CmsTop Media Edition: SQL injection vulnerability

2015-08-29T00:00:00
ID MYHACK58:62201566340
Type myhack58
Reporter Anonymous
Modified 2015-08-29T00:00:00

Description

The problem is in the uc.php interface: it does not correctly check whether the UC interface is turned on, and the key is still the default.

Because the code itself undoes the GPC (magic quotes) escaping, this leads to injection.

    $set = setting('member');
    // Qualify the UC table prefix with the UC database name.
    $set['uc_dbtablepre'] = '`'.$set['uc_dbname'].'`.'.$set['uc_dbtablepre'];
    $set = array_change_key_case($set, CASE_UPPER);
    foreach ($set as $k => $v) {
        if (preg_match('/^UC_/', $k)) define($k, $v);
    }
    // The configuration data is read from the database, then defined as constants.

    if (!defined('IN_UC')) { // no place that sets the IN_UC constant was seen, so the condition is satisfied
        if (MAGIC_QUOTES_GPC) {
            $get = _stripslashes($get); // if GPC is turned on, the escaping is simply undone
        }
        // ... (the excerpt ends here)
    }

Since the UC interface uses its own database connection, we just need to find a function to call:

    function renameuser($get, $post) {
        $uid = $get['uid'];
        $usernameold = $get['oldusername'];
        $usernamenew = $get['newusername'];
        if (!API_RENAMEUSER) {
            return API_RETURN_FORBIDDEN;
        }
        // Vulnerable: the unescaped request values are interpolated directly into the SQL string.
        $this->db->query("UPDATE #table_member SET username='$usernamenew' WHERE userid='$uid'");
        return API_RETURN_SUCCEED;
    }

This is a good injection point: any account's password can be updated, and the injection can also return data in the response. The administrators are in the same table.
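
A hardened counterpart to renameuser, added here as an example and not CmsTop's own code: it refuses to run unless the interface is explicitly enabled with a non-default key, validates uid, and passes the values as bound parameters. The member table name, the uc_enabled and uc_key config keys, the placeholder default key and the return-code values are assumptions.

```php
<?php
// Added example, not CmsTop code. Table name, config keys and return codes are assumptions.
const API_RETURN_SUCCEED = '1';
const API_RETURN_FORBIDDEN = '-2';

// Fail closed: the interface must be switched on explicitly, and the key must
// be neither empty nor the shipped default (a labelled placeholder here).
function uc_interface_allowed(array $config): bool
{
    $key = $config['uc_key'] ?? '';
    return !empty($config['uc_enabled'])
        && is_string($key) && $key !== ''
        && $key !== 'DEFAULT_KEY_PLACEHOLDER';
}

function renameuser(PDO $db, array $config, array $get): string
{
    if (!uc_interface_allowed($config)) {
        return API_RETURN_FORBIDDEN;
    }
    // uid must be a positive integer; anything else is rejected, not cast.
    $uid = filter_var($get['uid'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    $new = $get['newusername'] ?? '';
    if ($uid === false || !is_string($new) || $new === '') {
        return API_RETURN_FORBIDDEN;
    }
    // Values are bound parameters, so a quote in them stays data, never SQL.
    $stmt = $db->prepare('UPDATE member SET username = :name WHERE userid = :uid');
    $stmt->execute([':name' => $new, ':uid' => $uid]);
    return API_RETURN_SUCCEED;
}

// Constructed demo data in an in-memory SQLite database (needs pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE member (userid INTEGER PRIMARY KEY, username TEXT)');
$db->exec("INSERT INTO member VALUES (1, 'admin'), (2, 'alice')");

$on  = ['uc_enabled' => true, 'uc_key' => 'constructed-random-key'];
$off = ['uc_enabled' => true, 'uc_key' => 'DEFAULT_KEY_PLACEHOLDER'];
var_dump(renameuser($db, $on, ['uid' => '2', 'newusername' => "o'brien"]));
var_dump(renameuser($db, $on, ['uid' => "2'", 'newusername' => 'x']));
var_dump(renameuser($db, $off, ['uid' => '2', 'newusername' => 'x']));
print_r($db->query('SELECT * FROM member')->fetchAll(PDO::FETCH_ASSOC));
```

Only the first call changes a row, and the apostrophe in the new username is stored as literal text; the non-numeric uid and the default-key configuration are both refused.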

There is also a synlogin function that can log in to any account.

A great many large sites use this CMS.

Cases: http://www.cmstop.com/case/