Chip 扫描报告

chip.phar check ".\\" -o "emlog.html" -r html

2019-08-24 18:16:57 ~ 2019-08-24 18:16:59
扫描PHP文件128个，发现182处隐患。

扫描文件总览

文件名	总数	高危	警告
.\admin\admin_log.php	3	3	0
.\admin\attachment.php	2	2	0
.\admin\blogger.php	3	3	0
.\admin\comment.php	9	9	0
.\admin\configure.php	3	3	0
.\admin\data.php	3	3	0
.\admin\index.php	3	3	0
.\admin\link.php	6	6	0
.\admin\navbar.php	6	6	0
.\admin\page.php	9	9	0
.\admin\plugin.php	8	8	0
.\admin\seo.php	3	3	0
.\admin\sort.php	6	6	0
.\admin\store.php	9	9	0
.\admin\style.php	3	3	0
.\admin\tag.php	6	6	0
.\admin\template.php	12	12	0
.\admin\twitter.php	3	3	0
.\admin\user.php	6	6	0
.\admin\widgets.php	3	3	0
.\admin\write_log.php	6	6	0
.\content\templates\default\echo_log.php	2	2	0
.\content\templates\default\header.php	1	1	0
.\content\templates\default\log_list.php	2	2	0
.\content\templates\default\page.php	2	2	0
.\content\templates\default\side.php	2	2	0
.\content\templates\default\t.php	2	2	0
.\include\controller\author_controller.php	2	2	0
.\include\controller\log_controller.php	5	5	0
.\include\controller\record_controller.php	2	2	0
.\include\controller\search_controller.php	2	2	0
.\include\controller\sort_controller.php	2	2	0
.\include\controller\tag_controller.php	2	2	0
.\include\lib\cache.php	4	4	0
.\include\lib\dispatcher.php	2	1	1
.\include\lib\function.base.php	6	6	0
.\include\lib\loginauth.php	1	1	0
.\include\model\plugin_model.php	2	2	0
.\init.php	1	1	0
.\m\index.php	24	24	0
.\t\index.php	2	2	0
.\xmlrpc.php	2	2	0

扫描漏洞总览

.\admin\admin_log.php

等级	函数	说明
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 70: foreach ($_GET as $key=>$val) { 71: $subPage .= $key != 'page' ? "&$key=$val" : ''; 72: } 73: $pageurl = pagination($logNum, Option::get('admin_perpage_num'), $page, "admin_log.php?{$subPage}&page="); 74: 75: include View::getView('header'); 76: require_once View::getView('admin_log'); 77: include View::getView('footer');View::output(); 78:} 79: 80://操作文章
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 71: $subPage .= $key != 'page' ? "&$key=$val" : ''; 72: } 73: $pageurl = pagination($logNum, Option::get('admin_perpage_num'), $page, "admin_log.php?{$subPage}&page="); 74: 75: include View::getView('header'); 76: require_once View::getView('admin_log'); 77: include View::getView('footer');View::output(); 78:} 79: 80://操作文章 81:if ($action == 'operate_log') {
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 72: } 73: $pageurl = pagination($logNum, Option::get('admin_perpage_num'), $page, "admin_log.php?{$subPage}&page="); 74: 75: include View::getView('header'); 76: require_once View::getView('admin_log'); 77: include View::getView('footer');View::output(); 78:} 79: 80://操作文章 81:if ($action == 'operate_log') { 82: $operate = isset($_REQUEST['operate']) ? $_REQUEST['operate'] : '';

.\admin\attachment.php

等级	函数	说明
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 26: foreach (Option::getAttType() as $val) { 27: $att_type_str .= " $val"; 28: $att_type_for_muti .= '*.'.$val.';'; 29: } 30: $view_tpl = $multi ? 'upload_multi' : 'upload'; 31: require_once(View::getView($view_tpl)); 32: View::output(); 33:} 34: 35://上传附件 36:if ($action == 'upload') {
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 113: $attach[$row['aid']]['thum_width'] = $thum['width']; 114: $attach[$row['aid']]['thum_height'] = $thum['height']; 115: } 116: } 117: $attachnum = count($attach); 118: include View::getView('attlib'); 119: View::output(); 120:} 121: 122://删除附件 123:if ($action == 'del_attach') {

