VULHUB ™

vBulletin是一款开放源代码的PHP论坛程序。 vBulletin论坛的admincp/admincalendar.php文件没有正确地验证用户提交参数： -------------------[original source code]------------------ if($_POST[\'\'do\'\'] == \'\'saveholiday\'\') { $vbulletin-＞input-＞clean_array_gpc(\'\'p\'\', array( \'\'holidayid\'\' =＞ TYPE_INT, \'\'holidayinfo\'\' =＞ TYPE_ARRAY, \'\'month1\'\' =＞ TYPE_INT, \'\'day1\'\' =＞ TYPE_INT, \'\'month2\'\' =＞ TYPE_INT, \'\'day2\'\' =＞ TYPE_INT, \'\'period\'\' =＞ TYPE_INT, \'\'title\'\' =＞ TYPE_STR, \'\'description\'\' =＞ TYPE_STR, )); .. $db-＞query_write(\" UPDATE \" . TABLE_PREFIX . \"holiday SET allowsmilies = \" . $vbulletin-＞GPC[\'\'holidayinfo\'\'][\'\'allowsmilies\'\'] . \", recuroption = \'\'\" . $vbulletin-＞GPC[\'\'holidayinfo\'\'][\'\'recuroption\'\'] . \"\'\', recurring = \" . $vbulletin-＞GPC[\'\'holidayinfo\'\'][\'\'recurring\'\'] . \" WHERE holidayid = \" . $vbulletin-＞GPC[\'\'holidayid\'\'] ); ------------------[/original source code]------------------...

vBulletin是一款开放源代码的PHP论坛程序。 vBulletin论坛的admincp/admincalendar.php文件没有正确地验证用户提交参数： -------------------[original source code]------------------ if($_POST[\'\'do\'\'] == \'\'saveholiday\'\') { $vbulletin-＞input-＞clean_array_gpc(\'\'p\'\', array( \'\'holidayid\'\' =＞ TYPE_INT, \'\'holidayinfo\'\' =＞ TYPE_ARRAY, \'\'month1\'\' =＞ TYPE_INT, \'\'day1\'\' =＞ TYPE_INT, \'\'month2\'\' =＞ TYPE_INT, \'\'day2\'\' =＞ TYPE_INT, \'\'period\'\' =＞ TYPE_INT, \'\'title\'\' =＞ TYPE_STR, \'\'description\'\' =＞ TYPE_STR, )); .. $db-＞query_write(\" UPDATE \" . TABLE_PREFIX . \"holiday SET allowsmilies = \" . $vbulletin-＞GPC[\'\'holidayinfo\'\'][\'\'allowsmilies\'\'] . \", recuroption = \'\'\" . $vbulletin-＞GPC[\'\'holidayinfo\'\'][\'\'recuroption\'\'] . \"\'\', recurring = \" . $vbulletin-＞GPC[\'\'holidayinfo\'\'][\'\'recurring\'\'] . \" WHERE holidayid = \" . $vbulletin-＞GPC[\'\'holidayid\'\'] ); ------------------[/original source code]------------------ 可见未经任何过滤便在UPDATE查询中使用了来自$_POST的数组类型变量holidayinfo，这允许远程攻击者通过提交恶意请求执行SQL注入攻击。