74cms (20141112) Unauthorized Access
Unauthorized access to others' resumes
On further consideration, this vulnerability should be rated high-risk. Why?
You can send the resume (resume_id) of any account to any job (job_id) published by any company, causing confusion.
Wap_apply.php:
elseif ($act == 'apply_add') {
    $_POST = array_map("utf8_to_gbk", $_POST);
    $SQL = "select * from " . table("personal_jobs_apply") . " where resume_id = " . intval($_POST["resume_id"]) . " and jobs_id = " . intval($_POST["jobs_id"]) . "";
    $row = $db->getone($SQL);
    // The preceding SQL statement puts the POSTed jobs_id and resume_id directly into the query
    // ......
}
First, register three accounts: test and testbbb (both personal accounts) and Admin111 (a company account):
Both test and testbbb have their own resumes:
Admin111 posted two positions and testbbb applied for the second one, as shown below:
Modify the parameters in the captured request. Of course, jobid can also be changed as needed:
The company account Admin111 then sees that its position has received an application, and the resume attached is that of the test account, submitted without authorization:
Solution:
session[uid]
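One way to apply the session[uid] fix, as an added example that is not 74cms code: the application is accepted only when the posted resume_id belongs to the uid held in the server-side session. The schema (resume.uid, personal_uid), the function name apply_add and the sample rows are assumptions constructed for the illustration; it uses PDO with an in-memory SQLite database so it runs offline.

```php
<?php
declare(strict_types=1);

// Assumed schema and constructed sample rows; not the real 74cms tables.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE resume (id INTEGER PRIMARY KEY, uid INTEGER NOT NULL)');
$db->exec('CREATE TABLE personal_jobs_apply (resume_id INTEGER, jobs_id INTEGER, personal_uid INTEGER)');
$db->exec('INSERT INTO resume (id, uid) VALUES (1, 101), (2, 102)'); // 1: test, 2: testbbb

/**
 * Record an application only if the resume belongs to the logged-in user.
 * $sessionUid comes from the server-side session, never from $_POST.
 */
function apply_add(PDO $db, int $sessionUid, int $resumeId, int $jobsId): bool
{
    // Ownership check: bind the client-supplied resume_id to the session uid.
    $own = $db->prepare('SELECT 1 FROM resume WHERE id = ? AND uid = ?');
    $own->execute([$resumeId, $sessionUid]);
    if ($own->fetchColumn() === false) {
        return false; // resume belongs to someone else, or does not exist
    }
    // Same duplicate check as the original query, reached only by the owner.
    $dup = $db->prepare('SELECT 1 FROM personal_jobs_apply WHERE resume_id = ? AND jobs_id = ?');
    $dup->execute([$resumeId, $jobsId]);
    if ($dup->fetchColumn() !== false) {
        return false; // this resume has already been sent to this job
    }
    $ins = $db->prepare('INSERT INTO personal_jobs_apply (resume_id, jobs_id, personal_uid) VALUES (?, ?, ?)');
    return $ins->execute([$resumeId, $jobsId, $sessionUid]);
}

// testbbb (constructed uid 102) is logged in; job id 7 is a constructed value.
$sessionUid = 102;
var_dump(apply_add($db, $sessionUid, 2, 7)); // testbbb sends its own resume
var_dump(apply_add($db, $sessionUid, 1, 7)); // resume_id changed to the one owned by test
```

In the real handler the first argument would be read from the session (the page's session[uid]), while resume_id and jobs_id continue to come from the request.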