CVE-2020-7700

CVE-2020-7700 affects phpjs. All versions up to 1.3.2 are vulnerable to Prototype Pollution via parse_str, enabling an attacker to modify Object.prototype. Notable sources (GHSA, OSV, NVD) corroborate prototype pollution and advise no widely fixed version; remediation guidance commonly suggests r...

Prototype Pollution

Overview phpjs is a community built php binding in javascript. Affected versions of this package are vulnerable to Prototype Pollution via parsestr. POC: require'phpjs'.parsestr"protopolluted=true",; console.logpolluted //true Remediation There is no fixed version for phpjs. Credit: Beomjin Lee...

PHP study notes and security vulnerabilities-vulnerability warning-the black bar safety net

System variables $POST // get the post data is a dictionary $GET // get get data, is a dictionary The error control operator PHP supports one error control operator:@the. When it is placed in a PHP expression, the expression may produce any error information is ignored. Variable default value Whe...

CVE-2007-3205

The parsestr function in 1 PHP, 2 Hardened-PHP, and 3 Suhosin, when called without a second parameter, might allow remote attackers to overwrite arbitrary variables by specifying variable names and values in the string to be parsed. NOTE: it is not clear whether this is a design limitation of the...

phpcms v9用户登录处存在sql注入漏洞

password字段如果存在特殊字符，在传入到程序时仍然会被转义，而且在phpsso的login中使用的是username做数据库查询，而不是password。针对第一个问题我们可以使用二次url编码的方法来搞定，在解码之后程序还是用了parsestr对字符串进行了拆解，而这个函数还附带了解url编码的功能。所以，我们只需要在传password内容时传递%2527就可以让单引号出现在phpsso的变量中了。第二个问题也用到parsestr的功能，parsestr在解析“username=123&password=456”这样的字符串，会把它解析为：Array username=123,...

CmsEasy 5.6 /celive/live/header.php SQL注入漏洞

整个漏洞详情在书安杂志中进行了详细的说明。链接：https://www.secbook.net在parseObjXml 凼数中$rootTag 就是传入的 xml 中的第一个标签，返里判断是 xjxobj 还是 xjxquery当$rootTag 为 xjxquery 时将传入的参数内容通过 parsestr 处理 parsestr$sQuery, $aArray;然后当 getmagicquotesgpc == 1 == on的时候候，将传入的参数值反转义$newArray$sKey = stripslashes$sValue;进入postdata函数。function...

PHPCMS V9 /phpcms/modules/vote/index.php 代码执行漏洞

漏洞影响版本：phpcms v9.5.8漏洞分析：hpsso/index.php文件所有的操作都存在严重的注入问题，这个类文件的构造函数最先调用它的父构造函数，通过authkey来解析POST传入的data内容，解析后data中的内容会作为注册、登陆、删除用户等操作的内容依据，而这些操作都会将这些数据作为数据库查询语句使用。这个问题其实在XXX的《PHPCMS V9...

Easytalk V2.5 SQL注入一枚

简要描述： 看官网上更新到了2.5。。 漏洞是少了不少。。 不好找了。。。找了很久都没找到什么。。 全局GET POST 转义。 详细说明： Indexaction中 public function checkreset parent::tologin; $uModel=D'Users'; $urldata=$REQUEST'urldata'; parsestrbase64decode$urldata; $userid=intval$userid; $username=strreplacearray"'",'"'," ","",$username;...

PhpcmsV9 arbitrary user password modification logic vulnerability-vulnerability warning-the black bar safety net

I actually sent the first vulnerability, see Tick: PhpcmsV9 SQL injection 2 0 1 3-year new year the first Mentioned pass code: parsestrsysauth$POST'data', 'DECODE', $this-applist$this-appid'authkey', $this-data; In phpssoserver/phpcms/modules/phpsso/classes/phpsso. class. php. I leave it up to yo...

