Affected versions:
^^^^^^^
Currently all versions (1.3 Alpha is the highest version at the moment)
Description:
^^^^^^
CTB is an open-source PHP forum developed and maintained by Real Easy Digital <11cn.org>. Because its back-end administration files do not validate the caller properly, an unauthorized user can add a forum super administrator directly, which threatens the security of the forum and of the server.
Details:
^^^^
CTB is written in a very disciplined style: the code is orderly and pleasant to read, and it is genuinely an elegant program; its functional modules in particular taught me a great deal. Its security, however, is worrying:
Look at the following code:
/admin/main.php
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
// Collect the GET variables
if (is_array($_GET)) {
    foreach ($_GET as $k => $v) {
        if (is_array($_GET[$k])) {
            foreach ($_GET[$k] as $k2 => $v2) {
                $return[$k][$k2] = $v2;
            }
        } else {
            $return[$k] = $v;
        }
    }
}
...
$mod = isset($_GET['mod']) ? $_GET['mod'] : $_POST['mod'];
if (!file_exists($mod . ".php")) {
    $mod = "mainright";
}
require_once($mod . ".php");
//-----------------------------------------------------------------------------
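The dispatcher above takes `mod` straight from the request and includes `$mod.php` once `file_exists()` succeeds. That check only confirms that some file by that name is readable; it neither verifies that the caller is a logged-in administrator nor restricts `$mod` to the modules under /admin, since the user-supplied string is concatenated into the path as-is. The following is an added example, not code from CTB or 11cn.org, showing how the same dispatcher can be hardened: authenticate first, then resolve `mod` against an explicit allow-list instead of the filesystem. The module names, the `admin_uid` session field and `admin_is_logged_in()` are assumptions made for illustration; CTB's real login state is stored differently.

```php
<?php
// Added example, not code from CTB or 11cn.org: a hardened replacement for
// the `mod` dispatcher in /admin/main.php. Module names, the session field
// and admin_is_logged_in() are assumptions made for illustration.

// Assumed allow-list of admin modules. Every name maps to a file that sits
// beside this script; anything not listed is refused, so attacker-chosen
// values such as "../index" never reach require_once().
$ADMIN_MODULES = array('mainright', 'users', 'forums', 'settings');

// Assumed session check. The point is that it runs before any module is
// selected, not how the login state is stored.
function admin_is_logged_in()
{
    return isset($_SESSION['admin_uid']) && (int) $_SESSION['admin_uid'] > 0;
}

// Map the raw `mod` value to a module file name, or return null when it is
// not on the allow-list. The original only asked file_exists($mod . ".php"),
// which is satisfied by any readable .php file the web server can reach.
function resolve_admin_module($mod, array $allowed)
{
    if (!is_string($mod)) {
        return null;                     // mod[]=... arrays are rejected outright
    }
    // Strict comparison; the user-supplied string is never used to build a path.
    return in_array($mod, $allowed, true) ? $mod . '.php' : null;
}

session_start();

if (!admin_is_logged_in()) {
    // Authenticate first, whatever `mod` says.
    header('HTTP/1.1 403 Forbidden');
    exit('Admin login required');
}

$mod = isset($_GET['mod']) ? $_GET['mod']
     : (isset($_POST['mod']) ? $_POST['mod'] : 'mainright');

$file = resolve_admin_module($mod, $ADMIN_MODULES);
if ($file === null) {
    $file = 'mainright.php';             // unknown module: default page, as the original does
}

require_once dirname(__FILE__) . '/' . $file;
```

With this arrangement a request such as `main.php?mod=../index` is refused by the allow-list even if `../index.php` exists, and no module at all is loaded until the session check has passed.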