PHPWind latest version: vulnerability in the querybuilder.class.php placeholder handling, and the fix - Vulnerability Warning - 黑吧安全网

ID MYHACK58:62201131704
Type myhack58
Reporter Anonymous (佚名)
Modified 2011-08-28T00:00:00


Brief description: In phpwind's implementation of placeholder substitution for SQL statements, there is a small blemish in code quality.

Detailed description: Placeholders are handled in the _parseStatement function of phpwind/lib/utility/querybuilder.class.php. One caller is /phpwind/actions/ajax/leaveword.php, lines 7-8:

$db->update(pwQuery::buildClause("UPDATE :pw_table SET leaveword=" . S::sqlEscape($atc_content) . "$sqladd WHERE pid=:pid AND tid=:tid", array($pw_posts, $pid, $tid)));

It was not considered that $atc_content may itself contain a placeholder (S::sqlEscape() runs before buildClause() substitutes placeholders, so a ":pid" inside the already-escaped content is substituted too), nor that pid should be a number; it is taken directly as a string at line 31:

S::gp(array( 'pid', 'atc_content', 'ifmsg' ), 'P');

Result: SQL injection.

However, because PW replaces the equals sign and parentheses in input, this cannot lead to a very serious SQL injection. Submitting pid=asd with atc_content=:pid produces the error: Query Error: UPDATE pw_posts SET leaveword= ' 'asd' ' WHERE pid= 'asd' AND tid=''
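The failure mode above, as an added illustration that is not phpwind's own code: a small Python model of a positional, text-replacement placeholder builder in the style of pwQuery::buildClause(), called the way leaveword.php calls it (escaped data concatenated into the template before substitution), beside a hardened caller that binds all data through placeholders and casts pid to int. The builder internals, the sql_escape() stand-in for S::sqlEscape(), and the rule that repeated placeholder names share one bound value are assumptions made so that the model reproduces the error string quoted on this page; they are not a transcription of querybuilder.class.php.

```python
"""Model of the phpwind leaveword.php placeholder bug (constructed example).

The bug: escaped user data is concatenated into the SQL template first, and
placeholder substitution then scans the whole string, so a ':pid' typed by the
user is treated as a placeholder and replaced with the (quoted) pid value.
"""
import re

PLACEHOLDER = re.compile(r":(\w+)")


def sql_escape(value):
    """Stand-in for S::sqlEscape(): quote and backslash-escape (assumption)."""
    text = str(value).replace("\\", "\\\\").replace("'", "\\'")
    return "'" + text + "'"


def build_clause_buggy(statement, args):
    """Hypothetical model of pwQuery::buildClause(): placeholders are bound to
    args in order of first appearance; every occurrence of a name gets the same
    value; ':pw_table' is a bare identifier, all other names are escaped values.
    It rescans data that the caller already concatenated into `statement`."""
    names = []
    for m in PLACEHOLDER.finditer(statement):
        if m.group(1) not in names:
            names.append(m.group(1))
    bound = dict(zip(names, args))  # missing args bind to nothing -> ''

    def sub(m):
        name = m.group(1)
        val = bound.get(name, "")
        return str(val) if name == "pw_table" else sql_escape(val)

    return PLACEHOLDER.sub(sub, statement)


def leaveword_update_buggy(pw_posts, pid, tid, atc_content, sqladd=""):
    """Mirrors leaveword.php lines 7-8: data is escaped and concatenated BEFORE
    buildClause() runs, so placeholders inside the data are substituted too."""
    stmt = ("UPDATE :pw_table SET leaveword=" + sql_escape(atc_content)
            + sqladd + " WHERE pid=:pid AND tid=:tid")
    return build_clause_buggy(stmt, [pw_posts, pid, tid])


def build_clause_safe(statement, params):
    """Hardened builder: named parameters, every placeholder must be supplied,
    and substituted values are emitted directly, never rescanned for ':name'."""
    out, pos = [], 0
    for m in PLACEHOLDER.finditer(statement):
        name = m.group(1)
        if name not in params:
            raise KeyError("unbound placeholder :" + name)
        out.append(statement[pos:m.start()])
        val = params[name]
        out.append(str(val) if name == "pw_table" else sql_escape(val))
        pos = m.end()
    out.append(statement[pos:])
    return "".join(out)


def leaveword_update_safe(pw_posts, pid, tid, atc_content):
    """Hardened caller: no string concatenation of user data into the template,
    and pid/tid are cast to int (ValueError on input such as 'asd')."""
    pid, tid = int(pid), int(tid)
    return build_clause_safe(
        "UPDATE :pw_table SET leaveword=:leaveword WHERE pid=:pid AND tid=:tid",
        {"pw_table": pw_posts, "leaveword": atc_content, "pid": pid, "tid": tid},
    )


if __name__ == "__main__":
    # Constructed input matching the page: pid=asd, atc_content=:pid, tid unset.
    print(leaveword_update_buggy("pw_posts", "asd", "", ":pid"))
    print(leaveword_update_safe("pw_posts", "5", "7", ":pid"))
```

The buggy call reproduces the quoted query error (leaveword=''asd'' ... tid=''): the user-supplied ":pid" is substituted with the quoted pid value, breaking out of the string literal. The safe call keeps ":pid" as inert content because the leaveword text arrives through its own placeholder and is emitted without a second scan.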

Fix:

Possibly the global HTML-entity replacement was forgotten as well; that could also be tried :)

The vendor has released a patch; please upgrade.