Improper foreach handling discloses paths, a program setting defect, and a bypass of the global variable protection ---- variable overwrite
(1) Improper foreach handling discloses paths

http://wenda.anwsion.com/search/ajax/search_result/

Defect:

    <?php foreach ($this->search_result AS $key => $val)

The code does not check whether $this->search_result is null, or whether it is an array at all. When it is not, PHP's foreach warning, if displayed, exposes the script's full path.

...\wenda\views\default\inbox\read_message.tpl.htm

    <?php foreach ($this->list AS $key => $val) {

The defect is the same.

(2) Program setting defect

http://wenda.anwsion.com/question/395

Clicking the desktop zip attachment directly reports that downloading requires registration. In the page source, however, we see:

    file/download/file_name-5qGM6Z2iLnppcA==__url-aHR0cDovL3dlbmRhLmFud3Npb24uY29tL3VwbG9hZHMvcXVlc3Rpb25zLzIwMTIwNjA3L2JkMGFhY2FhNjg2YzEyNDlkOTY1YzZjZWM5ZDEwY2Y1LnppcA=

The encoding is base64, so we decode it. The final link is:

    http://wenda.anwsion.com/uploads/questions/20120607/bd0aacaa686c1249d965c6cec9d10cf5.zip

It can be downloaded without logging in. What if the attachment were restricted to VIP users, or to users who must register (which requires an invitation code) before downloading?

(3) Variable overwrite

In wenda\system\init.php:

    if (@ini_get('register_globals')) {
        if ($_REQUEST) {
            foreach ($_REQUEST AS $name => $value) {
                // variable variable: destroys the variable named by the request key
                unset($$name);
            }
        }
    }

This code destroys the request-supplied variables when register_globals is enabled, to prevent the serious consequences of malicious variable assignment. But the programmer did not realize that unset() only destroys local variables by default. Let's test:

    <?php
    if (@ini_get('register_globals')) {
        if ($_REQUEST) {
            foreach ($_REQUEST AS $name => $value) {
                unset($$name);
            }
        }
    }
    print $a . "<br>";
    print $_GET['b'];
    ?>

http://www.bkjia.com/Wenda/system/unset.php?a=1&b=2

The variable a is destroyed, which is what the program intends. However:

http://127.0.0.1:8080/wenda/system/unset.php?GLOBALS[a]=1&b=2
When GLOBALS[a] is used to overwrite the global variable, the value of $a can be controlled successfully.

Here is a further line of thinking: http://www.bkjia.com/Article/201212/174596.html

Why did the superglobal $_REQUEST not read the $_COOKIE parameters? Because request_order = "GP" is the default php.ini setting after PHP 5.3. If you change it to request_order = "GPC", $_REQUEST should be able to accept them. So if PHP is newer than 5.3, the variable overwrite vulnerability can be exploited again!

Solution: Check whether the array is empty. Is the logic strict? For the variable overwrite, I can't think of a good idea yet; I'll look at it later.
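
One way to tighten the cleanup loop from init.php so that it covers both gaps described above: the GLOBALS[a] parameter, and cookie-supplied names that $_REQUEST misses under request_order = "GP". This is an added example, not Anwsion's code; the function name scrub_request_globals and the sample arrays are hypothetical, and it is written for a current PHP so that it runs stand-alone.

```php
<?php
// Added example, not Anwsion's code. The function name and sample data are hypothetical.

/**
 * Delete request-supplied names from $scope, which stands in for the global
 * symbol table (in init.php the deletion would be unset($GLOBALS[$name])).
 * Returns false and deletes nothing if a parameter names a protected array.
 */
function scrub_request_globals(array $sources, array &$scope): bool
{
    $protected = ['GLOBALS', '_GET', '_POST', '_COOKIE', '_REQUEST',
                  '_SERVER', '_ENV', '_FILES', '_SESSION'];

    // Pass 1: refuse the whole request if any source names a protected array,
    // which is what ?GLOBALS[a]=1 does.
    foreach ($sources as $params) {
        foreach (array_keys($params) as $name) {
            if (in_array((string) $name, $protected, true)) {
                return false;
            }
        }
    }

    // Pass 2: delete every request-supplied name, whichever source it came from.
    foreach ($sources as $params) {
        foreach (array_keys($params) as $name) {
            unset($scope[$name]);
        }
    }
    return true;
}

// Constructed sample data standing in for $_GET, $_POST, $_COOKIE and the globals.
$get    = ['a' => '1', 'b' => '2'];
$post   = [];
$cookie = ['is_admin' => '1']; // absent from $_REQUEST when request_order = "GP"
$scope  = ['a' => '1', 'b' => '2', 'is_admin' => '1', 'config' => 'kept'];

// Each source is passed explicitly, so the cookie-supplied name is scrubbed too.
var_dump(scrub_request_globals([$get, $post, $cookie], $scope), array_keys($scope));

// Constructed equivalent of ?GLOBALS[a]=1&b=2: refused, $scope left untouched.
$scope   = ['a' => '1', 'b' => '2', 'config' => 'kept'];
$tainted = ['GLOBALS' => ['a' => '1'], 'b' => '2'];
var_dump(scrub_request_globals([$tainted], $scope), array_keys($scope));
```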