Possible SQLI and XSS vulnerabilities

[enferas]

Hello,

I would like to report for possible vulnerabilities.

In file functions.php https://github.com/yuantuo666/baiduwp-php/blob/master/functions.php, line 222

$url = 'https://pan.baidu.com/api/sharedownload?app_id=' . $app_id . '&channel=chunlei&clienttype=12&sign=' . $sign . '&timestamp=' . $timestamp . '&web=1';

all the variables are controlled by the user. For example, In file index.php https://github.com/yuantuo666/baiduwp-php/blob/master/index.php, line 335

$fs_id = $_POST["fs_id"];
$timestamp = $_POST["time"];
$sign = $_POST["sign"];

Then the url will pass to curl_exec in line 47 in file functions.php

$result = curl_exec($ch);

The result will be passed to the DB (Possible SQLI).
Like the line 394 in index.php

$sql = "SELECT * FROM `$dbtable` WHERE `md5`='$md5' AND `ptime` > DATE_SUB(NOW(),INTERVAL $DownloadLinkAvailableTime HOUR);";

Or will be printed (Possible XSS).

If the attacker can control the output of the curled website then he will be able to pass some queries to the DB.

I will recommend to sanitize the output of the $result in functions post and get in functions.php

[yuantuo666]

This project is mainly rely on pan.baidu.com, which will never be hacked. Only the data are valid will it be stored.
Anyway, thanks for your suggestion.

[lc6464]

@yuantuo666 我觉得这个项目的数据库部分真得修一修。
等你高考完看看 PDO 吧。

[Redem6ti0n]

look this #193 (comment)