Ecmall several SQL injection vulnerability-vulnerability warning-the black bar safety net

2014-09-12T00:00:00
ID MYHACK58:62201453554
Type myhack58
Reporter 佚名
Modified 2014-09-12T00:00:00

Description

Search, find/app/seller_groupbuy. app. php there are 6 injection:

Are the files under the drop(),start(),finished(),desc(),cancel(),log()function in the id parameter

To finished (), for example:

function finished() { $id = empty($_GET['id']) ? 0 : $_GET['id'];//id parameter is not filtered if (!$ id) { $this->show_warning('no_such_groupbuy'); return false; } if (!$ this->_ican($id, ACT)) //enter _ican function, follow up { $this->show_warning('Hacking Attempt'); return; } / Group information / $group = $this->_groupbuy_mod->get(array( 'conditions' => 'group_id=' . $id, 'fields' => 'group_name', ));

if (!$ this->_groupbuy_mod->edit($id, array('state' => GROUP_FINISHED, 'end_time' => gmtime ()))) { $this->show_warning($this->_groupbuy_mod->get_error());

return; } $content = get_msg('tobuyer_groupbuy_finished_notify', array('group_name' => $group['group_name'], 'id' => $id)); $this->_groupbuy_mod->sys_notice( $id, array('buyer'), ", $content, array('msg') );

$this->show_message('finished_ok'); }

_ican function code:

function _ican($id, $act = ") { $state_permission = array( GROUP_PENDING => array('start', 'edit', 'drop'), GROUP_ON => array('cancel', 'desc', 'log', 'finished', 'export_ubbcode'), GROUP_END => array('cancel', 'desc', 'finished', 'log'), GROUP_FINISHED => array('drop', 'log', 'view_order'), GROUP_CANCELED => array('drop', 'log') );

$group = $this->_groupbuy_mod->get(array( 'join' => 'belong_goods', 'conditions' => 'gb. group_id=' . $id . 'AND g. store_id=' . $this->_store_id,// id parameter is not filtered directly into the query 'fields' => 'gb. state', )); if (!$ group) { return false; // override or not the buy } if (empty($act)) { return $state_permission[$group['state']]; // return the buy this state allows the operation of the } return in_array($act, $state_permission[$group['state']]) ? true : false; // the buy this state is allowed to perform this action }