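2014-05-05: Actively contacting the vendor and waiting for the vendor to claim the report; details are not public.
2014-08-03: The vendor has actively ignored the vulnerability; details are disclosed to the public.
Insufficient input filtering.
In action/event/event_invite.action.php: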
$user_id=get_sess_userid();
$user_name=get_sess_username();
$event_id=short_check(get_argp('event_id'));
$pals_id=get_argp('pals_id'); // not filtered here
$pals_name=get_argp('pals_name');

if(!empty($pals_id)){
    $title=$user_name.$ea_langpackage->ea_invite_participate.$event_name.$ea_langpackage->ea_activity;
    $scrip_content=$user_name.$ea_langpackage->ea_invite_participate.'<a href="home.php?h='.$user_id.'&app=event_space&event_id='.$event_id.'" target="_blank">'.$event_name.'</a>'.$ea_langpackage->ea_activity.'<br />'.$ea_langpackage->ea_you_can.'<a href="javascript:void(0)" onclick="join_event('.$event_id.')">'.$ea_langpackage->ea_accept_invite.'</a>'.$ea_langpackage->ea_or_view.'<a href="home.php?h='.$user_id.'&app=event_space&event_id='.$event_id.'" target="_blank">'.$ea_langpackage->ea_event_details.'</a>';
    foreach($pals_id as $key => $value){
        $sql="insert into $t_event_invite (event_id,user_id,user_name,to_user_id,to_user_name,dateline) values ($event_id,$user_id,'$user_name','$value','".$pals_name[$key]."',".time().")";
        $dbo->exeUpdate($sql);
        echo $sql;
        exit;
After that, the foreach loop also applies no filtering, and the values are placed directly into the query.
short_check
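A hardened form of the invite loop above, added here as an example and not the application's own code. It assumes PDO in place of the application's $dbo wrapper and an in-memory SQLite table standing in for $t_event_invite; insert_event_invites() is a hypothetical helper name.

```php
<?php
// Added example: hardened form of the invite loop. PDO replaces the application's
// $dbo wrapper (assumption); insert_event_invites() is a hypothetical helper.
function insert_event_invites(PDO $db, int $event_id, int $user_id, string $user_name,
                              $pals_id, $pals_name): int
{
    // pals_id[] and pals_name[] are expected as arrays; reject anything else.
    if (!is_array($pals_id) || !is_array($pals_name)) {
        throw new InvalidArgumentException('pals_id and pals_name must be arrays');
    }
    // Placeholders keep every request value out of the SQL text.
    $stmt = $db->prepare(
        'INSERT INTO event_invite
            (event_id, user_id, user_name, to_user_id, to_user_name, dateline)
         VALUES (?, ?, ?, ?, ?, ?)'
    );
    $inserted = 0;
    foreach ($pals_id as $key => $value) {
        // to_user_id must be a positive integer; nested arrays and strings
        // with trailing characters fail validation and are skipped.
        $id = filter_var($value, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        if ($id === false) {
            continue;
        }
        // The name is bound as data; a missing or non-string entry becomes ''.
        $name = (isset($pals_name[$key]) && is_string($pals_name[$key]))
            ? $pals_name[$key] : '';
        $stmt->execute([$event_id, $user_id, $user_name, $id, $name, time()]);
        $inserted++;
    }
    return $inserted;
}

// Constructed demo: in-memory SQLite stands in for the $t_event_invite table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE event_invite (event_id INTEGER, user_id INTEGER, user_name TEXT,
           to_user_id INTEGER, to_user_name TEXT, dateline INTEGER)');

// Constructed input: a valid id, a malformed id, and a name containing a quote.
$pals_id   = ['12', '7abc', '15'];
$pals_name = ['alice', 'ignored', "O'Brien"];
$count = insert_event_invites($db, 3, 1, 'bob', $pals_id, $pals_name);

echo "inserted: $count\n";
foreach ($db->query('SELECT to_user_id, to_user_name FROM event_invite') as $row) {
    echo $row['to_user_id'], ' ', $row['to_user_name'], "\n";
}
```

The malformed id is dropped before it reaches the database, and the name containing a quote is stored unchanged because it is bound as a parameter instead of being concatenated into the statement.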
Unable to contact the vendor, or the vendor actively refused.