2012-05-05: 细节已通知厂商并且等待厂商处理中 2012-05-05: 厂商已经确认,细节仅向厂商公开 2012-05-15: 细节向核心白帽子及相关领域专家公开 2012-05-25: 细节向普通白帽子公开 2012-06-04: 细节向实习白帽子公开 2012-06-19: 细节向公众公开
新浪分站部分源代码泄露,可进一步利用
新浪分站部分源代码泄露,可进一步利用.昨天送的礼物全被抢了,再求礼物.谢谢
http://eladies.sina.com.tw/getnews.php~
<?php//**********************************************************// include_once "./include/define.php";if(!defined("NO_LOGIN_HANDLE_METHOD")){ define("NO_LOGIN_HANDLE_METHOD", NO_LOGIN_CONTINUE);}include_once DEFAULT_DOC_ROOT."/include/smarty.php";include_once DEFAULT_DOC_ROOT."/common/initialize.php";include_once DEFAULT_DOC_ROOT."/util/network.php";include_once DEFAULT_DOC_ROOT."/util/str_process.php";include_once DEFAULT_DOC_ROOT."/include/eladies.php";/*process ...*/$op = Request_Param("op","","request");$smarty = new Template;$smarty->assign('WWW_ROOT',DEFAULT_WWW_ROOT);$smarty->assign('DEFAULT_DOC_ROOT',DEFAULT_DOC_ROOT);$smarty->assign('WWW_ROOT_IMAGES',WWW_ROOT_IMAGE);$smarty->assign('WWW_ROOT_CSS',WWW_ROOT_CSS);$smarty->assign('WWW_ROOT_JS',WWW_ROOT_JS);$smarty->assign('UPDATE_IMAES',UPDATE_IMAES);$smarty->assign('INCLUDE_TMPL_ROOT',INCLUDE_TMPL_ROOT);$smarty->assign('CRON_INDEX_TMPL',CRON_INDEX_TMPL);$smarty->assign('WWW_EXTRATMPL_ROOT',DEFAULT_WWW_ROOT."/templates/extratmpl");if( !empty( $MemberInfo ) && isset($MemberInfo["NickName"])){ $smarty->assign('USER_NAME', $MemberInfo["NickName"] );}$connect = mysql_connect(ELADIES_WDB_HOST,ELADIES_WDB_USER,ELADIES_WDB_PASS) or die("資料庫連線錯誤,請聯絡管理員");mysql_select_db(ELADIES_WDB_NAME,$connect);////**********************************************************include_once "./include/define.php";if(!defined("NO_LOGIN_HANDLE_METHOD")){ define("NO_LOGIN_HANDLE_METHOD", NO_LOGIN_CONTINUE);}include_once DEFAULT_DOC_ROOT."/include/smarty.php";include_once DEFAULT_DOC_ROOT."/common/initialize.php";include_once DEFAULT_DOC_ROOT."/util/network.php";include_once DEFAULT_DOC_ROOT."/include/eladies.php";include_once DEFAULT_DOC_ROOT."/include/dict.php";$id = Request_Param("newsid","","request");if( intval($id) <= 0 ){ header("Location:http://eladies.sina.com.tw");}$eladies = new Eladies();$news = $eladies->getPubNewsById( $id );if( !$news || empty($news) || $news['content'] == "" || $news['title'] == ""){ header("Location:http://eladies.sina.com.tw");}else{ if( !$eladies->updateNewsClick( $news['newsid'])){ header("Location:http://eladies.sina.com.tw"); }}$keywords = $news['keywords'];$conn_news = $eladies->getConnNews($id, $keywords , 8 , $news['video_count'] , $news['category']);$category = $eladies->getCategory( $news['category']);$tpl_layout_name = "article.shtml";$onevision_ad_config = 0;$change_video_type = 0;$_common_js_clickrecord = 'news';$news_shcont_ = mb_substr(trim(strip_tags($news['content'])),0,35,"UTF-8")." ... "; if( intval($news['video_count']) == 1 && $news['source'] == "tw"){ //only process tw $video = $eladies->getVideoByNewsid( $news['id'] , $news['source'] ); $onevision_ad_config = $eladies->getOptionFunction_Onevision( 'onevision-ad-config' ); $tpl_layout_name = "article_video.shtml"; //video tmpl if(isset($news['onevision_url']) && $onevision_ad_config['advertising_config'] == 1 ) { //only for onevision $change_video_type = 1; } $_common_js_clickrecord = 'video'; }elseif( intval($news['media_count']) == 1 && $news['layout'] == "11" ){ $newsid = intval( $news['newsid']); $images = $eladies->getImageByNewsid( $newsid , $news['source']); $tpl_layout_name = "article_photo.shtml"; //laypout by one images tmpl }elseif( intval($news['media_count']) > 1 ){ $newsid = intval( $news['newsid']); $img_album_id = $newsid; $images = $eladies->getImageByNewsid( $newsid ,$news['source']); if( !empty($images) && count($images) > 1 && file_exists(DEFAULT_DOC_ROOT."