### Brief description:

### Details:

```
<?php

/**
 *      [Discuz!] (C)2001-2099 Comsenz Inc.
 *      This is NOT a freeware, use is subject to license terms
 *
 *      $Id: function_connect.php 24725 2011-10-09 14:48:51Z yangli $
 */

// The IN_DISCUZ constant check is missing here;
// the file goes straight to including another file
require_once libfile('function/cloud');

function connect_output_javascript($jsurl) {
	return '<script type="text/javascript">_attachEvent(window, \'load\', function () { appendscript(\''.$jsurl.'\', \'\', 1, \'utf-8\') }, document);</script>';
}

function connect_output_php($url, $postData = '') {
	global $_G;

	$response = dfsockopen($url, 0, $postData, '', false, $_G['setting']['cloud_api_ip']);
	$result = (array) unserialize($response);
	return $result;
}
```

So accessing this file directly raises an error.

### Proof of vulnerability:

TestUrl: http://www.test.com/source/function/function_connect.php
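One way to audit a source tree for this defect, as an added example that is not part of the original report or of Discuz! itself: it flags any PHP file whose first statement, after comments are stripped, is not the `IN_DISCUZ` check. The guard spelling in the regex, the helper names and the sample strings are assumptions constructed for illustration.

```python
import os
import re

# Assumed guard spelling: if(!defined('IN_DISCUZ')) { exit('Access Denied'); }
GUARD = re.compile(r"""if\s*\(\s*!\s*defined\s*\(\s*['"]IN_DISCUZ['"]\s*\)\s*\)""")
# PHP comments: /* ... */, // ... and # ...
COMMENTS = re.compile(r"/\*.*?\*/|(?://|#)[^\n]*", re.S)


def lacks_guard(php_source):
    """True if the first statement after <?php is not the IN_DISCUZ check."""
    start = php_source.find("<?php")
    if start < 0:
        return False  # no PHP block, nothing runs on direct access
    body = COMMENTS.sub("", php_source[start + len("<?php"):]).lstrip()
    return GUARD.match(body) is None


def audit(root):
    """Sorted relative paths of .php files under root that lack the guard."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                if lacks_guard(fh.read()):
                    hits.append(os.path.relpath(path, root))
    return sorted(hits)


# Constructed samples: the opening of the file shown above, and the same
# text with the guard placed before the first statement.
UNGUARDED = """<?php
/**
 * [Discuz!] (C)2001-2099 Comsenz Inc.
 */
// no IN_DISCUZ check here
require_once libfile('function/cloud');
"""
GUARDED = UNGUARDED.replace(
    "require_once",
    "if(!defined('IN_DISCUZ')) {\n\texit('Access Denied');\n}\nrequire_once", 1)

if __name__ == "__main__":
    print("unguarded sample flagged:", lacks_guard(UNGUARDED))
    print("guarded sample flagged:  ", lacks_guard(GUARDED))
```

Files meant to be requested directly are reported too, so run `audit()` against include-only directories such as `source/function/`.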