2012-05-05: 细节已通知厂商并且等待厂商处理中 2012-05-05: 厂商已经确认,细节仅向厂商公开 2012-05-15: 细节向核心白帽子及相关领域专家公开 2012-05-25: 细节向普通白帽子公开 2012-06-04: 细节向实习白帽子公开 2012-06-19: 细节向公众公开
新浪分站部分源代码泄露,可进一步利用
新浪分站部分源代码泄露,可进一步利用. 昨天送的礼物全被抢了,再求礼物.谢谢
http://eladies.sina.com.tw/getnews.php~
<?php //********************************************************** // include_once "./include/define.php"; if(!defined("NO_LOGIN_HANDLE_METHOD")){ define("NO_LOGIN_HANDLE_METHOD", NO_LOGIN_CONTINUE);} include_once DEFAULT_DOC_ROOT."/include/smarty.php"; include_once DEFAULT_DOC_ROOT."/common/initialize.php"; include_once DEFAULT_DOC_ROOT."/util/network.php"; include_once DEFAULT_DOC_ROOT."/util/str_process.php"; include_once DEFAULT_DOC_ROOT."/include/eladies.php"; /* process ... */ $op = Request_Param("op","","request"); $smarty = new Template; $smarty->assign('WWW_ROOT',DEFAULT_WWW_ROOT); $smarty->assign('DEFAULT_DOC_ROOT',DEFAULT_DOC_ROOT); $smarty->assign('WWW_ROOT_IMAGES',WWW_ROOT_IMAGE); $smarty->assign('WWW_ROOT_CSS',WWW_ROOT_CSS); $smarty->assign('WWW_ROOT_JS',WWW_ROOT_JS); $smarty->assign('UPDATE_IMAES',UPDATE_IMAES); $smarty->assign('INCLUDE_TMPL_ROOT',INCLUDE_TMPL_ROOT); $smarty->assign('CRON_INDEX_TMPL',CRON_INDEX_TMPL); $smarty->assign('WWW_EXTRATMPL_ROOT',DEFAULT_WWW_ROOT."/templates/extratmpl"); if( !empty( $MemberInfo ) && isset($MemberInfo["NickName"])){ $smarty->assign('USER_NAME', $MemberInfo["NickName"] ); } $connect = mysql_connect(ELADIES_WDB_HOST,ELADIES_WDB_USER,ELADIES_WDB_PASS) or die("資料庫連線錯誤,請聯絡管理員"); mysql_select_db(ELADIES_WDB_NAME,$connect); // //********************************************************** include_once "./include/define.php"; if(!defined("NO_LOGIN_HANDLE_METHOD")){ define("NO_LOGIN_HANDLE_METHOD", NO_LOGIN_CONTINUE); } include_once DEFAULT_DOC_ROOT."/include/smarty.php"; include_once DEFAULT_DOC_ROOT."/common/initialize.php"; include_once DEFAULT_DOC_ROOT."/util/network.php"; include_once DEFAULT_DOC_ROOT."/include/eladies.php"; include_once DEFAULT_DOC_ROOT."/include/dict.php"; $id = Request_Param("newsid","","request"); if( intval($id) <= 0 ){ header("Location:http://eladies.sina.com.tw"); } $eladies = new Eladies(); $news = $eladies->getPubNewsById( $id ); if( !$news || empty($news) || $news['content'] == "" || $news['title'] == ""){ header("Location:http://eladies.sina.com.tw"); }else{ if( !$eladies->updateNewsClick( $news['newsid'])){ header("Location:http://eladies.sina.com.tw"); } } $keywords = $news['keywords']; $conn_news = $eladies->getConnNews($id, $keywords , 8 , $news['video_count'] , $news['category']); $category = $eladies->getCategory( $news['category']); $tpl_layout_name = "article.shtml"; $onevision_ad_config = 0; $change_video_type = 0; $_common_js_clickrecord = 'news'; $news_shcont_ = mb_substr(trim(strip_tags($news['content'])),0,35,"UTF-8")." ... "; if( intval($news['video_count']) == 1 && $news['source'] == "tw"){ //only process tw $video = $eladies->getVideoByNewsid( $news['id'] , $news['source'] ); $onevision_ad_config = $eladies->getOptionFunction_Onevision( 'onevision-ad-config' ); $tpl_layout_name = "article_video.shtml"; //video tmpl if(isset($news['onevision_url']) && $onevision_ad_config['advertising_config'] == 1 ) { //only for onevision $change_video_type = 1; } $_common_js_clickrecord = 'video'; }elseif( intval($news['media_count']) == 1 && $news['layout'] == "11" ){ $newsid = intval( $news['newsid']); $images = $eladies->getImageByNewsid( $newsid , $news['source']); $tpl_layout_name = "article_photo.shtml"; //laypout by one images tmpl }elseif( intval($news['media_count']) > 1 ){ $newsid = intval( $news['newsid']); $img_album_id = $newsid; $images = $eladies->getImageByNewsid( $newsid ,$news['source']); if( !empty($images) && count($images) > 1 && file_exists(DEFAULT_DOC_ROOT."