### 简要描述: 看到厂商迟迟不确认,所以再来一发,难不成厂商已经放假了?如果是开年求收留! ### 详细说明: 问题发生在 wap模块 apps/wap/Lib/Action/IndexAction.class.php 和 apps/w3g/Lib/Action/IndexAction.class.php 行665 ``` public function doDelete() { $weibo_id = intval($_GET['weibo_id']); if ($weibo_id <= 0) { redirect(U('wap/Index/index', 3, '参数错误')); } if ( !in_array($_GET['from'], array('index','weibo','doSearch','atMe','favorite')) ) { $_GET['from'] = 'index'; } $target = U('wap/Index/'.$_GET['from'], array('key'=>urlencode($_GET['key']),'page'=>$_GET['page'])); $data['id'] = $weibo_id; $detail = api('WeiboStatuses')->data($data)->show(); $data['source_table_name'] = $detail['app_row_table']; $res = api('WeiboStatuses')->data($data)->destroy(); if ($res) { redirect($target , 1, '删除成功'); }else { redirect($target, 3, '删除失败,请稍后重试'); } } ``` 这里没有判断身份就直接del了! 这个文件还有 ``` public function doUnFavorite() { $weibo_id = intval($_GET['weibo_id']); if ($weibo_id <= 0) { redirect(U('wap/Index/index', 3, '参数错误')); } if ( !in_array($_GET['from'],...
### 简要描述: 看到厂商迟迟不确认,所以再来一发,难不成厂商已经放假了?如果是开年求收留! ### 详细说明: 问题发生在 wap模块 apps/wap/Lib/Action/IndexAction.class.php 和 apps/w3g/Lib/Action/IndexAction.class.php 行665 ``` public function doDelete() { $weibo_id = intval($_GET['weibo_id']); if ($weibo_id <= 0) { redirect(U('wap/Index/index', 3, '参数错误')); } if ( !in_array($_GET['from'], array('index','weibo','doSearch','atMe','favorite')) ) { $_GET['from'] = 'index'; } $target = U('wap/Index/'.$_GET['from'], array('key'=>urlencode($_GET['key']),'page'=>$_GET['page'])); $data['id'] = $weibo_id; $detail = api('WeiboStatuses')->data($data)->show(); $data['source_table_name'] = $detail['app_row_table']; $res = api('WeiboStatuses')->data($data)->destroy(); if ($res) { redirect($target , 1, '删除成功'); }else { redirect($target, 3, '删除失败,请稍后重试'); } } ``` 这里没有判断身份就直接del了! 这个文件还有 ``` public function doUnFavorite() { $weibo_id = intval($_GET['weibo_id']); if ($weibo_id <= 0) { redirect(U('wap/Index/index', 3, '参数错误')); } if ( !in_array($_GET['from'], array('index','detail','weibo','doSearch','atMe','favorite')) ) { $_GET['from'] = 'index'; } $_GET['key'] = urlencode($_GET['key']); $target = U('wap/Index/'.$_GET['from'], array('weibo_id'=>$weibo_id, 'key'=>$_GET['key'],'page'=>$_GET['page'])); $data['id'] = $weibo_id; // $res = api('Favorites')->data($data)->destroy(); $res = model('Collection')->delCollection($data['id'],'feed'); if ($res) { redirect($target, 1, '取消成功'); }else { redirect($target, 3, '取消失败,请稍后重试'); } } ``` 接着 w3g模块的收藏删除功能也没有权限判断 ``` public function doUnFavorite() { $type = empty($_POST['type'])?$type='feed':$type=$_POST['type']; $weibo_id = intval($_POST['feed_id']); if ($weibo_id <= 0) { // redirect(U('w3g/Index/index', 3, '参数错误')); echo '参数错误'; exit(); } $data['id'] = $weibo_id; // $res = api('Favorites')->data($data)->destroy(); $res = model('Collection')->delCollection($data['id'],$type); // dump($res); if ($res) { echo '1'; }else { echo '0'; } } ``` ### 漏洞证明: 在登录状态下访问 http://xxxx/index.php?app=wap&mod=Index&act=doDelete&weibo_id=2&from=index&page=1 weibo_id=这里是要删除的微博ID号! 即可删除别人的微博!
