Guowei PHP168 contains a "magic array" that can leak user data for the entire site. The leaked content includes the ciphertext passwords of all site users, email, password, salt, IP and other sensitive information.
The built-in "user" module of PHP168 contains a user profile display page. In many real deployments this page is not used by the front end, but it can still be accessed directly by URL. The page route is: /homepage.php/[username]/member-profile
Taking the official PHP168 demo site as an example, the link to view any user's information page is:
Because a statement with this magic array appears in the module code, all data in the user table is treated as an array and displayed directly.
The vulnerability affects sites that use this CMS; taking PHP168's website customer cases as an example:
Remove the output
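
The fix above, shown as an added example that is not PHP168's own code: a profile renderer that prints the whole user row next to one that emits only allowlisted, escaped columns, plus a regression check for leaked values. The column names, sample row and function names are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);
// Added illustration, not PHP168 source. Column names and values are constructed.

// Constructed row, shaped like a record read from a user table.
$row = [
    'id'        => 42,
    'username'  => 'alice',
    'email'     => 'alice@example.com',
    'password'  => '5f4dcc3b5aa765d61d8327deb882cf99', // constructed hash
    'salt'      => 'x9Qp',
    'last_ip'   => '203.0.113.7',
    'signature' => 'Hello <b>world</b>',
];

// Leaky pattern: the entire row array is written into the page.
function render_profile_leaky(array $row): string
{
    return '<pre>' . htmlspecialchars(print_r($row, true), ENT_QUOTES, 'UTF-8') . '</pre>';
}

// Hardened pattern: only allowlisted columns reach the page, each one escaped.
const PUBLIC_PROFILE_FIELDS = ['username', 'signature'];

function render_profile_safe(array $row): string
{
    $html = "<dl>\n";
    foreach (PUBLIC_PROFILE_FIELDS as $field) {
        if (!array_key_exists($field, $row)) {
            continue; // a missing column is skipped, never replaced by a dump
        }
        $value = htmlspecialchars((string) $row[$field], ENT_QUOTES, 'UTF-8');
        $html .= "  <dt>{$field}</dt><dd>{$value}</dd>\n";
    }
    return $html . "</dl>\n";
}

// Regression check: list the sensitive columns whose values appear in the HTML.
function leaked_fields(string $html, array $row): array
{
    $sensitive = ['password', 'salt', 'email', 'last_ip'];
    return array_values(array_filter($sensitive, function ($f) use ($html, $row) {
        return isset($row[$f]) && strpos($html, (string) $row[$f]) !== false;
    }));
}

var_dump(leaked_fields(render_profile_leaky($row), $row));
var_dump(leaked_fields(render_profile_safe($row), $row));
```

Escaping the dump, as the leaky renderer does, does not help: the sensitive values still reach the page, which is why the check compares rendered output against the row rather than looking for markup.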