UWA 2.X General Website Construction System: multiple vulnerabilities (gift pack)
Welcome to UWA 2.X, a general site-building system developed by AsThis on PHP and MySQL. The program is simple, flexible and highly extensible; it will be your first choice for easy site building.
#01 Sensitive path leakage (1)
/Core/lib/core/App.class.php, line 14:
    class App extends Pfa {
        /* initialization */
        public function __construct() {
            error_reporting(E_ALL ^ E_NOTICE ^ E_WARNING);
            set_error_handler(array('App', 'app_error'));
            //[RUNTIME]
            App::build(); // pre-compile
            //[/RUNTIME]
            Url::dispatch(); // URL dispatch; defines CTRLR_NAME and ACTN_NAME
        }
    }
The file never checks that its parent class Pfa has been loaded (there is no guard against direct access), so the class file can be requested directly:
http://localhost/core/lib/core/App.class.php
The resulting fatal error discloses the server's absolute path.
The same problem exists throughout the CMS; check every class file that inherits from a parent class.
#02 Sensitive path leakage (2)
/Core/tpl/page_trace.php, line 17:
    <div id="pfa_page_trace" style="padding:10px;margin:10px;color:#666;line-height:18px;background:#fff;border:1px solid #e5e5e5;">
        <p style="padding:0;margin:0;border-bottom:1px solid #ccc;font-size:14px;color:#f60;">
            <?php echo L('_PAGE_TRACE_INFO_') ?>
        </p>
        <p style="padding:0;margin:5px 0 0;overflow:auto;height:300px;text-align:left;font-size:12px;">
            <?php foreach($_trace as $key=>$info){echo $key . ' : ' . $info . "<br />\r\n";}?>
        </p>
    </div>
The template does not include the file that defines L() and calls the function directly, so requesting the template on its own raises a fatal error that discloses the absolute path.
#03 SQL injection
/Core/lib/ext/AServer.class.php, lines 14-111, defines the class AServer; lines 16-37 read as follows:
    public static function get_ip() {
        $ip = '';
        // both headers below are supplied by the client and can be set to any value
        if(!empty($_SERVER['HTTP_CLIENT_IP'])) {
            $ip = $_SERVER['HTTP_CLIENT_IP'];
        }
        if(!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
            $ips = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']);
            if($ip) {
                array_unshift($ips, $ip);
                $ip = '';
            }
            // take the first entry that does not look like a private address
            for($i = 0; $i < count($ips); $i++) {
                if(!preg_match("/^(10|172\.16|192\.168)\./i", $ips[$i])) {
                    $ip = $ips[$i];
                    break;
                }
            }
        }
        $ip = $ip ? $ip : $_SERVER['REMOTE_ADDR'];
        $long = sprintf("%u", ip2long($ip));
        return $long ? $ip : '0.0.0.0';
    }
Neither HTTP_CLIENT_IP nor HTTP_X_FORWARDED_FOR is filtered, so injection is possible.
The function itself was not tested in detail; concretely, the login at /admin.php records the client IP address but does not filter it. PS: add --level=3 for sqlmap.
Solution:
Filter and validate the IP address before it is logged or used in a query.
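A hardened replacement for get_ip(), added here as an example and not part of UWA's code. The class name SafeServer, the proxy list, the login_log table and the $pdo connection are hypothetical; it ignores HTTP_CLIENT_IP altogether, honours X-Forwarded-For only when the connection comes from a configured proxy, validates every candidate with filter_var(), and binds the address as a prepared-statement parameter instead of interpolating it into SQL.

```php
<?php
// Added example, not UWA's own code. Hypothetical: SafeServer, $trustedProxies,
// the login_log table and the $pdo connection.
final class SafeServer
{
    /** Reverse proxies whose X-Forwarded-For header may be trusted (hypothetical list). */
    private static $trustedProxies = ['127.0.0.1', '10.0.0.2'];

    /** Returns a syntactically valid IPv4/IPv6 address, or '0.0.0.0' for anything else. */
    private static function validIp($value)
    {
        return filter_var($value, FILTER_VALIDATE_IP) !== false ? $value : '0.0.0.0';
    }

    /** Client address for a request, given a $_SERVER-style array. */
    public static function getIp(array $server)
    {
        $remote = isset($server['REMOTE_ADDR']) ? $server['REMOTE_ADDR'] : '';
        // REMOTE_ADDR comes from the TCP connection, not from a client-controlled header;
        // unless the connection is from a trusted proxy, forwarded headers are ignored.
        if (!in_array($remote, self::$trustedProxies, true)) {
            return self::validIp($remote);
        }
        // Behind a trusted proxy: walk X-Forwarded-For from the right (the entry the proxy
        // appended) and return the first address that is valid and not itself a proxy.
        $forwarded = isset($server['HTTP_X_FORWARDED_FOR']) ? $server['HTTP_X_FORWARDED_FOR'] : '';
        foreach (array_reverse(array_map('trim', explode(',', $forwarded))) as $candidate) {
            if (in_array($candidate, self::$trustedProxies, true)) {
                continue;
            }
            if (filter_var($candidate, FILTER_VALIDATE_IP) !== false) {
                return $candidate;
            }
        }
        return self::validIp($remote);
    }

    /** Records a login attempt; the address is a bound parameter, never concatenated into SQL. */
    public static function logLogin(PDO $pdo, array $server)
    {
        $stmt = $pdo->prepare('INSERT INTO login_log (ip, logged_at) VALUES (:ip, NOW())');
        $stmt->execute([':ip' => self::getIp($server)]);
    }
}

// Constructed requests: a forwarded header from a direct (non-proxy) client is ignored,
// a malformed entry behind the proxy is skipped, and the address the proxy appended is used.
echo SafeServer::getIp(['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_FOR' => '198.51.100.1']), PHP_EOL;
echo SafeServer::getIp(['REMOTE_ADDR' => '127.0.0.1', 'HTTP_X_FORWARDED_FOR' => "bogus', 198.51.100.9, 10.0.0.2"]), PHP_EOL;
```

The first call returns 203.0.113.7 and the second 198.51.100.9; the same validation should be applied wherever the application stores or queries on a client address, including the /admin.php login logging mentioned above.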