Vendor: https://github.com/xiebruce/PicUploader
version: before https://github.com/xiebruce/PicUploader/commit/fcf82eacc4ad2e62b6182ca152a48bda739157be
A SQL injection vulnerability is in https://github.com/xiebruce/PicUploader/blob/2ef5b21cb2ae831ff5a56473b0f1315a6f81ff65/settings/HistoryController.php#L189.
/**
 * Queries HistoryModel with a WHERE clause built from $conditionArr.
 *
 * Each array key is emitted as a backtick-quoted column name and each value
 * as a single-quoted literal; the pairs are joined with AND and the finished
 * string is passed to $model->findByConditions().
 *
 * SECURITY: keys and values are concatenated into the SQL text as-is. Nothing
 * in this method escapes them, checks keys against a list of known columns,
 * or binds values as prepared-statement parameters, so the caller's input
 * decides the structure of the WHERE clause. This is the SQL injection flaw.
 * A safe version accepts only known column names as keys and passes values
 * as bound parameters.
 *
 * @param array $conditionArr column => value pairs, used verbatim
 * @return mixed result of findByConditions(), or false if a PDOException was caught
 */
public function getByConditions($conditionArr){
$model = new HistoryModel();
try {
$where = '';
// $val is taken by reference but never written to inside the loop.
foreach($conditionArr as $key=>&$val){
// Injection point: $key and $val reach the SQL string without escaping or binding.
$where .= "`".$key."`='".$val."' AND ";
}
// Closes the trailing "AND " so the clause stays valid, including when $conditionArr is empty.
$where .= '1=1';
$res = $model->findByConditions($where);
}catch (\PDOException $exception){
// A database error is reported to the caller only as false; the driver message
// goes to AddMissingColumn(), which is defined outside this excerpt.
// NOTE(review): presumably it reacts to "missing column" errors, confirm against its definition.
$res = false;
$msg = $exception->getMessage();
$this->AddMissingColumn($model, $msg);
}
return $res;
}
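The variables $key and $val come from the parameter $conditionArr and are concatenated into the WHERE clause without escaping or parameter binding. Users can control the values of this parameter through
https://github.com/xiebruce/PicUploader/blob/2ef5b21cb2ae831ff5a56473b0f1315a6f81ff65/settings/dispatch.php#L30, which passes $_REQUEST to the controller method: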
// Dispatcher call site: the whole $_REQUEST array is passed as the only argument
// of the invoked controller method. When that method is getByConditions(), every
// key and value of $conditionArr is therefore request-supplied.
// How $className and $func are chosen is not shown in this excerpt.
$json = call_user_func_array(array((new $className()), $func), [$_REQUEST]);