.\admin\blogger.php

等级	函数	说明
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 17: $icon = "<img src=\"{$photo}\" width=\"{$imgsize['w']}\" height=\"{$imgsize['h']}\" style=\"border:1px solid #CCCCCC;padding:1px;\" /> 18: <br /><a href=\"javascript: em_confirm(0, 'avatar', '$token');\">删除头像</a>"; 19: } else { 20: $icon = '<img src="./views/images/avatar.jpg" />'; 21: } 22: include View::getView('header'); 23: require_once(View::getView('blogger')); 24: include View::getView('footer'); 25: View::output(); 26:} 27:
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 18: <br /><a href=\"javascript: em_confirm(0, 'avatar', '$token');\">删除头像</a>"; 19: } else { 20: $icon = '<img src="./views/images/avatar.jpg" />'; 21: } 22: include View::getView('header'); 23: require_once(View::getView('blogger')); 24: include View::getView('footer'); 25: View::output(); 26:} 27: 28:if ($action == 'update') {
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 19: } else { 20: $icon = '<img src="./views/images/avatar.jpg" />'; 21: } 22: include View::getView('header'); 23: require_once(View::getView('blogger')); 24: include View::getView('footer'); 25: View::output(); 26:} 27: 28:if ($action == 'update') { 29: LoginAuth::checkToken();

.\admin\comment.php

等级	函数	说明
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 20: $comment = $Comment_Model->getComments(1, $blogId, $hide, $page); 21: $cmnum = $Comment_Model->getCommentNum($blogId, $hide); 22: $hideCommNum = $Comment_Model->getCommentNum($blogId, 'y'); 23: $pageurl = pagination($cmnum, Option::get('admin_perpage_num'), $page, "comment.php?{$addUrl}page="); 24: 25: include View::getView('header'); 26: require_once(View::getView('comment')); 27: include View::getView('footer'); 28: View::output(); 29:} 30:
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 21: $cmnum = $Comment_Model->getCommentNum($blogId, $hide); 22: $hideCommNum = $Comment_Model->getCommentNum($blogId, 'y'); 23: $pageurl = pagination($cmnum, Option::get('admin_perpage_num'), $page, "comment.php?{$addUrl}page="); 24: 25: include View::getView('header'); 26: require_once(View::getView('comment')); 27: include View::getView('footer'); 28: View::output(); 29:} 30: 31:if ($action== 'del') {
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 22: $hideCommNum = $Comment_Model->getCommentNum($blogId, 'y'); 23: $pageurl = pagination($cmnum, Option::get('admin_perpage_num'), $page, "comment.php?{$addUrl}page="); 24: 25: include View::getView('header'); 26: require_once(View::getView('comment')); 27: include View::getView('footer'); 28: View::output(); 29:} 30: 31:if ($action== 'del') { 32: $id = isset($_GET['id']) ? intval($_GET['id']) : '';
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 88: emDirect("./comment.php?active_show=1"); 89: } 90:} 91: 92:if ($action== 'reply_comment') { 93: include View::getView('header'); 94: $commentId = isset($_GET['cid']) ? intval($_GET['cid']) : ''; 95: $commentArray = $Comment_Model->getOneComment($commentId); 96: extract($commentArray); 97: 98: require_once(View::getView('comment_reply'));
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 93: include View::getView('header'); 94: $commentId = isset($_GET['cid']) ? intval($_GET['cid']) : ''; 95: $commentArray = $Comment_Model->getOneComment($commentId); 96: extract($commentArray); 97: 98: require_once(View::getView('comment_reply')); 99: include View::getView('footer'); 100: View::output(); 101:} 102: 103:if ($action== 'edit_comment') {
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 94: $commentId = isset($_GET['cid']) ? intval($_GET['cid']) : ''; 95: $commentArray = $Comment_Model->getOneComment($commentId); 96: extract($commentArray); 97: 98: require_once(View::getView('comment_reply')); 99: include View::getView('footer'); 100: View::output(); 101:} 102: 103:if ($action== 'edit_comment') { 104: $commentId = isset($_GET['cid']) ? intval($_GET['cid']) : '';
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 106: if (!$commentArray) { 107: emMsg('不存在该评论！', './comment.php'); 108: } 109: extract($commentArray); 110: 111: include View::getView('header'); 112: require_once(View::getView('comment_edit')); 113: include View::getView('footer'); 114: View::output(); 115:} 116:
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 107: emMsg('不存在该评论！', './comment.php'); 108: } 109: extract($commentArray); 110: 111: include View::getView('header'); 112: require_once(View::getView('comment_edit')); 113: include View::getView('footer'); 114: View::output(); 115:} 116: 117:if ($action=='doreply') {
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 108: } 109: extract($commentArray); 110: 111: include View::getView('header'); 112: require_once(View::getView('comment_edit')); 113: include View::getView('footer'); 114: View::output(); 115:} 116: 117:if ($action=='doreply') { 118: $reply = isset($_POST['reply']) ? trim(addslashes($_POST['reply'])) : '';