/images/flash/newsPhoto/".$newsid."_list.xml")){ $tpl_layout_name = "article_photo02.shtml"; //imgnum > 1 tmpl }elseif( count($images) == 1 && $news['layout'] == "11" ){ $tpl_layout_name = "article_photo.shtml"; }else{ $tpl_layout_name = "article.shtml"; } } $authorid = intval( $news['author']); $author = $eladies->getAuthor( $authorid); $smarty = new Template; $smarty->assign('news',$news); $smarty->assign('author',$author); $smarty->assign('category',$category); $smarty->assign('share_title_content',$news_shcont_); $smarty->assign('onevision_ad_config',$onevision_ad_config); $smarty->assign('change_video_type',$change_video_type); $smarty->assign('WWW_ROOT',DEFAULT_WWW_ROOT); $smarty->assign('DEFAULT_DOC_ROOT',DEFAULT_DOC_ROOT); $smarty->assign('WWW_ROOT_IMAGES',WWW_ROOT_IMAGE); $smarty->assign('WWW_ROOT_CSS',WWW_ROOT_CSS); $smarty->assign('WWW_ROOT_JS',WWW_ROOT_JS); $smarty->assign('UPDATE_IMAES',UPDATE_IMAES); $smarty->assign('INCLUDE_TMPL_ROOT',INCLUDE_TMPL_ROOT); $smarty->assign('CRON_INDEX_TMPL',CRON_INDEX_TMPL); $smarty->assign('WWW_EXTRATMPL_ROOT',DEFAULT_WWW_ROOT."/templates/extratmpl"); $patten = "/<img.*?src\s*=\s*[\"|\']?\s*([^>\"\'\s\[]*)/i"; if( preg_match( $patten , $news['content'])){ $smarty->assign('CONTENT_IMG',"yes"); }else{ $smarty->assign('CONTENT_IMG',""); } if( $images && !empty($images) ){ $smarty->assign('first_image',$images['info'][0]['photo_image1']); if( intval($news['media_count']) == 1 ){ $smarty->assign('first_image',$images['info'][0]['photo_image1']); }else{ //> 1 $smarty->assign('img_album_id',$img_album_id); } } if( !empty( $MemberInfo ) && isset($MemberInfo["NickName"])){ $smarty->assign('USER_NAME', $MemberInfo["NickName"] );} $catid = intval($category['id']); $topidinfo = $eladies->getCategory( $category['topid'] ); if( $catid == "1" || $catid == "2055" ){ $smarty->display("todaynews/$tpl_layout_name"); exit; }elseif( $topidinfo && isset($topidinfo['id']) && $topidinfo['id'] != "1"){ $topid = intval( $topidinfo['id'] ); if( $topid == "107" ){ $toptmpl = $tmpl_access[100]['subsection'][107]['twname']; $path = "<a href=\"/fashion/brands/list.shtml\">".$toptmpl."</a>"; $catinfo = $eladies->getCategory( $catid ); $tmpl = $catinfo['cname']; $path.= " > <a href=\"get_tmpl.php?op=list&tpldir=fashion&secdir=brands&catid=".$catid."\">".$catinfo['cname']."</a>"; $tmplname = "fashion/$tpl_layout_name"; }elseif( $topid == "357"){ $toptmpl = $tmpl_access[101]['subsection'][357]['twname']; $path = "<a href=\"/beauty/brands/list.shtml\">".$toptmpl."</a>"; $catinfo = $eladies->getCategory( $catid ); $tmpl = $catinfo['cname']; $path.= " > <a href=\"get_tmpl.php?op=list&tpldir=beauty&secdir=brands&catid=".$catid."\">".$catinfo['cname']."</a>"; $tmplname = "beauty/$tpl_layout_name"; }else{ $toptmpl = $tmpl_access[$topid]['cname']; $path = "<a href=\"index.php?op=".$tmpl_access[$topid]['cname']."\">".$tmpl_access[$topid]['twname']."</a>"; $tmpl = $tmpl_access[$topid]['subsection'][$catid]['cname']; $tmplname = $toptmpl."/$tpl_layout_name"; $path.= " > <a href=\"get_tmpl.php?op=list&tpldir=".$tmpl_access[$topid]['cname']."&secdir=".$tmpl_access[$topid]['subsection'][$catid]['cname']."\">".$tmpl_access[$topid]['subsection'][$catid]['twname']."</a>"; } }else{ $tmpl = $tmpl_access[$catid]['cname']; $tmplname = $tmpl."/$tpl_layout_name"; $path = "<a href=\"index.php?op=".$tmpl_access[$catid]['cname']."\">".$tmpl_access[$catid]['twcname']."</a>"; } if( !