漏洞处理时间线:
2014-07-22: 细节已通知厂商并且等待厂商处理中
2014-07-27: 厂商主动忽略漏洞,细节向第三方安全合作伙伴开放
2014-09-20: 细节向核心白帽子及相关领域专家公开
2014-09-30: 细节向普通白帽子公开
2014-10-10: 细节向实习白帽子公开
2014-10-17: 细节向公众公开
简要描述:会员资料中的 email 字段入库时不做任何过滤或格式校验,后台管理员编辑会员信息时又原样输出,形成存储型 XSS,可打到后台。
输入:Protected/member/controller/inforController.php中 public function index() { if(!$this->isPost()){ $auth=$this->auth; $id=$auth['id']; $info=model('members')->find("id='{$id}'"); $this->info=$info; $this->path=__ROOT__.'/upload/member/image/'; $this->twidth=config('HEAD_W'); $this->theight=config('HEAD_H'); $this->display(); }else{ $id=intval($_POST['id']); $data['nickname']=in(trim($_POST['nickname'])); $acc=model('members')->find("id!='{$id}' AND nickname='".$data['nickname']."'"); if(!empty($acc['nickname'])) $this->error('该昵称已经有人使用~'); if (empty($_FILES['headpic']['name']) === false){ $tfile=date("Ymd"); $imgupload= $this->upload($this->uploadpath.$tfile.'/',config('imgupSize'),'jpg,bmp,gif,png'); $imgupload->saveRule='thumb_'.time(); $imgupload->upload(); $fileinfo=$imgupload->getUploadFileInfo(); $errorinfo=$imgupload->getErrorMsg(); if(!empty($errorinfo)) $this->alert($errorinfo); else{ if(!empty($_POST['oldheadpic'])){ $picpath=$this->uploadpath.$_POST['oldheadpic']; if(file_exists($picpath)) @unlink($picpath); } $data['headpic']=$tfile.'/'.$fileinfo[0]['savename']; } } $data['email']=$_POST['email']; //直接将$_POST[‘email’]传入,没有过滤,也没有对email的格式进行验证 $data['tel']=in($_POST['tel']); $data['qq']=in($_POST['qq']); model('members')->update("id='{$id}'",$data);//更新到数据库 $this->success('信息编辑成功~'); } }输出:Protected/apps/member/controller/adminmemberController.php public function edit() { if(!$this->isPost()){ $id=$_GET['id']; if(empty($id)) $this->error('参数错误'); $info=model('members')->find("id='$id'");//直接从数据库中查询 $info['rrmb']=$info['rmb']-$info['crmb']; $group=model('memberGroup')->select("id !='1'","id,name"); foreach ($group as $val) { $select.=($val['id']==$info['groupid'])?"<option selected='selected' value='{$val['id']}'>{$val['name']}</option>":"<option value='{$val['id']}'>{$val['name']}</option>"; } $this->select=$select; $this->info=$info; $this->display();//调用Protected/apps/member/view/adminmember_edit.php }else{ 。。。。 } 
}Protected/apps/member/view/adminmember_edit.php中 <tr> <td align="right">邮箱:</td> <td><input type="text" name="email" value="{$info['email']}"></td> <td class="inputhelp"></td> </tr>直接输出没有过滤
漏洞证明:会员在前台资料页将 email 填为脚本载荷后,管理员在后台管理会员信息时,该 email 被原样写入输入框的 value 属性并显示,载荷即在管理员会话中执行。
修复方案:入库前对 email 做格式校验(如 filter_var 的 FILTER_VALIDATE_EMAIL)并过滤;更重要的是后台模板输出 {$info['email']} 时必须用 htmlspecialchars 转义——仅靠输入过滤不够,输出点转义才是根本。
危害等级:无影响(厂商忽略)
忽略时间:2014-10-17 11:10
暂无