mirror of
https://github.com/lkddi/nexusphp.git
synced 2026-04-14 04:20:49 +08:00
ce05680219
* 修复趣味盒未授权访问漏洞 趣味盒页面未做鉴权游客可以任意查看或发送内容 * 修复sql注入漏洞 * 修复sql注入 详见描述 代码第19行 if (!is_valid_id($class) && $class != 0) 如果class 为"sleep(5)" 虽然过不了is_valid_id校验 但是由于php 弱类型 非数字开头的字符串 最终会判断为 $class = 0 绕过了校验 另外建议is_valid_id 改为更直接的intval 将用户输入的的数据强制转换成int 防止sql注入
36 lines
1.2 KiB
PHP
36 lines
1.2 KiB
PHP
<?php
|
|
require "../include/bittorrent.php";
|
|
if ($_SERVER["REQUEST_METHOD"] != "POST")
|
|
stderr("Error", "Permission denied!");
|
|
dbconn();
|
|
loggedinorreturn();
|
|
|
|
if (get_user_class() < UC_ADMINISTRATOR)
|
|
stderr("Sorry", "Permission denied.");
|
|
|
|
$sender_id = ($_POST['sender'] == 'system' ? 0 : (int)$CURUSER['id']);
|
|
$dt = sqlesc(date("Y-m-d H:i:s"));
|
|
$msg = trim($_POST['msg']);
|
|
if (!$msg)
|
|
stderr("Error","Don't leave any fields blank.");
|
|
$updateset = $_POST['clases'];
|
|
if (is_array($updateset)) {
|
|
foreach ($updateset as &$class) {
|
|
$class=intval($class);
|
|
if (!is_valid_id($class) && $class != 0)
|
|
stderr("Error","Invalid Class");
|
|
}
|
|
}else{
|
|
if (!is_valid_id($updateset) && $updateset != 0)
|
|
stderr("Error","Invalid Class");
|
|
}
|
|
$subject = trim($_POST['subject']);
|
|
$query = sql_query("SELECT id FROM users WHERE class IN (".implode(",", $updateset).")");
|
|
while($dat=mysql_fetch_assoc($query))
|
|
{
|
|
sql_query("INSERT INTO messages (sender, receiver, added, subject, msg) VALUES ($sender_id, {$dat['id']}, $dt, " . sqlesc($subject) .", " . sqlesc($msg) .")") or sqlerr(__FILE__,__LINE__);
|
|
}
|
|
|
|
header("Refresh: 0; url=staffmess.php?sent=1");
|
|
?>
|