乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2015-12-28: 细节已通知厂商并且等待厂商处理中 2015-12-28: 厂商已经确认,细节仅向厂商公开 2016-01-07: 细节向核心白帽子及相关领域专家公开 2016-01-17: 细节向普通白帽子公开 2016-01-27: 细节向实习白帽子公开 2016-02-09: 细节向公众公开
未过滤
先看写入代码:/var/www/html/thinksaas/app/my/action/setting.php
case "citydo": $province = trim($_POST['province']); $city = trim($_POST['city']);//只过滤两处空白 //这里就直接写入数据库了 $new['my']->update('user_info',array( 'userid'=>$userid, ),array( 'province'=>$province, 'city'=>$city, )); tsNotice("常居地更新成功!"); break;
Update:
public function update($table, $conditions, $row) { $where = ""; if (empty ( $row )) return FALSE; if (is_array ( $conditions )) { $join = array (); foreach ( $conditions as $key => $condition ) { $condition = $this->escape ( $condition ); $join [] = "`{$key}` = {$condition}"; } $where = "WHERE " . join ( " AND ", $join ); } else { if (null != $conditions) $where = "WHERE " . $conditions; } foreach ( $row as $key => $value ) { $value = $this->escape ( $value ); //只做了转义 //$vals [] = "`$key` = $value"; $vals [] = "{$key} = {$value}"; } $values = join ( ", ", $vals ); $sql = "UPDATE " . dbprefix . "{$table} SET {$values} {$where}"; return $this->db->query ( $sql ); }
再来看取出:/var/www/html/thinksaas/app/user/class.user.php
//获取一个用户的信息 function getOneUser($userid){ $strUser = $this->find('user_info',array( 'userid'=>$userid, )); if($strUser){ $strUser['username'] = tsTitle($strUser['username']); if($strUser['face'] && $strUser['path']){ $strUser['face'] = tsXimg($strUser['face'],'user',120,120,$strUser['path'],1); }elseif($strUser['face'] && $strUser['path']==''){ $strUser['face'] = SITE_URL.'public/images/'.$strUser['face']; }else{ //没有头像 $strUser['face'] = SITE_URL.'public/images/user_large.jpg'; } }else{ $strUser = ''; } return $strUser; //没任何过滤 }
过滤并编码
危害等级:中
漏洞Rank:10
确认时间:2015-12-28 23:02
感谢反馈,已经修复。
暂无