VULHUB ™

在global.php中有这样的代码: function login_logs($username,$password){ global $timestamp,$onlineip; $logdb[]=\"$username\\t$password\\t$timestamp\\t$onlineip\"; @include(PHP168_PATH.\"cache/adminlogin_logs.php\"); $writefile=\"<?php \"; $jj=0; foreach($logdb AS $key=>$value){ $jj++; $writefile.=\"\\$logdb[]=\\\"$value\\\";\"; if($jj>200){ break; } } write_file(PHP168_PATH.\"cache/adminlogin_logs.php\",$writefile); } 当登陆admin界面时,每次登陆的username都记录在cache/adminlogin_logs.php中,但是却没有对$username变量进行过滤,导致攻击者可以构造恶意$username变量,最终向cache/adminlogin_logs.php写入木马程序. Php168 v 4.0 <a href=\"http://bbs.php168.com/read-bbs-tid-140638-fpage-0-toread--page-1.html\" target=\"_blank\">http://bbs.php168.com/read-bbs-tid-140638-fpage-0-toread--page-1.html</a> 修复工具: <a href=\"http://www.365xl.net/files/PHP168_Fixer.rar\" target=\"_blank\">http://www.365xl.net/files/PHP168_Fixer.rar</a>

在global.php中有这样的代码: function login_logs($username,$password){ global $timestamp,$onlineip; $logdb[]=\"$username\\t$password\\t$timestamp\\t$onlineip\"; @include(PHP168_PATH.\"cache/adminlogin_logs.php\"); $writefile=\"<?php \"; $jj=0; foreach($logdb AS $key=>$value){ $jj++; $writefile.=\"\\$logdb[]=\\\"$value\\\";\"; if($jj>200){ break; } } write_file(PHP168_PATH.\"cache/adminlogin_logs.php\",$writefile); } 当登陆admin界面时,每次登陆的username都记录在cache/adminlogin_logs.php中,但是却没有对$username变量进行过滤,导致攻击者可以构造恶意$username变量,最终向cache/adminlogin_logs.php写入木马程序. Php168 v 4.0 <a href=\"http://bbs.php168.com/read-bbs-tid-140638-fpage-0-toread--page-1.html\" target=\"_blank\">http://bbs.php168.com/read-bbs-tid-140638-fpage-0-toread--page-1.html</a> 修复工具: <a href=\"http://www.365xl.net/files/PHP168_Fixer.rar\" target=\"_blank\">http://www.365xl.net/files/PHP168_Fixer.rar</a>