Discuz editpost file SQL Injection Vulnerability

Discuz editpost file SQL Injection Vulnerability

Release date:
Updated on:

Affected Systems:
Discuz! Discuz! 7. x
Discuz! Discuz! 6.x
Discuz! Discuz! 5.x
Unaffected system:
Discuz! Discuz! > 7.x
Description:
--------------------------------------------------------------------------------
Discuz! It is an Internet forum software developed with PHP.

Discuz! 5. x, 6.x, 7. in Version x, the editing function has a splicing problem for the data submitted by the user. As a result, the data entered by the user can be directly spliced into the code and SQL statements, resulting in the SQL injection vulnerability and code execution vulnerability.

This vulnerability can be exploited when a default function is enabled on the server and a common user account is available. This vulnerability affects Discuz! 7.x and its earlier versions have released a statement not to update these versions, so this issue will continue to exist. The restrictions on this issue are easy to break through and have a wide range of impacts. If a vulnerability is triggered, the administrator password can be obtained to further obtain webshell, which is very harmful.

<* Source: 'rain.
*>

Suggestion:
--------------------------------------------------------------------------------
Vendor patch:

Discuz!
-------
Currently, the vendor does not provide patches or upgrade programs. We recommend that users who use the software follow the vendor's homepage to obtain the latest version:

Http://www.discuz.net/

This article permanently updates the link address: