PHPWIND latest version of querybuilder. class. php page, the vulnerability and the Fix-vulnerability warning-the black bar safety net
2011-08-28T00:00:00
ID MYHACK58:62201131704 Type myhack58 Reporter 佚名 Modified 2011-08-28T00:00:00
Description
Brief description:
phpwind in the realization of a placeholder for the SQL process, the code quality appears a small black point.
Detailed description:
In
phpwind/lib/utility/querybuilder.class.php
_parseStatement function within the
在 /phpwind/actions/ajax/leaveword.php
A reference at the
Line 7 line 8
$db->update(pwQuery::buildClause("UPDATE :pw_table SET leaveword=" . S::sqlEscape($atc_content) . "$sqladd WHERE pid=:pid AND tid=:tid", array($pw_posts, $pid, $tid)));
Didn't consider the$atc_content may be a placeholder
Also did not consider the pid should be a number, taken directly a string
Line: 3 1
But since the PW is replaced by the equal sign, replacing),cannot lead to very seriousSQL injectionvulnerabilities.
When submitting pid=asd, atc_content:pid case tips
Query Error: UPDATE pw_posts SET leaveword= ' 'asd' ' WHERE pid= 'asd' AND tid="
Repair solutions:
You may globally forget about the replacement for HTML entity, this can also try :)
Official has released the patch, please upgrade
{"id": "MYHACK58:62201131704", "hash": "e576b8d6fa2d9686506830e4355cb289c8c0552c76a1c6c6d4b5182f1bafafcf", "history": [], "published": "2011-08-28T00:00:00", "hashmap": [{"hash": "caf9b6b99962bf5c2264824231d7a40c", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "d4be9c4fc84262b4f39f89565918568f", "key": "cvss"}, {"hash": "d17d651691b96353ebea7551550f6d93", "key": "description"}, {"hash": "28355227034964671a976db3b2da7e3e", "key": "href"}, {"hash": "7501604c89860a9e350fa28f354c71bb", "key": "modified"}, {"hash": "56765472680401499c79732468ba4340", "key": "objectVersion"}, {"hash": "7501604c89860a9e350fa28f354c71bb", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "645396391020478112635e14b34a0f8b", "key": "reporter"}, {"hash": "35f0c658f3f699a3ba7e640d95ea2d4a", "key": "title"}, {"hash": "0665a8b0792e65b50ab13aef58a018dc", "key": "type"}], "type": "myhack58", "objectVersion": "1.2", "references": [], "edition": 1, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "dependencies": {"references": [], "modified": "2016-11-12T18:09:49"}, "vulnersScore": 7.5}, "cvelist": [], "modified": "2011-08-28T00:00:00", "title": "PHPWIND latest version of querybuilder. class. php page, the vulnerability and the Fix-vulnerability warning-the black bar safety net", "viewCount": 1, "description": "Brief description: \nphpwind in the realization of a placeholder for the SQL process, the code quality appears a small black point. \nDetailed description: \nIn \nphpwind/lib/utility/querybuilder.class.php \n_parseStatement function within the\n\n\u5728 /phpwind/actions/ajax/leaveword.php \nA reference at the \nLine 7 line 8 \n$db->update(pwQuery::buildClause(\"UPDATE :pw_table SET leaveword=\" . S::sqlEscape($atc_content) . \"$sqladd WHERE pid=:pid AND tid=:tid\", array($pw_posts, $pid, $tid)));\n\nDidn't consider the$atc_content may be a placeholder \nAlso did not consider the pid should be a number, taken directly a string \nLine: 3 1\n\nS::gp(array( \n'pid', \n'atc_content', \n'ifmsg' \n), 'P');\n\nResult[SQL injection](<http://www.myhack58.com/Article/html/3/7/Article_007_1.htm>)\n\nBut since the PW is replaced by the equal sign, replacing),cannot lead to very serious[SQL injection](<http://www.myhack58.com/Article/html/3/7/Article_007_1.htm>)vulnerabilities. \nWhen submitting pid=asd, atc_content:pid case tips \nQuery Error: UPDATE pw_posts SET leaveword= ' 'asd' ' WHERE pid= 'asd' AND tid=\" \n\n\nRepair solutions:\n\n\nYou may globally forget about the replacement for HTML entity, this can also try \uff1a\uff09\n\nOfficial has released the patch, please upgrade\n", "href": "http://www.myhack58.com/Article/html/3/62/2011/31704.htm", "bulletinFamily": "info", "reporter": "\u4f5a\u540d", "cvss": {"vector": "NONE", "score": 0.0}, "lastseen": "2016-11-12T18:09:49"}
