J'ais cru lire quelque part qu'il était possible de voir où il était passé avec les logs ? quelqu'un pourrait il m'expliquer.
ajann a découvert une vulnérabilité dans PHP Classifieds, qui pourrait être exploitée par des personnes malintentionnées pour conduire des attaques SQL.
L'entrée passée au paramètre "user_id" dans detail.php n'est pas correctement filtrée avant d'être utilisée dans une requête SQL. Cela pourrait être exploité pour manipuler les interrogations SQL en injectant du code SQL arbitraire.
La vulnérabilité est confirmée en version 7.1b. Les autres versions pourraient également être affectées.
Editez le code source pour s'assurer que l'entrée est correctement filtrée.
Voici mon detail php et comment filtrée l'entrée. Merci
<?
$lSearchEngineArray=array("Google", "Fast", "Slurp", "Ink", "Atomz", "Scooter", "Crawler", "MSNbot", "Poodle", "Genius");
$lIsSearchE=0;
foreach($lSearchEngineArray as $key => $val)
if(strstr($_SERVER['HTTP_USER_AGENT'], $val))
$lIsSearchE++;
if($lIsSearchE==0)
session_start();
include_once("admin/inc.php");
$ad_id=round(getParam("id",""));
$lPrint=getParam("print","");
// If setting is not set, use these defaults...
if (!$set_outer_color) { $set_outer_color = "#A9B8D1"; }
if (!$set_inner_color) { $set_inner_color = "#FFFFFF"; }
if (!$set_descr_color) { $set_descr_color = "#FFFFFF"; }
if (!isset($set_descr_cell)) { $set_descr_cell = 10; }
if (isset($preview)) { $ad_id = $preview; $validation = 0; }
if (!$ad_id)
criticalError(LA_ERROR,LA_ERROR_NO_ID);
if ($validation == 1 && getParam("preview","")=="") { $val_string = " AND ad_is_validated = 1"; } else { $val_string = ""; }
$sql_links = "select * from $ads_tbl, $cat_tbl, $usr_tbl where cat_id=ad_cat_id AND user_id=ad_owner AND ad_id=$ad_id $val_string";
$result_from_ad = q($sql_links);
$row_from_ad=mysql_fetch_array($result_from_ad);
if (mysql_num_rows($result_from_ad) == 0)
criticalError(LA_AD_REMOVED_CAPTION,formatString(LA_AD_REMOVED_CONTENT,array("http://$url")));
$sitetitle = $row_from_ad["ad_title"];
$ad_description = $row_from_ad["ad_description"];
$userid = $row_from_ad["user_id"];
$ad_date = $row_from_ad["ad_date"];
$ad_views = $row_from_ad["ad_views"];
$ad_votes = $row_from_ad["ad_votes"];
$ad_voters = $row_from_ad["ad_voters"];
$ad_totalscore = $row_from_ad["ad_totalscore"];
$votes = $row_from_ad["user_votes"];
$voters = $row_from_ad["user_voters"];
$name = $row_from_ad["user_name"];
$email = $row_from_ad["user_email"];
$catname = $row_from_ad["cat_name"];
$catid = $row_from_ad["cat_id"];
$vendor_url = $row_from_ad["user_vendor_url"];
$vendor_homepage = $row_from_ad["user_vendor_homepage"];
$sold = $row_from_ad["ad_is_sold"];
$cattpl = $row_from_ad["cat_tpl"];
$datestamp = $row_from_ad["ad_date"];
$ad_has_picture = $row_from_ad["ad_has_picture"];
$is_vendor = $row_from_ad["user_is_vendor"];
$hide_email = $row_from_ad["user_hide_email"];
$img_stored = $row_from_ad["img_stored"];
$user_id = $row_from_ad["user_id"];
$expire_days = $row_from_ad["ad_expires_after_days"];
$ad_expires=formatDateShort($row_from_ad["ad_date_expire"]);
$timestamp_expire_date=$row_from_ad["ad_date_expire"];
$ad_added=formatDateShort($row_from_ad["ad_date"]);
$pagename= $sitename . " - " . $sitetitle;
$meta_desc=htmlspecialchars(dotString($ad_description,150));
if (empty($lPrint))
include_once("header_inc.php");
else
{
include ($full_path_to_public_program . "/admin/classes/TplLoad.php");