$tmpl ){ $path = ""; $tmplname = "todaynews/$tpl_layout_name"; } $smarty->assign("pathname",$path); //add click record function //$smarty->assign('_common_js_clickrecord',$_common_js_clickrecord); //start 1.0 buy.sina.com.tw $HTTP_USER_AGENT=$_SERVER['HTTP_USER_AGENT']; if( eregi("BOT",strtoupper($HTTP_USER_AGENT)) || eregi("YAHOO",strtoupper($HTTP_USER_AGENT)) || eregi("GOOGLE",strtoupper($HTTP_USER_AGENT))){ $b_newsid = intval( $news['id']); if($b_newsid=="22700" || $b_newsid=="22688" || $b_newsid=="22615"){ $smarty->assign('BUY_REQ_USER_AGENT',"1"); } } //end 1.0 buy.sina.com.tw if( $conn_news && !empty($conn_news )){ foreach( $conn_news as $key => $val ){ $conn_news[$key]['title'] = cut_str(strip_tags($val['title']),15,null); } $smarty->assign('conn_news',$conn_news); }else{ $smarty->assign('conn_news',""); } //************************************************************************************* // $specialid = intval(trim($_GET['special'])) ? intval(trim($_GET['special'])) : 0; if($specialid){ $sql = "select title from feature where type = '0' and id = '$specialid'"; $query = mysql_query($sql); $result = mysql_fetch_row($query); $title = $result[0]; $smarty->assign('specialID',$specialid); $smarty->assign('title',$title); $sql = "select href,image,cshow from feature where type = '1' and ztype = '$specialid'"; $query = mysql_query($sql); $result = mysql_fetch_row($query); list($bannerHref,$bannerImage,$bannerCshow) = $result; $smarty->assign('hasBanner',$bannerCshow); $smarty->assign('bannerHref',$bannerHref); $smarty->assign('bannerImage',$bannerImage); $smarty->assign('special',1); } if($specialid){ if(strpos($tmplname,'video')){ $sql = "select content,title from feature where type = '4' and ztype = '$specialid'"; $query = mysql_query($sql); while($result = mysql_fetch_row($query)){ if($result[0] == $id){ $about .= '<option selected>'.$result[1].'</option>'; }else { $about .= '<option value="./pre_news.php?id='.$result[0].'&special='.$specialid.'">'.$result[1].'</option>'; } } $smarty->assign('about',$about); }else{ $sql = "select ctype from feature where sort='$id'"; $query = mysql_query($sql); $result = mysql_fetch_row($query); $zflID = $result[0]; $sql = "select sort,title from feature where type = '3' and ctype = '$zflID'"; $query = mysql_query($sql); while($result = mysql_fetch_row($query)){ if($result[0] == $id){ $about .= '<option selected>'.$result[1].'</option>'; } else { $about .= '<option value="./pre_news.php?id='.$result[0].'&special='.$specialid.'">'.$result[1].'</option>'; } } $smarty->assign('about',$about); } $sql = "select sort,title,image from feature where type = '3' and ctype = '$zflID' and sort != '$id' limit 8"; $query = mysql_query($sql); while($result = mysql_fetch_row($query)){ list($tmp['id'],$tmp['title'],$tmp['image']) = $result; if(!$tmp['image']){ $tmp['image'] = 'http://eladies.sina.com.tw/images/dummy.gif'; } $righ[] = $tmp; unset($tmp); } $smarty->assign('righ',$righ); } //echo $tmplname;exit; if($specialid){ $nd_tmpl = explode('/',$tmplname); $tmplname = 'fashion/'.$nd_tmpl[1]; } // //************************************************************************************* debug_log('tmplname:'.$tmplname .' ==== _common_js_clickrecord is ====' . $_common_js_clickrecord); $eladies->replaceClickRecord($news['id'],$_common_js_clickrecord=='news'?0:1); // $smarty->display($tmplname); function debug_log($str) { if($fd = @fopen("/home/archive/logs/debug_result.txt", "a")) { fputs($fd, $str . "\n\r"); fclose($fd); } } ?>
你们比我专业,你们懂的
危害等级:低
漏洞Rank:5
确认时间:2012-05-05 12:39
感谢提供!
暂无
对本漏洞信息进行评价,以更好的反馈信息的价值,包括信息客观性,内容是否完整以及是否具备学习价值
不知道这个漏洞拿到礼物没
登录后才能发表评论,请先 登录 。