.\admin\configure.php

等级	函数	说明
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 37: $ex3 = 'selected="selected"'; 38: } else { 39: $ex4 = 'selected="selected"'; 40: } 41: 42: include View::getView('header'); 43: require_once(View::getView('configure')); 44: include View::getView('footer'); 45: View::output(); 46:} 47:
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 38: } else { 39: $ex4 = 'selected="selected"'; 40: } 41: 42: include View::getView('header'); 43: require_once(View::getView('configure')); 44: include View::getView('footer'); 45: View::output(); 46:} 47: 48:if ($action == 'mod_config') {
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 39: $ex4 = 'selected="selected"'; 40: } 41: 42: include View::getView('header'); 43: require_once(View::getView('configure')); 44: include View::getView('footer'); 45: View::output(); 46:} 47: 48:if ($action == 'mod_config') { 49: LoginAuth::checkToken();

.\admin\data.php

等级	函数	说明
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 11: $bakfiles = $retval ? $retval : array(); 12: $timezone = Option::get('timezone'); 13: $tables = array('attachment', 'blog', 'comment', 'options', 'navi', 'reply', 'sort', 'link','tag','twitter','user'); 14: doAction('data_prebakup'); 15: 16: include View::getView('header'); 17: require_once(View::getView('data')); 18: include View::getView('footer'); 19: View::output(); 20:} 21:
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 12: $timezone = Option::get('timezone'); 13: $tables = array('attachment', 'blog', 'comment', 'options', 'navi', 'reply', 'sort', 'link','tag','twitter','user'); 14: doAction('data_prebakup'); 15: 16: include View::getView('header'); 17: require_once(View::getView('data')); 18: include View::getView('footer'); 19: View::output(); 20:} 21: 22:if ($action == 'bakstart') {
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 13: $tables = array('attachment', 'blog', 'comment', 'options', 'navi', 'reply', 'sort', 'link','tag','twitter','user'); 14: doAction('data_prebakup'); 15: 16: include View::getView('header'); 17: require_once(View::getView('data')); 18: include View::getView('footer'); 19: View::output(); 20:} 21: 22:if ($action == 'bakstart') { 23: LoginAuth::checkToken();

.\admin\index.php

等级	函数	说明
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 26: } 27: } else{ 28: $gd_ver = '不支持'; 29: } 30: 31: include View::getView('header'); 32: require_once(View::getView('index')); 33: include View::getView('footer'); 34: View::output(); 35:} 36:if ($action == 'update' && ROLE == ROLE_ADMIN) {
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 27: } else{ 28: $gd_ver = '不支持'; 29: } 30: 31: include View::getView('header'); 32: require_once(View::getView('index')); 33: include View::getView('footer'); 34: View::output(); 35:} 36:if ($action == 'update' && ROLE == ROLE_ADMIN) { 37: $source = isset($_GET['source']) ? trim($_GET['source']) : '';
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 28: $gd_ver = '不支持'; 29: } 30: 31: include View::getView('header'); 32: require_once(View::getView('index')); 33: include View::getView('footer'); 34: View::output(); 35:} 36:if ($action == 'update' && ROLE == ROLE_ADMIN) { 37: $source = isset($_GET['source']) ? trim($_GET['source']) : ''; 38: $upsql = isset($_GET['upsql']) ? trim($_GET['upsql']) : '';

