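### Brief description:
As titled.
### Details:
In the album feature, the "edit picture caption" function allows unauthorized modification: a user can change captions on pictures they do not own.
In source/include/spacecp/spacecp_album.php: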
[code]
foreach ($_POST['title'] as $picid => $value) { // iterate over the submitted data; $picid is user-controlled
    if($value == $_GET['oldtitle'][$picid]) {
        continue;
    }
    $title = getstr($value, 150);
    $title = censor($title);
    if(censormod($title) || $_G['group']['allowuploadmod']) {
        $pic_status = 1;
        manage_addnotify('verifypic');
    } else {
        $pic_status = 0;
    }
    $wherearr = array('picid'=>$picid);
    if(!$managealbum) $wherearr['uid'] = $_G['uid'];
    // $wherearr (with the uid condition) is built above but never passed to update():
    // $picid alone is used as the WHERE condition, so the caption can be modified directly.
    C::t('home_pic')->update($picid, array('title'=>$title, 'status' => $pic_status));
}
[/code]
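The fix implied by the unused `$wherearr` is to make the owner's uid part of the UPDATE itself. The following is an added example, not code from the original report or from Discuz!: it assumes PDO with an in-memory SQLite table standing in for home_pic, and `update_pic` and `save_titles` are hypothetical names.

```php
<?php
// Constructed stand-in for the home_pic table: two pictures, two owners.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE home_pic (picid INTEGER PRIMARY KEY, uid INTEGER, title TEXT, status INTEGER)');
$db->exec("INSERT INTO home_pic VALUES (1, 100, 'alice photo', 0), (2, 200, 'bob photo', 0)");

// Hypothetical helper: applies $data to rows matching every column in $where.
function update_pic(PDO $db, array $where, array $data): int {
    $allowed = ['picid', 'uid', 'title', 'status'];   // column allow-list
    foreach (array_merge(array_keys($where), array_keys($data)) as $col) {
        if (!in_array($col, $allowed, true)) {
            throw new InvalidArgumentException("unexpected column: $col");
        }
    }
    $set  = implode(', ', array_map(fn($c) => "$c = ?", array_keys($data)));
    $cond = implode(' AND ', array_map(fn($c) => "$c = ?", array_keys($where)));
    $stmt = $db->prepare("UPDATE home_pic SET $set WHERE $cond");
    $stmt->execute(array_merge(array_values($data), array_values($where)));
    return $stmt->rowCount();   // 0 means no row matched the conditions
}

// Same shape as the loop in spacecp_album.php, except that the ownership
// condition built into $where is actually used by the UPDATE.
function save_titles(PDO $db, array $titles, int $uid, bool $managealbum): array {
    $rejected = [];
    foreach ($titles as $picid => $title) {
        $where = ['picid' => (int)$picid];
        if (!$managealbum) {
            $where['uid'] = $uid;            // non-managers may only touch their own rows
        }
        if (update_pic($db, $where, ['title' => $title]) === 0) {
            $rejected[] = (int)$picid;       // not the caller's picture, or no such picid
        }
    }
    return $rejected;
}

// uid 200 submits a caption for its own picture (2) and for uid 100's picture (1).
$rejected = save_titles($db, [2 => 'new caption', 1 => 'changed by someone else'], 200, false);
var_dump($rejected);
echo $db->query('SELECT title FROM home_pic WHERE picid = 1')->fetchColumn(), "\n";
```

Logging the rejected picids gives a detection signal for clients submitting captions for pictures they do not own.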
### Proof of vulnerability:
Tested with two accounts.
[img src="http://static.wooyun.orghttps://images.seebug.org/upload/image/201409/2014092920001882940.png" alt="I"/]
[img src="http://static.wooyun.orghttps://images.seebug.org/upload/image/201409/2014092920021477541.png" alt=".png"/]
picid
[img src="http://static.wooyun.orghttps://images.seebug.org/upload/image/201409/2014092920064686931.png" alt="QQ截图20140929200213.png"/]
[img src="http://static.wooyun.orghttps://images.seebug.org/upload/image/201409/2014092920075860631.png" alt="QQ截图20140929200330.png"/]
After submitting, look at the original picture: its caption has changed.
[img src="http://static.wooyun.orghttps://images.seebug.org/upload/image/201409/2014092920090323741.png" alt="QQ截图20140929200427.png"/]