Discuz! x某功能越权漏洞

- AV AC AU C I A
发布: 2025-04-13
修订: 2025-04-13

### 简要描述: rt ### 详细说明: 相册功能,里面的编辑图片说明可以越权修改 在 source/include/spacecp/spacecp_album.php中 [code] foreach ($_POST['title'] as $picid => $value) {//这里遍历数据 if($value == $_GET['oldtitle'][$picid]) { continue; } $title = getstr($value, 150); $title = censor($title); if(censormod($title) || $_G['group']['allowuploadmod']) { $pic_status = 1; manage_addnotify('verifypic'); } else { $pic_status = 0; } $wherearr = array('picid'=>$picid); if(!$managealbum) $wherearr['uid'] = $_G['uid']; C::t('home_pic')->update($picid, array('title'=>$title, 'status' => $pic_status));//直接把$picid 当作where条件来update。所以能直接修改说明。 } [/code] ### 漏洞证明: 用2个账号来测试 [img src="http://static.wooyun.orghttps://images.seebug.org/upload/image/201409/2014092920001882940.png" alt="I"/] [img src="http://static.wooyun.orghttps://images.seebug.org/upload/image/201409/2014092920021477541.png" alt=".png"/] picid [img src="http://static.wooyun.orghttps://images.seebug.org/upload/image/201409/2014092920064686931.png"...

0%

漏洞利用/PoC

暂无可用Exp或PoC

受影响的平台与产品

当前有0条受影响产品信息