### Brief description:
A broken access control flaw in Tipask allows anyone to modify other users' answers.
### Details:
First, pick a target answer, for example the first answer to this question:
http://help.tipask.com/q-19260.html
![t0153afe5e564f8b65c.png](https://images.seebug.org/upload/201405/07224643fc64e1784fa41940ee0d32bd7ce83d2a.png)
Open the developer tools (F12) and look at the link behind the comment button to obtain the answer's ID:
![t01588ef8d0012c888e.png](https://images.seebug.org/upload/201405/07224710f3b8cda91ddd6f6063a1be90ca6028b4.png)
The ID is 3608; then visit:
http://help.tipask.com/question/editanswer/3608/0.html
![t012e6f977188496255.png](https://images.seebug.org/upload/201405/07224958f8aa9d8f8b38baf43812a1dd4a4d40c1.png)
Submit the form, and the edit succeeds:
![t019d5dd200677bd009.png](https://images.seebug.org/upload/201405/072255587f0228e3fcda07494061e88408c61f61.png)
----------------------------------
The problem is in control/question.php, line 323:
```php
function oneditanswer() {
    $navtitle = '修改回答';
    // answer ID taken straight from the URL or POST body
    $aid = $this->get[2] ? $this->get[2] : $this->post['aid'];
    $answer = $_ENV['answer']->get($aid);
    (!$answer) && $this->message("回答不存在或已被删除!", "STOP");
    $question = $_ENV['question']->get($answer['qid']);
    $navlist = $_ENV['category']->get_navigation($question['cid'], true);
    if (isset($this->post['submit'])) {
        $content = $this->post['content'];
        $viewurl = urlmap('question/view/' . $question['id'], 2);
        // check the moderation setting and filter external URLs in the content
        $status = intval(2 != (2 & $this->setting['verify_question']));
        $allow = $this->setting['allow_outer'];
        if (3 != $allow && has_outer($content)) {
            0 == $allow && $this->message("内容包含外部链接,发布失败!", $viewurl);
            1 == $allow && $status = 0;
            2 == $allow && $content = filter_outer($content);
        }
        // check for banned words
        $contentarray = checkwords($content);
        1 == $contentarray[0] && $status = 0;
        2 == $contentarray[0] && $this->message("内容包含非法关键词,发布失败!", $viewurl);
        $content = $contentarray[1];
        // the update is issued without checking that the current user owns $aid
        $_ENV['answer']->update_content($aid, $content, $status);
        if (0 == $status) {
            $this->message('修改回答成功!为了确保问答的质量,我们会对您的回答内容进行审核。请耐心等待......', $viewurl);
        } else {
            $this->message('修改回答成功!', $viewurl);
        }
    }
    include template("editanswer");
}
```
Line 348 calls into model/answer.class.php, line 138:
```php
function update_content($aid, $content, $status = 0) {
    // updates the row selected by id only; the owner is never checked
    $this->db->query("UPDATE `" . DB_TABLEPRE . "answer` set content='$content',status=$status WHERE `id` =$aid");
}
```
The SQL statement updates the answer content directly without checking the userid, which is what causes the vulnerability.
### Proof of vulnerability:
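As an added example (not part of the original report or of Tipask's code), the following shows the ownership check that is missing from `oneditanswer()`, placed both in the handler logic and in the UPDATE itself. The table layout (`answer` with `id`, `authorid`, `content`, `status`), the user IDs and the in-memory SQLite database are constructed assumptions so the script runs stand-alone.

```php
<?php
// Added example, not Tipask's own code. Demonstrates an ownership check in
// front of the update, plus an UPDATE scoped to the owner as defence in depth.
// Assumed schema (not from the report): answer(id, authorid, content, status).

function update_answer_content(PDO $db, int $aid, int $uid, string $content, int $status): bool {
    // 1. Load the answer and verify that the caller is its author. This is the
    //    check the report identifies as missing before update_content().
    $stmt = $db->prepare('SELECT authorid FROM answer WHERE id = ?');
    $stmt->execute([$aid]);
    $authorid = $stmt->fetchColumn();
    if ($authorid === false || (int)$authorid !== $uid) {
        return false; // answer missing or owned by someone else: refuse
    }
    // 2. Scope the UPDATE by owner too, so the row cannot change even if the
    //    check above is bypassed. Bound parameters replace the string
    //    interpolation used by the original update_content().
    $stmt = $db->prepare(
        'UPDATE answer SET content = :content, status = :status '
        . 'WHERE id = :aid AND authorid = :uid'
    );
    $stmt->execute([
        ':content' => $content,
        ':status'  => $status,
        ':aid'     => $aid,
        ':uid'     => $uid,
    ]);
    // exactly one row must have matched; anything else is a refused edit
    return $stmt->rowCount() === 1;
}

// --- constructed demo data (in-memory database, answer 3608 owned by user 1) ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE answer (id INTEGER PRIMARY KEY, authorid INTEGER, content TEXT, status INTEGER)');
$db->exec("INSERT INTO answer VALUES (3608, 1, 'original answer', 1)");

// User 2 attempts to edit answer 3608, which belongs to user 1: refused.
$rejected = update_answer_content($db, 3608, 2, 'tampered', 1);
// User 1, the owner, edits the same answer: accepted.
$accepted = update_answer_content($db, 3608, 1, 'revised answer', 1);

$final = $db->query('SELECT content FROM answer WHERE id = 3608')->fetchColumn();
printf("other user rejected: %s\n", $rejected ? 'no' : 'yes');
printf("owner accepted: %s\n", $accepted ? 'yes' : 'no');
printf("stored content: %s\n", $final);
```

Requires the pdo_sqlite extension; the same two-layer pattern applies unchanged to Tipask's MySQL table once the real author column name is substituted.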
![t019d5dd200677bd009.png](https://images.seebug.org/upload/201405/072255587f0228e3fcda07494061e88408c61f61.png)