.\admin\link.php

等级	函数	说明
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 8: 9:$Link_Model = new Link_Model(); 10: 11:if ($action == '') { 12: $links = $Link_Model->getLinks(); 13: include View::getView('header'); 14: require_once(View::getView('links')); 15: include View::getView('footer'); 16: View::output(); 17:} 18:
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 9:$Link_Model = new Link_Model(); 10: 11:if ($action == '') { 12: $links = $Link_Model->getLinks(); 13: include View::getView('header'); 14: require_once(View::getView('links')); 15: include View::getView('footer'); 16: View::output(); 17:} 18: 19:if ($action== 'link_taxis') {
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 10: 11:if ($action == '') { 12: $links = $Link_Model->getLinks(); 13: include View::getView('header'); 14: require_once(View::getView('links')); 15: include View::getView('footer'); 16: View::output(); 17:} 18: 19:if ($action== 'link_taxis') { 20: $link = isset($_POST['link']) ? $_POST['link'] : '';
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 52: $linkId = isset($_GET['linkid']) ? intval($_GET['linkid']) : ''; 53: 54: $linkData = $Link_Model->getOneLink($linkId); 55: extract($linkData); 56: 57: include View::getView('header'); 58: require_once(View::getView('linkedit')); 59: include View::getView('footer');View::output(); 60:} 61: 62:if ($action=='update_link') {
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 53: 54: $linkData = $Link_Model->getOneLink($linkId); 55: extract($linkData); 56: 57: include View::getView('header'); 58: require_once(View::getView('linkedit')); 59: include View::getView('footer');View::output(); 60:} 61: 62:if ($action=='update_link') { 63: $sitename = isset($_POST['sitename']) ? addslashes(trim($_POST['sitename'])) : '';
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 54: $linkData = $Link_Model->getOneLink($linkId); 55: extract($linkData); 56: 57: include View::getView('header'); 58: require_once(View::getView('linkedit')); 59: include View::getView('footer');View::output(); 60:} 61: 62:if ($action=='update_link') { 63: $sitename = isset($_POST['sitename']) ? addslashes(trim($_POST['sitename'])) : ''; 64: $siteurl = isset($_POST['siteurl']) ? addslashes(trim($_POST['siteurl'])) : '';

.\admin\navbar.php

等级	函数	说明
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 13: 14: $navis = $Navi_Model->getNavis(); 15: $sorts = $CACHE->readCache('sort'); 16: $pages = $emPage->getAllPageList(); 17: 18: include View::getView('header'); 19: require_once(View::getView('navbar')); 20: include View::getView('footer'); 21: View::output(); 22:} 23:
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 14: $navis = $Navi_Model->getNavis(); 15: $sorts = $CACHE->readCache('sort'); 16: $pages = $emPage->getAllPageList(); 17: 18: include View::getView('header'); 19: require_once(View::getView('navbar')); 20: include View::getView('footer'); 21: View::output(); 22:} 23: 24:if ($action== 'taxis') {
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 15: $sorts = $CACHE->readCache('sort'); 16: $pages = $emPage->getAllPageList(); 17: 18: include View::getView('header'); 19: require_once(View::getView('navbar')); 20: include View::getView('footer'); 21: View::output(); 22:} 23: 24:if ($action== 'taxis') { 25: $navi = isset($_POST['navi']) ? $_POST['navi'] : '';
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 102: } 103: 104: $conf_newtab = $newtab == 'y' ? 'checked="checked"' : ''; 105: $conf_isdefault = $type != Navi_Model::navitype_custom ? 'disabled="disabled"' : ''; 106: 107: include View::getView('header'); 108: require_once(View::getView('naviedit')); 109: include View::getView('footer');View::output(); 110:} 111: 112:if ($action=='update') {
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 103: 104: $conf_newtab = $newtab == 'y' ? 'checked="checked"' : ''; 105: $conf_isdefault = $type != Navi_Model::navitype_custom ? 'disabled="disabled"' : ''; 106: 107: include View::getView('header'); 108: require_once(View::getView('naviedit')); 109: include View::getView('footer');View::output(); 110:} 111: 112:if ($action=='update') { 113: $naviname = isset($_POST['naviname']) ? addslashes(trim($_POST['naviname'])) : '';
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 104: $conf_newtab = $newtab == 'y' ? 'checked="checked"' : ''; 105: $conf_isdefault = $type != Navi_Model::navitype_custom ? 'disabled="disabled"' : ''; 106: 107: include View::getView('header'); 108: require_once(View::getView('naviedit')); 109: include View::getView('footer');View::output(); 110:} 111: 112:if ($action=='update') { 113: $naviname = isset($_POST['naviname']) ? addslashes(trim($_POST['naviname'])) : ''; 114: $url = isset($_POST['url']) ? addslashes(trim($_POST['url'])) : '';

