Affects all versions: unconditional login as any user #23
Comments
application/tags.php

Fixed in v1.6.0; this problem no longer exists.
APPLICATION and $params['user_id'] can be controlled by the user, so there is a variable-override problem.

Using the avatar-update interface:
1. Add the parameter application=app together with the parameter user_id; $params['user_id'] (the user id) then becomes the id chosen by the user.
2. Enter the UserLoginRecord method; there seems to be no problem here.
3. Enter the UserAvatarUpload method; after the image upload completes, it calls UserLoginRecord again.
4. Enter UserLoginRecord again. Because this call does not specify $is_app, it defaults to false.
The end result is that the user stored in the current session becomes whatever user id the user specified, and that id is a simple, guessable number.
5. Final effect
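As an added illustration (not the project's code; `vulnerableLoginRecord`, `safeLoginRecord` and `$authUserId` are hypothetical names, since the original UserLoginRecord is not shown here), this PHP sketch contrasts the pattern described above, a login-record helper that accepts a request-supplied user id, with a version that only writes an identity the server has already authenticated:

```php
<?php
// Hypothetical illustration, not the project's code.

// Vulnerable pattern: when $is_app is false the helper trusts
// $params['user_id'], and because $params is merged from the request,
// the caller can choose the id that is stored as the session identity.
function vulnerableLoginRecord(array &$session, array $params, bool $is_app = false): void
{
    if (!$is_app && isset($params['user_id'])) {
        $session['user_id'] = (int) $params['user_id'];
    }
}

// Hardened pattern: the identity written to the session comes only from
// the already-authenticated principal ($authUserId). A request-supplied
// user_id is never honoured; a mismatch is logged so it can be detected.
function safeLoginRecord(array &$session, int $authUserId, array $params): void
{
    if (isset($params['user_id']) && (int) $params['user_id'] !== $authUserId) {
        error_log(sprintf(
            'user_id mismatch: request=%s authenticated=%d',
            $params['user_id'],
            $authUserId
        ));
    }
    $session['user_id'] = $authUserId;
}

// Constructed sample: a user authenticated as id 42 sends
// application=app&user_id=1, as in the report above.
$request    = ['application' => 'app', 'user_id' => '1'];
$authUserId = 42;

$session = [];
vulnerableLoginRecord($session, $request);   // $is_app defaults to false
echo 'vulnerable helper stored user_id: ', $session['user_id'], PHP_EOL;

$session = [];
safeLoginRecord($session, $authUserId, $request);
echo 'hardened helper stored user_id:   ', $session['user_id'], PHP_EOL;
```

The hardened helper also gives a defender a log line to alert on, since a legitimate client has no reason to send a user_id that differs from its own session.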