/images/flash/newsPhoto/".$newsid."_list.xml")){ $tpl_layout_name = "article_photo02.shtml"; //imgnum > 1 tmpl }elseif( count($images) == 1 && $news['layout'] == "11" ){ $tpl_layout_name = "article_photo.shtml"; }else{ $tpl_layout_name = "article.shtml"; } }$authorid = intval( $news['author']);$author = $eladies->getAuthor( $authorid);$smarty = new Template;$smarty->assign('news',$news);$smarty->assign('author',$author);$smarty->assign('category',$category);$smarty->assign('share_title_content',$news_shcont_);$smarty->assign('onevision_ad_config',$onevision_ad_config);$smarty->assign('change_video_type',$change_video_type);$smarty->assign('WWW_ROOT',DEFAULT_WWW_ROOT);$smarty->assign('DEFAULT_DOC_ROOT',DEFAULT_DOC_ROOT);$smarty->assign('WWW_ROOT_IMAGES',WWW_ROOT_IMAGE);$smarty->assign('WWW_ROOT_CSS',WWW_ROOT_CSS);$smarty->assign('WWW_ROOT_JS',WWW_ROOT_JS);$smarty->assign('UPDATE_IMAES',UPDATE_IMAES);$smarty->assign('INCLUDE_TMPL_ROOT',INCLUDE_TMPL_ROOT);$smarty->assign('CRON_INDEX_TMPL',CRON_INDEX_TMPL);$smarty->assign('WWW_EXTRATMPL_ROOT',DEFAULT_WWW_ROOT."/templates/extratmpl");$patten = "/<img.*?src\s*=\s*[\"|\']?\s*([^>\"\'\s\[]*)/i";if( preg_match( $patten , $news['content'])){ $smarty->assign('CONTENT_IMG',"yes");}else{ $smarty->assign('CONTENT_IMG',"");}if( $images && !empty($images) ){ $smarty->assign('first_image',$images['info'][0]['photo_image1']); if( intval($news['media_count']) == 1 ){ $smarty->assign('first_image',$images['info'][0]['photo_image1']); }else{ //> 1 $smarty->assign('img_album_id',$img_album_id); }}if( !empty( $MemberInfo ) && isset($MemberInfo["NickName"])){ $smarty->assign('USER_NAME', $MemberInfo["NickName"] );}$catid = intval($category['id']);$topidinfo = $eladies->getCategory( $category['topid'] );if( $catid == "1" || $catid == "2055" ){ $smarty->display("todaynews/$tpl_layout_name"); exit;}elseif( $topidinfo && isset($topidinfo['id']) && $topidinfo['id'] != "1"){ $topid = intval( $topidinfo['id'] ); if( $topid == "107" ){ $toptmpl = $tmpl_access[100]['subsection'][107]['twname']; $path = "<a href=\"/fashion/brands/list.shtml\">".$toptmpl."</a>"; $catinfo = $eladies->getCategory( $catid ); $tmpl = $catinfo['cname']; $path.= " > <a href=\"get_tmpl.php?op=list&tpldir=fashion&secdir=brands&catid=".$catid."\">".$catinfo['cname']."</a>"; $tmplname = "fashion/$tpl_layout_name"; }elseif( $topid == "357"){ $toptmpl = $tmpl_access[101]['subsection'][357]['twname']; $path = "<a href=\"/beauty/brands/list.shtml\">".$toptmpl."</a>"; $catinfo = $eladies->getCategory( $catid ); $tmpl = $catinfo['cname']; $path.= " > <a href=\"get_tmpl.php?op=list&tpldir=beauty&secdir=brands&catid=".$catid."\">".$catinfo['cname']."</a>"; $tmplname = "beauty/$tpl_layout_name"; }else{ $toptmpl = $tmpl_access[$topid]['cname']; $path = "<a href=\"index.php?op=".$tmpl_access[$topid]['cname']."\">".$tmpl_access[$topid]['twname']."</a>"; $tmpl = $tmpl_access[$topid]['subsection'][$catid]['cname']; $tmplname = $toptmpl."/$tpl_layout_name"; $path.= " > <a href=\"get_tmpl.php?op=list&tpldir=".$tmpl_access[$topid]['cname']."&secdir=".$tmpl_access[$topid]['subsection'][$catid]['cname']."\">".$tmpl_access[$topid]['subsection'][$catid]['twname']."</a>"; }}else{ $tmpl = $tmpl_access[$catid]['cname']; $tmplname = $tmpl."/$tpl_layout_name"; $path = "<a href=\"index.php?op=".$tmpl_access[$catid]['cname']."\">".$tmpl_access[$catid]['twcname']."</a>";}if( !