.\admin\page.php

等级	函数	说明
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 15: $pages = $emPage->getLogsForAdmin('', '', $page, 'page'); 16: $pageNum = $emPage->getLogNum('','','page', 1); 17: 18: $pageurl = pagination($pageNum, Option::get('admin_perpage_num'), $page, "./page.php?page="); 19: 20: include View::getView('header'); 21: require_once(View::getView('admin_page')); 22: include View::getView('footer'); 23: View::output(); 24:} 25://显示新建页面表单
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 16: $pageNum = $emPage->getLogNum('','','page', 1); 17: 18: $pageurl = pagination($pageNum, Option::get('admin_perpage_num'), $page, "./page.php?page="); 19: 20: include View::getView('header'); 21: require_once(View::getView('admin_page')); 22: include View::getView('footer'); 23: View::output(); 24:} 25://显示新建页面表单 26:if ($action == 'new') {
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 17: 18: $pageurl = pagination($pageNum, Option::get('admin_perpage_num'), $page, "./page.php?page="); 19: 20: include View::getView('header'); 21: require_once(View::getView('admin_page')); 22: include View::getView('footer'); 23: View::output(); 24:} 25://显示新建页面表单 26:if ($action == 'new') { 27: include View::getView('header');
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 22: include View::getView('footer'); 23: View::output(); 24:} 25://显示新建页面表单 26:if ($action == 'new') { 27: include View::getView('header'); 28: require_once(View::getView('add_page')); 29: include View::getView('footer'); 30: View::output(); 31:} 32://显示编辑页面表单
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 23: View::output(); 24:} 25://显示新建页面表单 26:if ($action == 'new') { 27: include View::getView('header'); 28: require_once(View::getView('add_page')); 29: include View::getView('footer'); 30: View::output(); 31:} 32://显示编辑页面表单 33:if ($action == 'mod') {
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 24:} 25://显示新建页面表单 26:if ($action == 'new') { 27: include View::getView('header'); 28: require_once(View::getView('add_page')); 29: include View::getView('footer'); 30: View::output(); 31:} 32://显示编辑页面表单 33:if ($action == 'mod') { 34: $emPage = new Log_Model();
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 41: $blank = isset($navibar[$pageId]['is_blank']) ? $navibar[$pageId]['is_blank'] : '' ; 42: 43: $is_allow_remark = $allow_remark == 'y' ? 'checked="checked"' : ''; 44: $is_blank = $blank == '_blank' ? 'checked="checked"' : ''; 45: 46: include View::getView('header'); 47: require_once(View::getView('edit_page')); 48: include View::getView('footer'); 49: View::output(); 50:} 51://保存页面
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 42: 43: $is_allow_remark = $allow_remark == 'y' ? 'checked="checked"' : ''; 44: $is_blank = $blank == '_blank' ? 'checked="checked"' : ''; 45: 46: include View::getView('header'); 47: require_once(View::getView('edit_page')); 48: include View::getView('footer'); 49: View::output(); 50:} 51://保存页面 52:if ($action == 'add' \|\| $action == 'edit' \|\| $action == 'autosave') {
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 43: $is_allow_remark = $allow_remark == 'y' ? 'checked="checked"' : ''; 44: $is_blank = $blank == '_blank' ? 'checked="checked"' : ''; 45: 46: include View::getView('header'); 47: require_once(View::getView('edit_page')); 48: include View::getView('footer'); 49: View::output(); 50:} 51://保存页面 52:if ($action == 'add' \|\| $action == 'edit' \|\| $action == 'autosave') { 53: $emPage = new Log_Model();

