From ce05680219d3dddb7f274d4170e479264979efbb Mon Sep 17 00:00:00 2001
From: CZ
Date: Wed, 19 May 2021 13:49:41 +0800
Subject: [PATCH] =?UTF-8?q?=E4=BF=AE=E5=A4=8D3=E4=B8=AA=E5=AE=89=E5=85=A8?=
 =?UTF-8?q?=E6=BC=8F=E6=B4=9E=20(#15)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* 修复趣味盒未授权访问漏洞
趣味盒页面未做鉴权游客可以任意查看或发送内容
* 修复sql注入漏洞
* 修复sql注入
详见描述 代码第19行 if (!is_valid_id($class) && $class != 0) 如果class 为"sleep(5)" 虽然过不了is_valid_id校验 但是由于php 弱类型 非数字开头的字符串 最终会判断为 $class = 0 绕过了校验 另外建议is_valid_id 改为更直接的intval 将用户输入的的数据强制转换成int 防止sql注入
---
 public/fun.php | 1 +
 public/modrules.php | 2 +-
 public/takestaffmess.php | 3 ++-
 3 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/public/fun.php b/public/fun.php
index 4c9a4aa6..8c246477 100644
--- a/public/fun.php
+++ b/public/fun.php
@@ -3,6 +3,7 @@ require_once("../include/bittorrent.php");
 dbconn();
 require_once(get_langfile_path());
 require_once(get_langfile_path("",true));
+loggedinorreturn();
 $action=$_GET["action"];
 if (!$action) {
diff --git a/public/modrules.php b/public/modrules.php
index 60f303dc..02421ea2 100644
--- a/public/modrules.php
+++ b/public/modrules.php
@@ -38,7 +38,7 @@ elseif (isset($_GET["act"]) && $_GET["act"]=="addsect"){
 header("Refresh: 0; url=modrules.php");
 }
 elseif (isset($_GET["act"]) && $_GET["act"] == "edit"){
-$id = $_GET["id"];
+$id = intval($_GET["id"]);
 $res = @mysql_fetch_array(@sql_query("select * from rules where id='$id'"));
 stdhead("Edit rules");
 //print("");
diff --git a/public/takestaffmess.php b/public/takestaffmess.php
index d987b85a..2cb2ad69 100644
--- a/public/takestaffmess.php
+++ b/public/takestaffmess.php
@@ -15,7 +15,8 @@ if (!$msg)
 stderr("Error","Don't leave any fields blank.");
 $updateset = $_POST['clases'];
 if (is_array($updateset)) {
-foreach ($updateset as $class) {
+foreach ($updateset as &$class) {
+$class=intval($class);
 if (!is_valid_id($class) && $class != 0)
 stderr("Error","Invalid Class");
 }
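Review bot: `$action=$_GET["action"];` on the line after the new `loggedinorreturn();` still reads the key unconditionally, so a request without `action` emits an undefined-index notice before `if (!$action)` is evaluated; `$action = isset($_GET["action"]) ? $_GET["action"] : "";` keeps the same falsy check without the notice. Placing `loggedinorreturn()` after `dbconn()` looks right if the login check needs the database session, which this hunk cannot confirm. The `if (!$action) {` block continues past the end of the hunk.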
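Review bot: `$res = @mysql_fetch_array(@sql_query("select * from rules where id='$id'"));` on the line after the new `intval()` still executes with `$id` equal to 0 when `id` is absent or non-numeric, and the two `@` operators hide both a failed query and a missing row, so `$res` is silently `false` for the rest of the edit branch, which continues outside the hunk. Validating first with the helper takestaffmess.php already uses, `if (!is_valid_id($id)) stderr("Error","Invalid id");`, and then checking `if (!$res) stderr("Error","No such rule");` after the fetch would make both failures explicit instead of rendering an edit form over an empty result. With the cast in place the quoted interpolation is no longer injectable, but the `@` suppression is what kept the original bug from surfacing in logs.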
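Review bot: The by-reference `foreach ($updateset as &$class)` leaves `$class` aliased to the last element of `$updateset` after the loop, so any later assignment to `$class` inside the enclosing `if (is_array($updateset))` block (which continues past the hunk) would silently overwrite that element; either add `unset($class);` after the loop's closing `}`, or avoid the reference altogether with `$updateset = array_map('intval', $updateset);` before a plain `foreach ($updateset as $class)`. Note also that after `intval()` a non-numeric value becomes 0 and still passes `if (!is_valid_id($class) && $class != 0)` — the exact case the commit message describes — so the check only holds if 0 is a legitimate class value for whatever consumes `$updateset` later, which this hunk cannot show.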