ibos OA v4.5.5 SQL Injection vulnerability
Project download address: https://gitee.com/ibos/IBOS
Vulnerable route: file/personal/del&op=recycle
Vulnerable parameter: fids
1. Function point: file cabinet, delete folder
- Source code analysis
The controller receives the fids parameter from the request and passes it to the model's fetchAllByFids() method.
fetchAllByFids() builds the SQL statement with the value embedded directly in it, and queryAll() executes that statement, so the unsanitized value becomes part of the query (SQL injection).
A malformed value makes the database query fail, and the Yii framework reports the error.
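The pattern described above, as an added illustration rather than IBOS's own code: a fetchAllByFids()-style helper in the vulnerable shape (request value concatenated into the statement) beside a hardened version that validates each id and binds it as a parameter. It uses the Yii 1.x CDbCommand API; the table and column names (file_personal, fid) are assumed.

```php
<?php
// Added example, not from the IBOS code base. Yii 1.x API: Yii::app()->db->createCommand().
// Table name {{file_personal}} and column fid are assumptions for illustration.

// Vulnerable pattern: the request value reaches the SQL text unchanged.
function fetchAllByFidsVulnerable($fids)
{
    // $fids comes straight from the request. Anything in the string, including
    // quotes and SQL keywords, becomes part of the statement. A malformed value
    // makes the driver throw CDbException, which Yii renders as an error page.
    $sql = "SELECT * FROM {{file_personal}} WHERE fid IN ({$fids})";
    return Yii::app()->db->createCommand($sql)->queryAll();
}

// Hardened pattern: accept only unsigned integers, then bind each one.
function fetchAllByFidsSafe($fids)
{
    $ids = is_array($fids) ? $fids : explode(',', (string) $fids);
    $ids = array_values(array_filter($ids, function ($v) {
        return ctype_digit(trim((string) $v)); // only digit strings survive
    }));
    if (empty($ids)) {
        return array();
    }
    // One named placeholder per id; the values never touch the SQL text.
    $placeholders = array();
    $params = array();
    foreach ($ids as $i => $id) {
        $placeholders[] = ":fid{$i}";
        $params[":fid{$i}"] = (int) trim($id);
    }
    $sql = 'SELECT * FROM {{file_personal}} WHERE fid IN (' . implode(',', $placeholders) . ')';
    return Yii::app()->db->createCommand($sql)->queryAll(true, $params);
}
```

For detection, a spike of CDbException entries in the Yii application log for this route is the symptom the vulnerable version produces when it receives non-numeric input.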