.\admin\plugin.php

等级	函数	说明
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 10: 11:if ($action == '' && !$plugin) { 12: $Plugin_Model = new Plugin_Model(); 13: $plugins = $Plugin_Model->getPlugins(); 14: 15: include View::getView('header'); 16: require_once(View::getView('plugin')); 17: include View::getView('footer'); 18: View::output(); 19:} 20:
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 11:if ($action == '' && !$plugin) { 12: $Plugin_Model = new Plugin_Model(); 13: $plugins = $Plugin_Model->getPlugins(); 14: 15: include View::getView('header'); 16: require_once(View::getView('plugin')); 17: include View::getView('footer'); 18: View::output(); 19:} 20: 21://激活
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 12: $Plugin_Model = new Plugin_Model(); 13: $plugins = $Plugin_Model->getPlugins(); 14: 15: include View::getView('header'); 16: require_once(View::getView('plugin')); 17: include View::getView('footer'); 18: View::output(); 19:} 20: 21://激活 22:if ($action == 'active') {
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 39: emDirect("./plugin.php?inactive=1"); 40:} 41: 42://加载插件配置页面 43:if ($action == '' && $plugin) { 44: include View::getView('header'); 45: require_once "../content/plugins/{$plugin}/{$plugin}_setting.php"; 46: plugin_setting_view(); 47: include View::getView('footer'); 48:} 49:
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 42://加载插件配置页面 43:if ($action == '' && $plugin) { 44: include View::getView('header'); 45: require_once "../content/plugins/{$plugin}/{$plugin}_setting.php"; 46: plugin_setting_view(); 47: include View::getView('footer'); 48:} 49: 50://保存插件设置 51:if ($action == 'setting') { 52: if (!empty($_POST)) {
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 61: } 62:} 63: 64://安装插件 65:if ($action == 'install') { 66: include View::getView('header'); 67: require_once View::getView('plugin_install'); 68: include View::getView('footer'); 69: View::output(); 70:} 71:
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 62:} 63: 64://安装插件 65:if ($action == 'install') { 66: include View::getView('header'); 67: require_once View::getView('plugin_install'); 68: include View::getView('footer'); 69: View::output(); 70:} 71: 72://删除插件
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 63: 64://安装插件 65:if ($action == 'install') { 66: include View::getView('header'); 67: require_once View::getView('plugin_install'); 68: include View::getView('footer'); 69: View::output(); 70:} 71: 72://删除插件 73:if ($action == 'del') {

.\admin\seo.php

等级	函数	说明
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 19: $$t = 'selected="selected"'; 20: 21: $isalias = $isalias == 'y' ? 'checked="checked"' : ''; 22: $isalias_html = $isalias_html == 'y' ? 'checked="checked"' : ''; 23: 24: include View::getView('header'); 25: require_once(View::getView('seo')); 26: include View::getView('footer'); 27: View::output(); 28:} 29:
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 20: 21: $isalias = $isalias == 'y' ? 'checked="checked"' : ''; 22: $isalias_html = $isalias_html == 'y' ? 'checked="checked"' : ''; 23: 24: include View::getView('header'); 25: require_once(View::getView('seo')); 26: include View::getView('footer'); 27: View::output(); 28:} 29: 30:if ($action == 'update') {
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 21: $isalias = $isalias == 'y' ? 'checked="checked"' : ''; 22: $isalias_html = $isalias_html == 'y' ? 'checked="checked"' : ''; 23: 24: include View::getView('header'); 25: require_once(View::getView('seo')); 26: include View::getView('footer'); 27: View::output(); 28:} 29: 30:if ($action == 'update') { 31: LoginAuth::checkToken();

