VULHUB ™

member.php代码: if(!empty($listgid) &amp;&amp; ($listgid == intval($_GET['listgid']))) { //这里用的等于[==]而不是全等[===]进行的比较,且$listgid并没有初始化:) $type = $adminid == 1 ? 'grouplist' : $type; } else { $listgid = ''; } ... $multipage = multi($num, $memberperpage, $page, &quot;member.php?action=list&amp;listgid=$listgid&amp;srchmem=&quot;.rawurlencode($srchmem).&quot;&amp;amp;order=$order&amp;amp;type=$type&quot;, $membermaxpages); Discuz 6.X 刚发布的dz7 bt版本[1]已经fix这个漏洞了: if(!empty($listgid) &amp;&amp; ($listgid = intval($_GET['listgid']))) { $type = $adminid == 1 ? 'grouplist' : $type; } else { $listgid = ''; } [1]:<a href=http://download.comsenz.com/Discuz/7.0.0Beta/Discuz_7_Beta_SC_GBK.zip target=_blank>http://download.comsenz.com/Discuz/7.0.0Beta/Discuz_7_Beta_SC_GBK.zip</a>

member.php代码: if(!empty($listgid) &amp;&amp; ($listgid == intval($_GET['listgid']))) { //这里用的等于[==]而不是全等[===]进行的比较,且$listgid并没有初始化:) $type = $adminid == 1 ? 'grouplist' : $type; } else { $listgid = ''; } ... $multipage = multi($num, $memberperpage, $page, &quot;member.php?action=list&amp;listgid=$listgid&amp;srchmem=&quot;.rawurlencode($srchmem).&quot;&amp;amp;order=$order&amp;amp;type=$type&quot;, $membermaxpages); Discuz 6.X 刚发布的dz7 bt版本[1]已经fix这个漏洞了: if(!empty($listgid) &amp;&amp; ($listgid = intval($_GET['listgid']))) { $type = $adminid == 1 ? 'grouplist' : $type; } else { $listgid = ''; } [1]:<a href=http://download.comsenz.com/Discuz/7.0.0Beta/Discuz_7_Beta_SC_GBK.zip target=_blank>http://download.comsenz.com/Discuz/7.0.0Beta/Discuz_7_Beta_SC_GBK.zip</a>