echo "<script language='javascript'>window.print()</script>";
echo "<p><a href='detail.php?id=$ad_id'><h2>$la_p</h2></a></p>";
}
$tplDetail=new TplLoad;
$tplDetail->assign("isLoggedIn",$_SESSION["valid_user"]);
$tplDetail->assign("set_outer_color",$set_outer_color);
$tplDetail->assign("set_inner_color",$set_inner_color);
$tplDetail->assign("set_descr_color",$set_descr_color);
$tplDetail->assign("set_descr_cell",$set_descr_cell);
$tplDetail->assign("id_ad","$ad_id");
$tplDetail->assign("ad_id","$ad_id");
$tplDetail->assign("ad_title","$sitetitle");
$tplDetail->assign("ad_added","$ad_added");
$tplDetail->assign("ad_hits","$ad_views");
$tplDetail->assign("ad_expire","$ad_expires");
$tplDetail->assign("ad_catid","$catid");
$tplDetail->assign("ad_username","$name");
$tplDetail->assign("ad_email","$email");
$tplDetail->assign("banner","$lBanner");
if ($set_nl2br)
$ad_description=nl2br($ad_description);
$tplDetail->assign("ad_description","$ad_description");
$tplDetail->assign("user_id","$user_id");
$tplDetail->assign("num_days",getHowManyDaysRemains($timestamp_expire_date,time()));
$tplDetail->assign("LA_REMOVE_FAV",urldecode(LA_REMOVE_FAV));
$tplDetail->assign("LA_ADD_FAV",urldecode(LA_ADD_FAV));
$tplDetail->assign("set_image_program",$set_image_program);
// Print out linked title
writeLinkedTitle(getCategoryId($ad_id));
if ($set_detail_login_need==1)
check_valid_user("");
if ($hide_email==1)
$tplDetail->assign("hide_email",1);
else
$tplDetail->assign("email","$email");
// Member Rating
if ($set_vote_on_member)
$tplDetail->assign("rate_member",$set_vote_on_member);
if ($set_ratemem_login_need)
$tplDetail->assign("rate_member_requires_login","$set_ratemem_login_need");
if ($voters > 0)
$votes = round($votes/$voters, 1);
else {
$votes=0;
$voters=0;
}
$tplDetail->assign("sold","$sold");
$tplDetail->assign("ad_member_votes","$votes");
$tplDetail->assign("ad_member_voters","$voters");
// Ad Rating
if ($set_rate)
$tplDetail->assign("rate_ad","$set_rate");
if ($set_rate_ad_require_member)
$tplDetail->assign("rate_ad_requires_login","$set_rate_ad_require_member");
// Get image rating
$lStr=getStarRating($ad_totalscore);
$tplDetail->assign("ad_vote_img_result","$lStr");
$tplDetail->assign("ad_ad_votes","$ad_votes");
$tplDetail->assign("ad_ad_voters","$ad_voters");
$tplDetail->assign("ad_totalscore","$ad_totalscore");
// Code for prev next result
if ($sold == 1)
$tplDetail->assign("isSold",1);
if ($vendor_url AND $set_vendor AND $is_vendor)
$tplDetail->assign("vendor","<a href='$vendor_homepage' target='new'><img src='$vendor_url' border='0'></a>");
$sql_prevad_id = "select ad_id from $ads_tbl, $cat_tbl, $usr_tbl where cat_id=ad_cat_id AND ad_owner=user_id AND ad_id < $ad_id AND cat_id = $catid $val_string order by ad_id desc limit 1";
$result_prevad_id = q($sql_prevad_id);
$row_prev = mysql_fetch_array($result_prevad_id);
$prevad_id = $row_prev["ad_id"];
$sql_nextad_id = "select ad_id from $ads_tbl, $cat_tbl, $usr_tbl where cat_id=ad_cat_id AND ad_owner=user_id AND ad_id > $ad_id AND cat_id = $catid $val_string order by ad_id asc limit 1";
$result_nextad_id = q($sql_nextad_id);
$row_next = mysql_fetch_array($result_nextad_id);
$nextad_id = $row_next["ad_id"];
// PREV NEXT AD
if ($prevad_id)
{
$str_nav.="<a href='detail.php?id=$prevad_id&catid=$catid'>";
$str_nav.="<img src='layout_images/arrow-back.gif' border='0' alt='' /> ".LA_P."</a>";
$tplDetail->assign("prev_link","detail.php?id=$prevad_id&catid=$catid");
