
phpBB 2.0.12 full path disclosure vulnerability

[ 2007-03-25 02:41:05 | Author: sun ]
phpBB is a powerful, scalable open-source bulletin board system. Both the latest version and earlier versions have a path disclosure issue.

Test method:

<forum path>/viewtopic.php?p=6&highlight=\[xiaohua]

The following text will appear:

Warning: Compilation failed: missing terminating ] for
character class at offset 20 in /home/nst/forum/viewtopic.php(1110) :
regexp code on line 1






Problem code:

Here is the problem:
-----[ Start Vuln Code ] ------------------------------------

1106: if ($highlight_match)
1107: {
1108: // This was shamelessly 'borrowed' from volker at multiartstudio dot de
1109: // via php.net's annotated manual
1110: $message = str_replace('\"', '"',
          substr(preg_replace('#(\>(((?>([^><]+|(?R)))*)\<))#se', "preg_replace('#\b(" .
          $highlight_match . ")\b#i', '<span style=\"color:#" . $theme['fontcolor3'] .
          "\"><b>\\\\1</b></span>', '\\0')", '>' . $message . '<'), 1, -1));
1111: }


Solution:

magic_quotes_gpc = On
magic_quotes_sybase = Off


Set both to On in php.ini.
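
To confirm after a configuration change that the forum no longer returns this kind of message, a response body can be scanned for PHP diagnostics that embed an absolute path. This is an added example, not part of the original post or of phpBB; the function name and pattern are assumptions, and the sample inputs are constructed (the first one from the warning quoted above).

```python
import html
import re

# PHP diagnostics have the shape "<Level>: <message> in <absolute path> on line <n>".
# When the error is raised inside evaluated code (as in the warning quoted in this
# post) the path is followed by "(<script line>) : regexp code".
PHP_DIAG = re.compile(
    r"(?P<level>Warning|Notice|Fatal error|Parse error|Deprecated)\s*:\s*"
    r"(?P<message>.{0,300}?)\s+in\s+"
    r"(?P<path>(?:/|[A-Za-z]:[\\/])[^\s()<>:]+)"
    r"(?:\((?P<script_line>\d+)\))?"
    r"(?:\s*:\s*[\w ]+?code)?"
    r"\s+on\s+line\s+(?P<line>\d+)"
)


def find_path_disclosures(body):
    """Return one finding per PHP diagnostic in `body` that exposes a server path."""
    # html_errors output wraps fields in <b> tags, so drop markup and collapse whitespace.
    text = html.unescape(re.sub(r"<[^>]+>", " ", body))
    text = " ".join(text.split())
    findings = []
    for m in PHP_DIAG.finditer(text):
        findings.append({
            "level": m.group("level"),
            "message": m.group("message"),
            "path": m.group("path"),
            # Prefer the script line in parentheses; "on line" then refers to the eval'd code.
            "script_line": int(m.group("script_line") or m.group("line")),
        })
    return findings


# Constructed sample inputs: the warning text from this post, an html_errors-style
# notice with a made-up path, and an ordinary page that must not be flagged.
SAMPLE_PLAIN = """Warning: Compilation failed: missing terminating ] for
character class at offset 20 in /home/nst/forum/viewtopic.php(1110) :
regexp code on line 1"""
SAMPLE_HTML = ("<br /><b>Notice</b>:  Undefined index: id in "
               "<b>/var/www/forum/index.php</b> on line <b>42</b><br />")
SAMPLE_CLEAN = "<p>Warning: please log in before posting.</p>"

if __name__ == "__main__":
    for name, body in [("plain", SAMPLE_PLAIN), ("html", SAMPLE_HTML), ("clean", SAMPLE_CLEAN)]:
        print(name, find_path_disclosures(body))
```

Any finding means the response still exposes a server-side path and the error display settings need another look.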
