batch.viewlink.php 查看同標題書籤 BUG

bluelovers · 发表于 2007-7-11 03:13:36

batch.viewlink.php 查看同標題書籤
很嚴重的沒有進行參數過濾轉換
導致書籤標題可以造成這樣子的漏洞

另外明明有登入卻在SQL 錯誤提示上是顯示guest
這也代表他SQL錯誤時無法判斷登入的使用者是誰

SupeSite info: MySQL Query Error

User: guest
Time: 2007-7-11 3:02am
Script: /batch.viewlink.php

SQL: SELECT i.* FROM [Table]spaceitems i WHERE i.subject LIKE '%LULU's ROOM - y%'
Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's ROOM - y%'' at line 1
Errno.: 1064

An error report has been dispatched to our administrator.

茄子 · 发表于 2007-7-11 09:21:34

将有问题的页面地址发出来看看

bluelovers · 发表于 2007-7-11 20:35:25

http://x.bluelovers.net/batch.vi ... ject&itemid=637

茄子 · 发表于 2007-7-12 10:44:33

谢谢反馈

		自动登录	找回密码
密码			立即注册

batch.viewlink.php 查看 同標題書籤 BUG

batch.viewlink.php 查看同標題書籤 BUG