X-pad guestbook has a serious security vulnerability (warning from Black Bar Safety Net / myhack58)

ID MYHACK58:62200717602
Type myhack58
Reporter Anonymous
Modified 2007-11-14T00:00:00


This program can be found by searching Baidu for the keyword x-pad (http://www.baidu.com/baidu?wd=x-pad&cl=3). Among the results I found a modified version whose description reads: "A text-file based PHP guestbook, easy to install, powerful, with good security and a highly customizable appearance; a very practical guestbook, http://7y2.51.net/gb". Security, however, is not one of its strengths. Let's take a look.

First, let's look at the part that writes the data:

```php
class Post {
    function Main() {
        global $General, $HTTP_POST_VARS, $User, $txt;
        if (Invalid($HTTP_POST_VARS['user'])) {
            $Main = Prompt("$txt[168]", "index.php?mod=register");
        } elseif ((trim($HTTP_POST_VARS['name']) != "" || $User->Auth)
                  && trim($HTTP_POST_VARS['subject']) != ""
                  && trim($HTTP_POST_VARS['message']) != "") {
            if ($User->Auth) {
                // Logged-in user: poster details come from the session object
                $PosterName = $User->Name;
                $Email      = $User->Email;
                $HomePage   = $User->Homepage;
                $QQ         = $User->QQ;
                $Flag       = 1;
            } else {
                if ($HTTP_POST_VARS['psw'] == "") {
                    // Guest post: every field is taken from the request unchecked
                    $PosterName = $HTTP_POST_VARS['name'];
                    $Email      = $HTTP_POST_VARS['email'];
                    $HomePage   = $HTTP_POST_VARS['homepageurl'];
                    $QQ         = $HTTP_POST_VARS['qq'];
                    $Flag       = 0;
                } elseif (Verify($HTTP_POST_VARS['name'], $HTTP_POST_VARS['psw'])) {
                    include("Users/$HTTP_POST_VARS[name].php");
                    $PosterName = $HTTP_POST_VARS['name'];
                    $Email      = $User_EMail;
                    $HomePage   = $User_Homepage;
                    $QQ         = $User_QQ;
                    $Flag       = 1;
                } else {
                    $Main = Prompt("$txt[169]", "index.php?mod=post");
                    return $Main;
                }
            }
            include("Sources/SRC_list.php");
            $idx->Open();
            // Subject and message are passed through verbatim as well
            $idx->Add($HTTP_POST_VARS['subject'], $PosterName, $Email, $HomePage, $QQ,
                      $HTTP_POST_VARS['message'], $Flag, $HTTP_POST_VARS['ns'] ? "1" : "0");
            $idx->Close();
        }
        // the snippet quoted on the page ends here
        return $Main;
    }
}
```

Look at this line:

```php
$Email = $HTTP_POST_VARS['email'];
```

It goes through no check at all; the value is taken straight from the request. Now look closely at this piece of code:

```php
include("Sources/SRC_list.php");
$idx->Open();
$idx->Add($HTTP_POST_VARS['subject'], $PosterName, $Email, $HomePage, $QQ,
          $HTTP_POST_VARS['message'], $Flag, $HTTP_POST_VARS['ns'] ? "1" : "0");
$idx->Close();
```

See it? If not, look more carefully: the part that writes the data is what matters. Next, let's see how Sources/SRC_list.php handles it. It made me dizzy; the way it passes the data around is convoluted!

```php
$opt = FileWrite($Settings->ListTopicsFile, $data);
```

The data processing is really complex and hard to explain clearly; read the code yourself and you will understand. In short, the IP address, the browser information and the subject are written, unfiltered, straight into ./List/ListTopics.php, and the program then includes that file. Speechless! The security is nowhere near what was claimed. That concludes the explanation; if anything is unclear, continue the discussion.
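To make the write-to-PHP-file problem concrete, here is an added example (not the X-pad guestbook's own code) that contrasts the pattern described above with a hardened writer and a check a defender can run before the list file is included. The function names, the record layout and the file paths are assumptions made for illustration.

```php
<?php
// Added example, not the X-pad guestbook's own code. It contrasts the pattern the
// advisory describes (interpolating unfiltered fields into PHP source that the
// program later include()s) with a hardened writer and an integrity check. The
// function names and the record layout are assumptions made for illustration.

// Vulnerable pattern (assumed shape of the $data built in SRC_list.php): the raw
// subject, IP and browser string are spliced into a PHP statement. A single quote
// in $subject terminates the string literal, so whatever follows it is parsed as
// code the next time ListTopics.php is included.
function build_record_vulnerable(string $subject, string $ip, string $agent): string
{
    return "\$topics[] = array('subject' => '$subject', 'ip' => '$ip', 'agent' => '$agent');\n";
}

// Hardened pattern: build the record as data and let var_export() emit the PHP
// literal. var_export() escapes quotes and backslashes, so no input can leave
// the string literal it is placed in.
function build_record_safe(string $subject, string $ip, string $agent): string
{
    $record = array('subject' => $subject, 'ip' => $ip, 'agent' => $agent);
    return '$topics[] = ' . var_export($record, true) . ";\n";
}

// Preferred fix: keep the list as plain data (JSON) that is decoded, never as
// source code that is executed. The file path is whatever the caller passes.
function append_topic_json(string $file, array $record): void
{
    $topics = is_file($file) ? json_decode((string) file_get_contents($file), true) : array();
    if (!is_array($topics)) {
        $topics = array();
    }
    $topics[] = $record;
    file_put_contents($file, json_encode($topics, JSON_UNESCAPED_UNICODE), LOCK_EX);
}

// Integrity check for a generated list file, usable before include() or from a
// scheduled job: a legitimate file consists of nothing but one open tag and
// "$topics[] = array(...)" statements whose values are string or integer
// literals. Any other token (an identifier, echo, eval, a second open tag, a
// close tag) means some input escaped its literal and the file must not be loaded.
function list_file_looks_clean(string $source): bool
{
    $allowedIds = array(T_OPEN_TAG, T_WHITESPACE, T_VARIABLE, T_ARRAY,
                        T_CONSTANT_ENCAPSED_STRING, T_DOUBLE_ARROW, T_LNUMBER);
    $allowedChars = array('[', ']', '=', '(', ')', ',', ';');
    $openTags = 0;
    foreach (token_get_all($source) as $token) {
        if (is_string($token)) {               // single-character tokens
            if (!in_array($token, $allowedChars, true)) {
                return false;
            }
            continue;
        }
        list($id, $text) = $token;
        if (!in_array($id, $allowedIds, true)) {
            return false;
        }
        if ($id === T_VARIABLE && $text !== '$topics') {
            return false;
        }
        if ($id === T_OPEN_TAG && ++$openTags > 1) {
            return false;
        }
    }
    return $openTags === 1;
}

// Constructed sample input: a subject containing a quote and a PHP open tag.
$subject = "It's <?php a test";
$ip      = '192.0.2.1';          // RFC 5737 documentation address
$agent   = 'ExampleBrowser/1.0'; // constructed User-Agent string

$vulnerableFile = "<?php\n" . build_record_vulnerable($subject, $ip, $agent);
$safeFile       = "<?php\n" . build_record_safe($subject, $ip, $agent);

var_dump(list_file_looks_clean($vulnerableFile)); // the quote broke the literal
var_dump(list_file_looks_clean($safeFile));       // var_export kept it one string
```

With the constructed subject, the vulnerable builder produces a record in which the apostrophe closes the string literal, so the tokenizer sees an identifier where only a literal is allowed and the check rejects the file; the var_export() version keeps the whole subject inside one escaped string literal and passes. The JSON variant removes the problem entirely, since a data file that is decoded rather than included cannot execute anything regardless of its contents.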

How to use it: find a guestbook, click to post a message, and write the code in the subject. If the guestbook requires registration before posting, simply register first; as for registration, apart from what was said above, the registration part does no filtering either! Study that yourself.