Release date:
Affected Versions:
V6
Vulnerability description:
In the do/job.php file:
...
}elseif(ereg("^([-_0-9a-zA-Z]+)$",$_GET[job])||ereg("^([-_0-9a-zA-Z]+)$",$_POST[job])){
    require(dirname(__FILE__)."/"."global.php");
    if(is_file(PHP168_PATH."inc/job/$job.php")){
        include(PHP168_PATH."inc/job/$job.php");
    }
}
If register_globals is enabled, the GPC variable registration order can be used to get past the regular-expression check. PHP168, however, is very accommodating and implements its own emulation of register_globals = on, in the inc/common.inc.php file:
...
if(!ini_get(register_globals)){
    @extract($_COOKIE,EXTR_SKIP);
    @extract($_FILES,EXTR_SKIP);
}
foreach($_POST AS $_key=>$_value){
    !ereg("^\_[A-Z]+",$_key) && $$_key=$_POST[$_key];
}
foreach($_GET AS $_key=>$_value){
    !ereg("^\_[A-Z]+",$_key) && $$_key=$_GET[$_key];
}
...
The check above is therefore easy to pass, but note that the variable registration order here differs somewhat from PHP's default GPC registration order :)
Reference:
http://hi.baidu.com/80vul_B/blog/item/220bdad6af998ed4a144df9c.html
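A hardened form of the job dispatcher, as an added example that is not PHP168's code or the advisory's: the check in do/job.php tests $_GET[job] or $_POST[job], while the include uses $job as assigned by the loops in inc/common.inc.php, so this version validates the exact value that builds the path. The function name resolveJobFile(), the sample job names and the temporary directory standing in for inc/job are hypothetical.

```php
<?php
// Added example, not PHP168 code. resolveJobFile() and all sample data are hypothetical.

// Returns the absolute path of the job script to include, or null to refuse.
// The value that is validated is the same value that builds the path.
function resolveJobFile(array $get, array $post, string $jobDir): ?string
{
    $hasGet  = array_key_exists('job', $get);
    $hasPost = array_key_exists('job', $post);

    // Refuse ambiguous requests instead of letting one source override the other.
    if ($hasGet && $hasPost && $get['job'] !== $post['job']) {
        return null;
    }
    $job = $hasGet ? $get['job'] : ($hasPost ? $post['job'] : null);

    // \A and \z anchor the whole string; is_string() rejects job[]=... arrays.
    if (!is_string($job) || preg_match('/\A[-_0-9a-zA-Z]+\z/', $job) !== 1) {
        return null;
    }

    // Containment: the resolved file must sit directly inside $jobDir.
    $base = realpath($jobDir);
    $path = realpath($jobDir . '/' . $job . '.php');
    if ($base === false || $path === false || dirname($path) !== $base || !is_file($path)) {
        return null;
    }
    return $path;
}

// Constructed demo: a temporary directory stands in for PHP168_PATH . "inc/job".
$dir = sys_get_temp_dir() . '/job_demo_' . getmypid();
mkdir($dir);
file_put_contents($dir . '/list.php', "<?php // constructed job script\n");

$cases = [
    'single valid source'   => [['job' => 'list'], []],
    'sources disagree'      => [['job' => 'other'], ['job' => 'list']],
    'disallowed characters' => [['job' => 'a.b'], []],
    'array instead of text' => [['job' => ['list']], []],
    'unknown job name'      => [['job' => 'missing'], []],
];
foreach ($cases as $label => [$get, $post]) {
    $path = resolveJobFile($get, $post, $dir);
    echo str_pad($label, 22), ' => ', $path === null ? 'refused' : 'include ' . basename($path), "\n";
}
unlink($dir . '/list.php');
rmdir($dir);
```

Only the first case resolves to a file; the other four are refused before any include would happen.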
SEBUG Security suggestions:
None