Vulnerability and repair of the most popular group buying program

This vulnerability is very serious and directly affects the order information of the website. It was found in the commercial version CV1.6.1490.

Cause:

When the user enters the order page (/team/buy. php? <Input type = "hidden" name = "id" value = "{$ order [id]}"/>, this $ order [id] is used to store the user's previous payment order id, which is the SQL Injection portal.

Criteria 1:

Modify <input type = "hidden" name = "id" value = "any order id"/> and submit the form, the order information of this order will overwrite the order information of the corresponding order id, but the payment status will not be changed. If you place an order before the group purchase is successful, the coupon information will be sent to the user.

Criteria 2:

Modify <input type = "hidden" name = "id" value = "SQL statement"/> to cause dangerous SQL injection.

Solution:

There is a sentence about line 1 (Row 3) of team/buy. php (or wap/buy. php ).

If ($ flag = $ table-> Update ($ insert), you can change Update to Insert as an emergency solution.

Because $ table variable uses $ table = new Table (order, $ _ POST); for initialization, once $ _ POST [id] is not empty, the value is updated to the corresponding record as the primary key query.

In addition, the DB Update method in DB. class. php also has a vulnerability, which makes SQL Injection possible. There are around 284th rows.

The $ id value in else $ condition = "'$ pkname' = $ id"; is not processed, so that the value in input is directly transferred to the SQL statement, which is very dangerous.

Solution:

Filter the above parameters and wait for official upgrade