I heard from my friends that there are many vulnerabilities in Simplog, so let's take a look at how insecure this program is. Because of time constraints I will analyze them from the code only; I will not write up the testing part!!! It's almost bedtime.

Arbitrary File Deletion - /adodb/adodb-csvlib.inc.php

```php
if (strncmp(PHP_OS, 'WIN', 3) === 0) {
    // skip the decimal place
    $mtime = substr(str_replace(' ', '_', microtime()), 2);
    // getmypid() actually returns 0 on Win98 - never mind!
    $tmpname = $filename . uniqid($mtime) . getmypid();
    if (!($fd = @fopen($tmpname, 'a'))) return false;
    $ok = ftruncate($fd, 0);
    if (!fwrite($fd, $contents)) $ok = false;
    fclose($fd);
    chmod($tmpname, 0644);
    // the tricky moment
    @unlink($filename);                 // Arbitrary File Deletion vulnerability
    if (!@rename($tmpname, $filename)) {
        unlink($tmpname);               // Arbitrary File Deletion vulnerability
        $ok = false;
    }
    if (!$ok) {
        if ($debug) ADOConnection::outp(" Rename $tmpname " . ($ok ? 'ok' : 'failed'));
    }
    return $ok;
}
```

The $filename and $tmpname parameters are passed to unlink() without any processing, so a file deletion vulnerability occurs.

SQL Injection - /blocksadmin.php

```php
if (!is_numeric($blogid)) {
    $blogid = $_REQUEST['blogid'];

    if (!is_numeric($blogid)) {
        $res = $db->Execute("select * from blog_list");
        $blogid = $res->fields['blog_id'];
    }
}

$sql = "select * from blog_blocks where blog_id = $blogid order by blk_order";
$res = $db->Execute($sql); // $blogid is not processed and goes straight into the SQL query statement

...

if ($res->fields['blk_type_id'] == 1) {
    $sql = "SELECT * from blog_categories where blog_id = $blogid order by cat_name"; // second injection
    $res2 = $db->Execute($sql);
    while (!$res2->EOF) {
        echo "<a href=\"archive.php?blogid=$blogid&cid=" . $res2->fields['cat_id'] . "\">" . $res2->fields['cat_name'] . "</a><br>\n";
        $res2->MoveNext();
    }

} elseif ($res->fields['blk_type_id'] == 2) {

    $res2 = $db->Execute("select * from blog_rss where rss_id = " . $res->fields['rss_id']); // third injection
```

There are a lot of SQL injection points. I only analyzed one page; several other pages have the same kind of vulnerability. First, $blogid goes directly into the SQL query statement without being processed, and then $res->fields does not...
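As an added example (my own code, not Simplog's or ADOdb's), here is how both patterns above look once hardened: the blocksadmin.php queries with the blog id validated as an integer and bound through ADOdb's ? placeholders instead of concatenated into the SQL text, and a cache writer in the spirit of adodb_write_file() that refuses to unlink() or rename() anything that does not resolve inside the cache directory. The $db connection object, the $cacheDir value and the helper names are assumptions for the example.

```php
<?php
// Added example, not code from Simplog or ADOdb. Assumes an ADOdb connection in $db.

// 1. blocksadmin.php: validate the id and bind it instead of interpolating it.
function load_blocks($db, $rawBlogId)
{
    // is_numeric() also accepts floats, exponents and leading whitespace;
    // FILTER_VALIDATE_INT only accepts a plain decimal integer.
    $blogid = filter_var($rawBlogId, FILTER_VALIDATE_INT);
    if ($blogid === false) {
        // Fall back to the first blog, mirroring the original logic.
        $res = $db->Execute("select blog_id from blog_list");
        if ($res === false || $res->EOF) {
            return false;
        }
        $blogid = (int) $res->fields['blog_id'];
    }

    // ADOdb substitutes ? placeholders from the second argument, so $blogid
    // never becomes part of the SQL string.
    return $db->Execute(
        "select * from blog_blocks where blog_id = ? order by blk_order",
        array($blogid)
    );
}

function categories_for_block($db, $blogid)
{
    return $db->Execute(
        "select cat_id, cat_name from blog_categories where blog_id = ? order by cat_name",
        array((int) $blogid)
    );
}

function rss_for_block($db, $res)
{
    // Values read back from the database are bound too, so a poisoned rss_id
    // column cannot become a second-order injection.
    return $db->Execute(
        "select * from blog_rss where rss_id = ?",
        array((int) $res->fields['rss_id'])
    );
}

// 2. Cache writer: confine $filename to $cacheDir before unlink()/rename().
function cache_path_or_false($cacheDir, $filename)
{
    $base = realpath($cacheDir);
    // The target file may not exist yet, so resolve its directory and re-attach the name.
    $dir  = realpath(dirname($filename));
    $name = basename($filename);
    if ($base === false || $dir === false || $name === '' || $name === '.' || $name === '..') {
        return false;
    }
    // Accept the cache directory itself or any descendant of it, nothing else.
    if ($dir !== $base && strncmp($dir, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return false;
    }
    return $dir . DIRECTORY_SEPARATOR . $name;
}

function safe_cache_write($cacheDir, $filename, $contents)
{
    $target = cache_path_or_false($cacheDir, $filename);
    if ($target === false) {
        return false; // never unlink or rename outside the cache directory
    }
    $tmpname = $target . '.' . uniqid('', true) . '.' . getmypid();
    if (file_put_contents($tmpname, $contents, LOCK_EX) === false) {
        return false;
    }
    chmod($tmpname, 0644);
    @unlink($target);                   // $target has already been confined to $cacheDir
    if (!@rename($tmpname, $target)) {
        @unlink($tmpname);              // only ever our own temp file inside $cacheDir
        return false;
    }
    return true;
}
```

With this layout every query in the block page takes its id through one validation point and one bound parameter, and the only paths that ever reach unlink() are ones that resolved under the cache directory, so a ../ or an absolute path in $filename fails the check before any file is touched.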