}
$str_nav.=" ";
if ($nextad_id)
{
$str_nav.="<a href='detail.php?id=$nextad_id&catid=$catid'>";
$str_nav.=LA_N . " <img src='layout_images/arrow-forw.gif' border='0' alt='' /></a>";
$tplDetail->assign("next_link","detail.php?id=$nextad_id&catid=$catid");
}
$tplDetail->assign("navigation","$str_nav");
if (getParam("contact",""))
include "contact.php";
if (getParam("tellafriend",""))
include "tellafriend.php";
//print_r($row_from_ad);
$lQuestions=getDbValuesBasedOnQuestions($cattpl,1,$row_from_ad,$set_seperator);
$tplDetail->assign("ads",$lQuestions[$ad_id]);
$lQuestions=getDbValuesBasedOnQuestions($cattpl,2,$row_from_ad,$set_seperator);
$tplDetail->assign("users",$lQuestions[$ad_id]);
if ($set_favourites AND isset($_SESSION["valid_user"]))
{
$sql = "select fid from $fav_tbl where f_adid=$ad_id AND f_user_id = ".$_SESSION["valid_user"];
$r = mysql_query($sql);
$number = mysql_num_rows($r);
if ($number)
$tplDetail->assign("fav_remove_link",1);
else
$tplDetail->assign("fav_add_link",1);
}
$query = "select * from $vid_tbl where video_adid=$ad_id";
$sql_result = q($query);
while ($row=mysql_fetch_array($sql_result))
{
$id = $row["video_id"];
$filename_stored = $row["video_file"];
$array = split("\.",$filename_stored);
$last=count($array)-1;
$ext=$array[$last];
$videoArray[$i]["file"]=$filename_stored;
$videoArray[$i]["id"]=$id;
$videoArray[$i]["ext"]=strtolower($ext);
$i++;
}
$tplDetail->assign("video_list",$videoArray);
$query = "select * from $doc_tbl where f_adid=$ad_id order by f_id desc";
$sql_result_doc = q ($query);
$i=0;
while ($row=mysql_fetch_array($sql_result_doc))
{
$id = $row["f_id"];
$filetype = $row["filetype"];
$filename = $row["f_file"];
$fArray[$i]["id"] = $id;
$fArray[$i]["name"] = $filename;
$lSize=filesize("images/docs/" . $filename);
$fArray[$i]["size"] = round($lSize/1024);
$lDisplay=ereg_replace($ad_id . "_","",$filename);
$fArray[$i]["display_name"] = $lDisplay;
$lExtArray=split("\.",$filename);
$lExt=end($lExtArray);
$fArray[$i]["ext"] = strtolower($lExt);
$i++;
}
$tplDetail->assign("doc_list", $fArray);
$query = "select id,filename from $pic_tbl where pic_ad_id=$ad_id";
$sql_result = q($query);
$num_ad_has_pictures = mysql_num_rows($sql_result);
for ($i=0; $i<$num_ad_has_pictures; $i++)
{
$row = mysql_fetch_array($sql_result);
$id = $row["id"];
$filename_stored = $row["filename"];
if ($set_image_program==0)
{
$lSizeArray=setImageSize($filename_stored,getManualSize("small"),0);
$imgArray[$i]["w"]=$lSizeArray[0];
$imgArray[$i]["h"]=$lSizeArray[1];
}
else
$filename_stored=ereg_replace("tmb2","tmb1",$filename_stored);
$imgArray[$i]["file"]=$filename_stored;
$imgArray[$i]["id"]=$id;
$imgArray[$i]["nr"]=$i;
}
if ($set_image_program==0)
$tplDetail->assign("image_max",getManualSize("small"));
$tplDetail->assign("image_list",$imgArray);
$tplDetail->assign("set_slideshow",$set_slideShow);
$tplDetail->assign("set_slideShow_sec",$set_slideShow_sec*1000);
$tplDetail->assign("set_slideShow_count_from",$set_slideShow_sec);
$tplDetail->assign("num_pictures",$num_ad_has_pictures);
$tplDetail->assign("show_still",getParam("show_still",""));
$s = "UPDATE $ads_tbl set ad_views=ad_views+1 where ad_id=$ad_id";
$result1=q($s);
$tplDetail->display("detail.tpl");
if (empty($lPrint))
include_once("footer_inc.php");
else
echo formatString("<center>".LA_PRINT_CLEAN."</center>", array(formatDate(date("Ymd")),date("H:m"),"http://$url/detail.php?id=$ad_id"));
?>
