乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2012-11-13: 积极联系厂商并且等待厂商认领中,细节不对外公开 2012-11-13: 厂商已经主动忽略漏洞,细节向公众公开
可注射到管理员密码。会员等
plus/bookfeedback.php. 小说模块。变量未初始化。导致注射。 不过默认不安装此模块。
require_once(dirname(__FILE__)."/../include/common.inc.php");require_once(DEDEINC."/filter.inc.php");require_once(DEDEINC."/channelunit.func.php");.............. //保存评论内容 if($comtype == 'comments') { $arctitle = addslashes($arcRow['arctitle']); $arctitle = $arcRow['arctitle']; if($msg!='') { $inquery = "INSERT INTO `#@__bookfeedback`(`aid`,`catid`,`username`,`arctitle`,`ip`,`ischeck`,`dtime`, `mid`,`bad`,`good`,`ftype`,`face`,`msg`) VALUES ('$aid','$catid','$username','$bookname','$ip','$ischeck','$dtime', '{$cfg_ml->M_ID}','0','0','$feedbacktype','$face','$msg'); "; $rs = $dsql->ExecuteNoneQuery($inquery); if(!$rs) { echo $dsql->GetError(); exit(); } } } //引用回复 elseif ($comtype == 'reply') { $row = $dsql->GetOne("Select * from `#@__bookfeedback` where id ='$fid'"); $arctitle = $row['arctitle']; $aid =$row['aid']; $msg = $quotemsg.$msg; $msg = HtmlReplace($msg,2); $inquery = "INSERT INTO `#@__bookfeedback`(`aid`,`typeid`,`username`,`arctitle`,`ip`,`ischeck`,`dtime`,`mid`,`bad`,`good`,`ftype`,`face`,`msg`) VALUES ('$aid','$typeid','$username','$arctitle','$ip','$ischeck','$dtime','{$cfg_ml->M_ID}','0','0','$feedbacktype','$face','$msg')"; $dsql->ExecuteNoneQuery($inquery); }
$catid变量以及$typeid变量未初始化。造成
对$catid变量以及$typeid变量未初始赋值
未能联系到厂商或者厂商积极拒绝
