91736cms cookie injection vulnerability

2012-10-27T00:00:00
ID MYHACK58:62201235319
Type myhack58
Reporter Anonymous
Modified 2012-10-27T00:00:00

Description

I took another look at 91736cms; the earlier getip vulnerability has already been patched.

Vulnerable file: system/modules/member/index.php

public function edit(){
    if(empty($_COOKIE['member_user'])||empty($_COOKIE['member_userid'])){
        showmsg(C("admin_not_exist"),"index.php?m=member&f=login");
    }
    $userid=$_COOKIE['member_userid'];
    // Vulnerability is here: $userid goes into the database query unfiltered.
    $info=$this->mysql->get_one("select * from ".DB_PRE."member where userid=$userid");
    $input=base::load_class('input');
    $field=base::load_cache("cache_field_member","_field");
    $fields="";
    foreach($field as $value){
        $fields.="<tr>\n";
        $fields.="<td align=\"right\">".$value['name']."：</td>\n";
        $fields.="<td>".$input->$value['formtype'](/* arguments not preserved in the source */)." ".$value['explain']."</td>\n";
        $fields.="</tr>\n";
    }
    assign('member',$info);
    assign("fields",$fields);
    template("member/edit");
}

In fact, the function edit_save has the same vulnerability for the same reason; there, however, it is an UPDATE injection.

Presumably everyone knows the method; I used the Firefox plug-in Edit Cookies to demonstrate, as follows:

function edit:

[screenshot]

Here the account and password are extracted through the injection:

[screenshot]

function edit_save:

[screenshot]
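A hardened form of the lookup in edit(), as an added example that is not 91736cms code: the cookie value is validated as an integer and then passed as a bound parameter. The PDO/SQLite handle, the sample rows and the find_member name are assumptions; the original goes through its own $this->mysql wrapper.

```php
<?php
// Added example (not 91736cms code). The table and column names follow the
// query on the page; the PDO handle, rows and function name are constructed.

function find_member(PDO $db, $rawUserId): ?array
{
    // 1. Allow-list: the id must be a plain positive integer.
    $userid = filter_var($rawUserId, FILTER_VALIDATE_INT,
                         ['options' => ['min_range' => 1]]);
    if ($userid === false) {
        return null; // reject tampered, empty or missing cookie values
    }

    // 2. Bound parameter: the value never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT userid, username FROM member WHERE userid = :id');
    $stmt->bindValue(':id', $userid, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed in-memory database standing in for the DB_PRE."member" table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE member (userid INTEGER PRIMARY KEY, username TEXT, password TEXT)');
$db->exec("INSERT INTO member VALUES (1, 'alice', 'hash-a'), (2, 'bob', 'hash-b')");

// Constructed cookie values: one well-formed, two tampered.
foreach (['2', '2 OR 1=1', ''] as $cookieValue) {
    $member = find_member($db, $cookieValue);
    printf("%-12s => %s\n", var_export($cookieValue, true),
           $member ? $member['username'] : 'rejected');
}
```

The same treatment applies to the UPDATE in edit_save. Taking the member id from a server-side session instead of a client-supplied cookie removes the tampering vector altogether.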