Zuitu group-buy program commercial version CV1.6.1490 vulnerability

2010-10-10T00:00:00
ID MYHACK58:62201028064
Type myhack58
Reporter Anonymous
Modified 2010-10-10T00:00:00

Description

This vulnerability is very serious and directly affects the website's order information. It was found in commercial version CV1.6.1490.

Problem cause:

When the user enters the order page (/team/buy.php?id=xxx), the page contains a hidden field <input type="hidden" name="id" value="{$order['id']}" />. This $order['id'] stores the id of the user's order before payment, and it is the SQL injection entry point.

Criterion 1:

Modify the field to <input type="hidden" name="id" value="order id" /> and submit the form: the current order information overwrites the order information of the corresponding order id, but the payment status is not modified. If the user placed the order before the group buy succeeded, the group-buy coupon information is sent to the user.

Criterion 2:

Modify the field to <input type="hidden" name="id" value="sql statement" />: a dangerous SQL injection.

Workaround:

In team/buy.php (or wap/buy.php), around line 122 (line 107), there is the statement

if ($flag = $table->Update($insert))

As an emergency fix, Update can be changed to Insert.

Because the $table variable is initialized with $table = new Table('order', $_POST); once $_POST['id'] is not empty, its value is used as the primary key to look up and update the corresponding record.

In addition, the Update method of the DB class in DB.class.php is also vulnerable, which is what makes the SQL injection possible. It is at around line 284:

else $condition = "$pkname='$id'";

The value of $id is not sanitized, so the input value is passed directly into the SQL statement, which is very dangerous.
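
A hardened form of the update described above, as an added example that is not part of the original advisory or the product's code. The orders table, its columns, the 'unpay' state value and both function names are hypothetical, and PDO with an in-memory SQLite database stands in for the product's DB class. It addresses both criteria: the submitted id must be a plain integer, and the row is only updated when it belongs to the current user and is still unpaid.

```php
<?php
// Added example: hypothetical schema and helper names, not the product's code.
// Requires the pdo_sqlite extension; everything runs against an in-memory database.

// Validate a primary key taken from request data: positive decimal integer only.
function clean_order_id($raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Update an order only if it belongs to $userId and is still unpaid.
// Returns true when exactly one row was changed, false otherwise.
// Values are bound as parameters and never interpolated into the SQL text.
function update_own_unpaid_order(PDO $db, int $userId, $rawId, int $quantity): bool
{
    $id = clean_order_id($rawId);
    if ($id === null) {
        return false; // anything that is not an integer id is rejected outright
    }
    $stmt = $db->prepare(
        "UPDATE orders SET quantity = :q
          WHERE id = :id AND user_id = :uid AND state = 'unpay'"
    );
    $stmt->execute([':q' => $quantity, ':id' => $id, ':uid' => $userId]);
    return $stmt->rowCount() === 1; // no row: someone else's order, or already paid
}

// Constructed sample data: user 1 owns order 10, user 2 owns order 11.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE orders (id INTEGER PRIMARY KEY, user_id INTEGER,
                                quantity INTEGER, state TEXT)");
$db->exec("INSERT INTO orders VALUES (10, 1, 1, 'unpay'), (11, 2, 1, 'unpay')");

// The id would arrive as a string from the hidden form field.
var_dump(update_own_unpaid_order($db, 1, '10', 3));    // the user's own unpaid order
var_dump(update_own_unpaid_order($db, 1, '11', 3));    // an order id owned by another user
var_dump(update_own_unpaid_order($db, 1, '10abc', 3)); // a value that is not an integer
```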