Release date: 2011-03-24
Author: tenzy
Affected Version: PHPCMS.
http://www.phpcms.cn
Vulnerability Type: design defect
Vulnerability Description: You can directly register a VIP member through a pass.
Detailed description:
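    // Branch that creates a member from the request data in $arr.
    // Note: $userinfo is never initialized before the assignments below.
    if ($action == 'member_add') {
        // Required fields: abort when any of them is missing.
        $userinfo['phpssouid'] = isset($arr['uid']) ? $arr['uid'] : exit('0');
        $userinfo['encrypt'] = isset($arr['random']) ? $arr['random'] : exit('0');
        $userinfo['username'] = isset($arr['username']) ? $arr['username'] : exit('0');
        $userinfo['password'] = isset($arr['password']) ? $arr['password'] : exit('0');
        // Optional fields default to an empty string.
        $userinfo['email'] = isset($arr['email']) ? $arr['email'] : '';
        $userinfo['regip'] = isset($arr['regip']) ? $arr['regip'] : '';
        $userinfo['regdate'] = $userinfo['lastdate'] = SYS_TIME;
        // Fixed model and group for the new member.
        $userinfo['modelid'] = 10;
        $userinfo['groupid'] = 6;
        // Every key present in $userinfo is written to the member table.
        $userid = $db->insert($userinfo, 1);
        if ($userid) {
            exit('1');
        } else {
            exit('0');
        }
    }

The $userinfo array is not initialized before these assignments. You can directly post a form field such as userinfo[vip] to overwrite the array.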
Vulnerability proof: The $userinfo array is not initialized. You can directly overwrite the array by using a form such as POST userinfo[vip]=1.
Solution: Initialize the $userinfo array.
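
The effect of that fix, as an added example that is not PHPCMS source code: the handler's assignments are run once on an array that already holds an extra key and once after explicit initialization. The function names and the sample values are constructed for illustration, and a null return stands in for the handler's exit('0').

```php
<?php
// Added example, not PHPCMS source. Function names and sample data are constructed.

// Mirrors the handler on this page: $userinfo arrives already populated
// (passed in explicitly here) and is only added to, never reset.
function member_row_unfixed(array $userinfo, array $arr, int $now): ?array
{
    foreach (array('uid', 'random', 'username', 'password') as $key) {
        if (!isset($arr[$key])) {
            return null;                // the handler calls exit('0') at this point
        }
    }
    $userinfo['phpssouid'] = $arr['uid'];
    $userinfo['encrypt']   = $arr['random'];
    $userinfo['username']  = $arr['username'];
    $userinfo['password']  = $arr['password'];
    $userinfo['email']     = isset($arr['email']) ? $arr['email'] : '';
    $userinfo['regip']     = isset($arr['regip']) ? $arr['regip'] : '';
    $userinfo['regdate']   = $userinfo['lastdate'] = $now;
    $userinfo['modelid']   = 10;
    $userinfo['groupid']   = 6;
    return $userinfo;
}

// The fix from the Solution line: start from an empty array so that only
// the keys assigned by the handler can reach the INSERT.
function member_row_fixed(array $userinfo, array $arr, int $now): ?array
{
    $userinfo = array();                // explicit initialization drops stray keys
    return member_row_unfixed($userinfo, $arr, $now);
}

// Constructed input: a pre-populated $userinfo carrying an extra 'vip' key,
// and the request data the handler expects in $arr.
$stray = array('vip' => 1);
$arr   = array('uid' => 42, 'random' => 'a1b2c3', 'username' => 'alice',
               'password' => 'constructed-hash');

$before = member_row_unfixed($stray, $arr, time());
$after  = member_row_fixed($stray, $arr, time());

// Compare the column sets that would be handed to $db->insert().
echo 'without initialization: ', implode(',', array_keys($before)), PHP_EOL;
echo 'with initialization:    ', implode(',', array_keys($after)), PHP_EOL;
```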