WordPress GRAND Flash Album Gallery SQL Injection / Disclosure / File Overwrite

waraxe-2012-SA094 - Multiple Vulnerabilities in Wordpress GRAND Flash Album Gallery Plugin ============================================================================================= Author: Janek Vind "waraxe" Date: 24. October 2012 Location: Estonia, Tartu Web:...

bo-blog任意变量覆盖漏洞

// go.php $qurl=$SERVER"REQUESTURI"; @list$relativePath, $rawURL=@explode'/go.php/', $qurl; $rewritedURL=$rawURL; // 来自$SERVER"REQUESTURI",可以任意提交的: ... $RewriteRules="/component/^/+/?/"; // 这个正则限制的不够细致,可以很轻易的绕过: ... $RedirectTo="page.php?pagealias=\1"; $i=0; foreach $RewriteRules as $rule if...

PHPCMS2008 1 0 0 5 2 7 version website management system to download an arbitrary file vulnerability-vulnerability warning-the black bar safety net

Phpcms is a PHP-based+Mysql architecture of the web content management system, it is an open-source PHP development platform. Phpcms uses a modular approach to the development, functional and easy to use to facilitate the expansion, for medium to large sites provide heavyweight website Building...

Memory corruption

The 1 parsestr, 2 pregmatch, 3 unpack, and 4 pack functions; the 5 ZENDFETCHRW, 6 ZENDCONCAT, and 7 ZENDASSIGNCONCAT opcodes; and the 8 ArrayObject::uasort method in PHP 5.2 through 5.2.13 and 5.3 through 5.3.2 allow context-dependent attackers to obtain sensitive information memory contents or...

CVE-2010-2191

The 1 parsestr, 2 pregmatch, 3 unpack, and 4 pack functions; the 5 ZENDFETCHRW, 6 ZENDCONCAT, and 7 ZENDASSIGNCONCAT opcodes; and the 8 ArrayObject::uasort method in PHP 5.2 through 5.2.13 and 5.3 through 5.3.2 allow context-dependent attackers to obtain sensitive information memory contents or...

PHPCMS2008 100527版本网站管理系统下载任意文件漏洞

phpcms2008sp4 下载任意文件漏洞发布后，27号官方的补丁是这样的： down.php ifpregmatch'/.php/i',$f || strpos$f, ":\" showmessage'地址有误'; //12行 没补丁前是这样的： ifpregmatch'/.php$/',$f || strpos$f, ":\" showmessage'地址有误'; //12行 可以看出两者的区别。 但同样是这个文件中： parsestr$ak;//8行 知道这里还有更好的利用方法了，再看文件： download.php if$m $fileurl =...

Input validation

The parsestr function in 1 PHP, 2 Hardened-PHP, and 3 Suhosin, when called without a second parameter, might allow remote attackers to overwrite arbitrary variables by specifying variable names and values in the string to be parsed. NOTE: it is not clear whether this is a design limitation of the...

CVE-2007-3205

The parsestr function in 1 PHP, 2 Hardened-PHP, and 3 Suhosin, when called without a second parameter, might allow remote attackers to overwrite arbitrary variables by specifying variable names and values in the string to be parsed. NOTE: it is not clear whether this is a design limitation of the...

PHP parse_str variables overwrite

Insufficient arguments validation allows to overwrite internal variables...

PHP parse_str() arbitrary variable overwrite

Title: PHP parsestr arbitrary variable overwrite Vendor: http://www.php.net/ Advisory: http://www.acid-root.new.fr/advisories/14070612.txt Author: DarkFig gmdarkfig at gmail dot com Written on: 2007/06/12 Released on: 2007/06/12 Risk level: Medium / High I.BACKGROUND Quote from php.net PHP is a...

security flaw

The parsestr function in PHP 4.x up to 4.4.0 and 5.x up to 5.0.5, when called with only one parameter, allows remote attackers to enable the registerglobals directive via inputs that cause a request to be terminated due to the memorylimit setting, which causes PHP to set an internal flag that...