Finecms 1.7.2 injection vulnerability-vulnerability warning-the black bar safety net

2012-11-23T00:00:00
ID MYHACK58:62201235687
Type myhack58
Reporter 佚名
Modified 2012-11-23T00:00:00

Description

漏洞 文件 :Client.Class.php 2 9 the rows at

public static function get_user_ip() {

if(getenv('HTTP_CLIENT_IP') && strcasecmp(getenv('HTTP_CLIENT_IP'), 'unknown')) {

$onlineip = getenv('HTTP_CLIENT_IP');

} elseif(getenv('HTTP_X_FORWARDED_FOR') && strcasecmp(getenv('HTTP_X_FORWARDED_FOR'), 'unknown')) {

$onlineip = getenv('HTTP_X_FORWARDED_FOR');

} elseif(getenv('REMOTE_ADDR') && strcasecmp(getenv('REMOTE_ADDR'), 'unknown')) {

$onlineip = getenv('REMOTE_ADDR');

} elseif(isset($_SERVER['REMOTE_ADDR']) && $_SERVER['REMOTE_ADDR'] && strcasecmp($_SERVER['REMOTE_ADDR'], 'unknown')) {

$onlineip = $_SERVER['REMOTE_ADDR'];

}

return $onlineip;

}

/ Obviously can forge a client_ip be injected /

RegsiterController.php 1 4 5 the rows at

private function reg($data) {

if (empty($data)) return false;

$data['groupid'] = 1;

$data['regdate'] = time();

$data['regip'] = client::get_user_ip();//use get_user_ip method,exploits this to produce.

$data['status'] = $this->memberconfig['status'] ? 0 : 1;

$data['modelid'] = (! isset($data['modelid']) || empty($data['modelid'])) ? $this->memberconfig['modelid'] : $data['modelid'];

if (! isset($this->membermodel[$data['modelid']])) $this->memberMsg('Membership model does not exist, please contact administrator.');

if ($this->memberconfig['uc_use'] == 1) {

if (uc_get_user($data['username'])) {

$this->memberMsg('the user no need to register, please log in directly to the activated!', url('member/login'), 1);

}

$uid = uc_user_register($data['username'], $data['password'], $data['email']);

if ($uid <= 0) {

if ($uid == -1) {

$this->memberMsg('user name illegal');

} elseif($uid == -2) {

$this->memberMsg('included to allow the registration of the words');

} elseif($uid == -3) {

$this->memberMsg('username already exists');

} elseif($uid == -4) {

$this->memberMsg('Email format is incorrect');

} elseif($uid == -5) {

$this->memberMsg('Email does not allow registration');

} elseif($uid == -6) {

$this->memberMsg('this Email is already registered');

} else {

$this->memberMsg('undefined');

}

} else {

$username = $data['username'];

}

}

$data['password'] = md5($data['password']);

$userid = $this->member->insert($data);

return $userid;

}

[1] [2] next