$tmpl ){ $path = ""; $tmplname = "todaynews/$tpl_layout_name";}$smarty->assign("pathname",$path);//add click record function //$smarty->assign('_common_js_clickrecord',$_common_js_clickrecord);//start 1.0 buy.sina.com.tw$HTTP_USER_AGENT=$_SERVER['HTTP_USER_AGENT'];if( eregi("BOT",strtoupper($HTTP_USER_AGENT)) || eregi("YAHOO",strtoupper($HTTP_USER_AGENT)) || eregi("GOOGLE",strtoupper($HTTP_USER_AGENT))){ $b_newsid = intval( $news['id']); if($b_newsid=="22700" || $b_newsid=="22688" || $b_newsid=="22615"){ $smarty->assign('BUY_REQ_USER_AGENT',"1"); } } //end 1.0 buy.sina.com.twif( $conn_news && !empty($conn_news )){ foreach( $conn_news as $key => $val ){ $conn_news[$key]['title'] = cut_str(strip_tags($val['title']),15,null); } $smarty->assign('conn_news',$conn_news);}else{ $smarty->assign('conn_news',"");}//*************************************************************************************//$specialid = intval(trim($_GET['special'])) ? intval(trim($_GET['special'])) : 0;if($specialid){ $sql = "select title from feature where type = '0' and id = '$specialid'"; $query = mysql_query($sql); $result = mysql_fetch_row($query); $title = $result[0]; $smarty->assign('specialID',$specialid); $smarty->assign('title',$title); $sql = "select href,image,cshow from feature where type = '1' and ztype = '$specialid'"; $query = mysql_query($sql); $result = mysql_fetch_row($query); list($bannerHref,$bannerImage,$bannerCshow) = $result; $smarty->assign('hasBanner',$bannerCshow); $smarty->assign('bannerHref',$bannerHref); $smarty->assign('bannerImage',$bannerImage); $smarty->assign('special',1);}if($specialid){ if(strpos($tmplname,'video')){ $sql = "select content,title from feature where type = '4' and ztype = '$specialid'"; $query = mysql_query($sql); while($result = mysql_fetch_row($query)){ if($result[0] == $id){ $about .= '<option selected>'.$result[1].'</option>'; }else { $about .= '<option value="./pre_news.php?id='.$result[0].'&special='.$specialid.'">'.$result[1].'</option>'; } } $smarty->assign('about',$about); }else{ $sql = "select ctype from feature where sort='$id'"; $query = mysql_query($sql); $result = mysql_fetch_row($query); $zflID = $result[0]; $sql = "select sort,title from feature where type = '3' and ctype = '$zflID'"; $query = mysql_query($sql); while($result = mysql_fetch_row($query)){ if($result[0] == $id){ $about .= '<option selected>'.$result[1].'</option>'; } else { $about .= '<option value="./pre_news.php?id='.$result[0].'&special='.$specialid.'">'.$result[1].'</option>'; } } $smarty->assign('about',$about); } $sql = "select sort,title,image from feature where type = '3' and ctype = '$zflID' and sort != '$id' limit 8"; $query = mysql_query($sql); while($result = mysql_fetch_row($query)){ list($tmp['id'],$tmp['title'],$tmp['image']) = $result; if(!$tmp['image']){ $tmp['image'] = 'http://eladies.sina.com.tw/images/dummy.gif'; } $righ[] = $tmp; unset($tmp); } $smarty->assign('righ',$righ);}//echo $tmplname;exit;if($specialid){ $nd_tmpl = explode('/',$tmplname); $tmplname = 'fashion/'.$nd_tmpl[1];}////*************************************************************************************debug_log('tmplname:'.$tmplname .' ==== _common_js_clickrecord is ====' . $_common_js_clickrecord);$eladies->replaceClickRecord($news['id'],$_common_js_clickrecord=='news'?0:1);//$smarty->display($tmplname);function debug_log($str) { if($fd = @fopen("/home/archive/logs/debug_result.txt", "a")) { fputs($fd, $str . "\n\r"); fclose($fd); } }?>
你们比我专业,你们懂的
危害等级:低
漏洞Rank:5
确认时间:2012-05-05 12:39
感谢提供!
暂无
不知道这个漏洞拿到礼物没