
PHPOK5.4 has sensitive information disclosure and sql injection

Open LuckyC4t opened this issue 6 years ago • 1 comments

In framework/phpok_call.php, the function _userlist has a SQL injection. [image] For some reasons, we can control the value of the variable $rs, so we can splice an evil SQL query. [image] [image] As you can see, it also includes sensitive information.

LuckyC4t, Dec 02 '19 14:12

It also exists in the function _arclist_single. [image] [image] So we can splice an evil SQL query, but we should make if($rs['fields_need']) always false. [image] [image]

LuckyC4t, Dec 02 '19 14:12