Affected Products:
Vulnerability Description:
In PHP 5.3.x the default value of the php.ini setting request_order is GP, which results in a global variable defense bypass vulnerability in Discuz! 6.x/7.x.

include/global.func.php code:

    function daddslashes($string, $force = 0) {
        // Cache the magic_quotes_gpc setting in a constant on first use.
        !defined('MAGIC_QUOTES_GPC') && define('MAGIC_QUOTES_GPC', get_magic_quotes_gpc());
        // Escape only when GPC is off, or when the caller forces it.
        if (!MAGIC_QUOTES_GPC || $force) {
            if (is_array($string)) {
                foreach ($string as $key => $val) {
                    $string[$key] = daddslashes($val, $force);
                }
            } else {
                $string = addslashes($string);
            }
        }
        return $string;
    }

include/common.inc.php:

    foreach (array('_COOKIE', '_POST', '_GET') as $_request) {
        foreach ($$_request as $_key => $_value) {
            // Import every request key that does not start with '_' as a global variable.
            $_key{0} != '_' && $$_key = daddslashes($_value);
        }
    }

This code, which emulates register_globals, calls addslashes() on the variable values when GPC is off, but that protection does not apply where a variable such as $_GET/$_POST/$_COOKIE is used directly. However, there are few places in DZ's source code where $_GET/$_POST/$_COOKIE is used directly, so there are few such holes. There is another way around it, though: with register_globals=On, the code above can be bypassed by submitting a GLOBALS variable. To prevent this, DZ has the following code:

    if (isset($_REQUEST['GLOBALS']) OR isset($_FILES['GLOBALS'])) {
        exit('Request tainting attempted');
    }

So the GLOBALS variable cannot be submitted? The contents of the $_REQUEST superglobal depend on request_order in php.ini. In the latest PHP 5.3.x series, request_order defaults to GP, which means that under the default configuration $_REQUEST contains only $_GET and $_POST, not $_COOKIE, so we can submit the GLOBALS variable with a cookie.
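The gap described above, as an added example that is not part of the original advisory and is not Discuz! code: it models how request_order decides which sources reach $_REQUEST, then compares the guard quoted above with a check made on each input array. The function names and the sample request values are hypothetical, and the merge model is a simplification of PHP's behaviour.

```php
<?php
// Added example, not Discuz! code; all function names are hypothetical.

// Model of how $_REQUEST is filled: sources are merged in the listed order,
// later letters overwrite earlier ones, letters not listed contribute nothing.
function build_request(string $order, array $get, array $post, array $cookie): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $request = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        if (isset($sources[$letter])) {
            $request = array_replace($request, $sources[$letter]);
        }
    }
    return $request;
}

// The guard quoted above: it only sees what reached $_REQUEST.
function guard_via_request(array $request, array $files): bool
{
    return isset($request['GLOBALS']) || isset($files['GLOBALS']);
}

// Stricter check: look at every input array itself, whatever request_order is.
function guard_per_source(array ...$sources): bool
{
    foreach ($sources as $source) {
        if (array_key_exists('GLOBALS', $source)) {
            return true;
        }
    }
    return false;
}

// Constructed sample request: the GLOBALS key arrives only in the cookie.
$get = ['tid' => '1'];
$post = [];
$cookie = ['sid' => 'abc', 'GLOBALS' => ['demo' => '1']];
$files = [];

foreach (['GPC', 'GP'] as $order) {
    $request = build_request($order, $get, $post, $cookie);
    printf("request_order=%-3s  \$_REQUEST guard: %-5s  per-source guard: %s\n",
        $order,
        var_export(guard_via_request($request, $files), true),
        var_export(guard_per_source($get, $post, $cookie, $files), true));
}
```

On a live installation, `ini_get('request_order')` shows the value actually in effect; when it is empty, PHP falls back to variables_order for $_REQUEST.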
Discuz! 6.x/7.x Global Variable Defense Bypass Vulnerability