @unlink( $bboptions['uploadfolder']."/".$attachment['attachpath']."/".$attachment['location'] );
        }
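The hardened counterpart to the query above, as an added example that is not MolyX Board code: every attachid[] element is reduced to a positive integer before the IN (...) list is built, and the query is skipped when nothing valid remains. The function names, the mxb_ table prefix, the user id and the sample request values are assumptions made for illustration; the code targets PHP 7.1 or later.

```php
<?php
// Added example, not MolyX Board code. Function names are hypothetical.

// Reduce request input to unique positive integer ids. A scalar is accepted
// too, so a malformed request never reaches implode() as a non-array.
function normalize_ids($raw, int $max = 100): array
{
    $ids = [];
    foreach ((array) $raw as $v) {
        if (!is_string($v) && !is_int($v)) {
            continue; // nested arrays, null, floats, booleans: drop
        }
        $v = (string) $v;
        // Digits only, short enough not to overflow the integer cast.
        if (ctype_digit($v) && strlen($v) <= 9 && (int) $v > 0) {
            $ids[(int) $v] = true; // array key de-duplicates
        }
    }
    return array_slice(array_keys($ids), 0, $max);
}

// Build the attachment lookup from validated integers only.
// Returns null when there is nothing valid to look up.
function build_attachment_query(string $prefix, array $ids, int $userId): ?string
{
    $ids = array_map('intval', $ids);
    if ($ids === []) {
        return null;
    }
    return "SELECT a.*, p.threadid, p.pid"
        . " FROM {$prefix}attachment a"
        . " LEFT JOIN {$prefix}post p ON ( a.postid=p.pid )"
        . " WHERE a.attachmentid IN (" . implode(",", $ids) . ")"
        . " AND a.userid=" . $userId;
}

// Constructed request values, for illustration only.
$samples = [
    ['12', '15', '15'],       // well-formed, with a duplicate
    ['12', '7 junk', ['9']],  // non-numeric and nested values are dropped
    'abc',                    // scalar sent instead of attachid[]
];
foreach ($samples as $raw) {
    // 'mxb_' and user id 42 are assumed values.
    $sql = build_attachment_query('mxb_', normalize_ids($raw), 42);
    echo ($sql === null ? "(no query issued)" : $sql), "\n";
}
```

Where the database layer supports bound parameters (PDO or mysqli), binding each id is preferable to building the list by hand.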
We can see that attachid[] is passed through $_INPUT['attachid'] into the database query. Tracing $_INPUT[] leads to global.php, line 23:
$_INPUT = $forums->func->init_variable();
Following init_variable() further: it is defined in includes/functions.php, with the following code:
function init_variable()
{
    $return = array();
    foreach(array($_GET, $_POST) AS $type) {
        if( is_array($type) ) {
            foreach ($type AS $k => $v) {
                if ( is_array($type[$k]) ) {
                    foreach ($type[$k] AS $k1 => $v1) {
                        $return[ $this->clean_key($k) ][ $this->clean_key($k1) ] = $this->clean_value($v1);
                    }
                } else {
                    $return[ $this->clean_key($k) ] = $this->clean_value($v);
                }
            }
        }
    }
    return $return;
}
function clean_key($key)
{
    if ($key == "") return "";
    return preg_replace( array("/\.\./", "/\_\_(.+?)\_\_/", "/^([\w\.\-\_]+)$/"), array("", "", "$1"), $key );
}
function clean_value($val)
{
    if ($val == "") return "";
    $pregfind = array ( " ", "&", "" );
    $pregreplace = array ( " ", "&", "" );
    $val = str_replace($pregfind, $pregreplace, $val);
    $val = preg_replace( "/