.\admin\sort.php

等级	函数	说明
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 8: 9:$Sort_Model = new Sort_Model(); 10:$sorts = $CACHE->readCache('sort'); 11: 12:if ($action == '') { 13: include View::getView('header'); 14: require_once View::getView('sort'); 15: include View::getView('footer'); 16: View::output(); 17:} 18:
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 9:$Sort_Model = new Sort_Model(); 10:$sorts = $CACHE->readCache('sort'); 11: 12:if ($action == '') { 13: include View::getView('header'); 14: require_once View::getView('sort'); 15: include View::getView('footer'); 16: View::output(); 17:} 18: 19:if ($action == 'taxis') {
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 10:$sorts = $CACHE->readCache('sort'); 11: 12:if ($action == '') { 13: include View::getView('header'); 14: require_once View::getView('sort'); 15: include View::getView('footer'); 16: View::output(); 17:} 18: 19:if ($action == 'taxis') { 20: $sort = isset($_POST['sort']) ? $_POST['sort'] : '';
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 71: $sid = isset($_GET['sid']) ? intval($_GET['sid']) : ''; 72: 73: $sortData = $Sort_Model->getOneSortById($sid); 74: extract($sortData); 75: 76: include View::getView('header'); 77: require_once(View::getView('sortedit')); 78: include View::getView('footer'); 79: View::output(); 80:} 81:
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 72: 73: $sortData = $Sort_Model->getOneSortById($sid); 74: extract($sortData); 75: 76: include View::getView('header'); 77: require_once(View::getView('sortedit')); 78: include View::getView('footer'); 79: View::output(); 80:} 81: 82:if ($action == 'update') {
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 73: $sortData = $Sort_Model->getOneSortById($sid); 74: extract($sortData); 75: 76: include View::getView('header'); 77: require_once(View::getView('sortedit')); 78: include View::getView('footer'); 79: View::output(); 80:} 81: 82:if ($action == 'update') { 83: $sid = isset($_POST['sid']) ? intval($_POST['sid']) : '';

.\admin\store.php

等级	函数	说明
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 6: 7:require_once 'globals.php'; 8: 9:if ($action == '') { 10: $site_url_encode = rawurlencode(base64_encode(BLOG_URL)); 11: include View::getView('header'); 12: require_once(View::getView('store')); 13: include View::getView('footer'); 14: View::output(); 15:} 16:
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 7:require_once 'globals.php'; 8: 9:if ($action == '') { 10: $site_url_encode = rawurlencode(base64_encode(BLOG_URL)); 11: include View::getView('header'); 12: require_once(View::getView('store')); 13: include View::getView('footer'); 14: View::output(); 15:} 16: 17:if ($action == 'instpl') {
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 8: 9:if ($action == '') { 10: $site_url_encode = rawurlencode(base64_encode(BLOG_URL)); 11: include View::getView('header'); 12: require_once(View::getView('store')); 13: include View::getView('footer'); 14: View::output(); 15:} 16: 17:if ($action == 'instpl') { 18: $source = isset($_GET['source']) ? trim($_GET['source']) : '';
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 17:if ($action == 'instpl') { 18: $source = isset($_GET['source']) ? trim($_GET['source']) : ''; 19: $source_type = 'tpl'; 20: $source_typename = '模板'; 21: $source_typeurl = '<a href="template.php">查看模板</a>'; 22: include View::getView('header'); 23: require_once(View::getView('store_install')); 24: include View::getView('footer'); 25:} 26: 27:if ($action == 'insplu') {
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 18: $source = isset($_GET['source']) ? trim($_GET['source']) : ''; 19: $source_type = 'tpl'; 20: $source_typename = '模板'; 21: $source_typeurl = '<a href="template.php">查看模板</a>'; 22: include View::getView('header'); 23: require_once(View::getView('store_install')); 24: include View::getView('footer'); 25:} 26: 27:if ($action == 'insplu') { 28: $source = isset($_GET['source']) ? trim($_GET['source']) : '';
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 19: $source_type = 'tpl'; 20: $source_typename = '模板'; 21: $source_typeurl = '<a href="template.php">查看模板</a>'; 22: include View::getView('header'); 23: require_once(View::getView('store_install')); 24: include View::getView('footer'); 25:} 26: 27:if ($action == 'insplu') { 28: $source = isset($_GET['source']) ? trim($_GET['source']) : ''; 29: $source_type = 'plu';
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 27:if ($action == 'insplu') { 28: $source = isset($_GET['source']) ? trim($_GET['source']) : ''; 29: $source_type = 'plu'; 30: $source_typename = '插件'; 31: $source_typeurl = '<a href="plugin.php">查看插件</a>'; 32: include View::getView('header'); 33: require_once(View::getView('store_install')); 34: include View::getView('footer'); 35:} 36: 37:if ($action == 'addon') {
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 28: $source = isset($_GET['source']) ? trim($_GET['source']) : ''; 29: $source_type = 'plu'; 30: $source_typename = '插件'; 31: $source_typeurl = '<a href="plugin.php">查看插件</a>'; 32: include View::getView('header'); 33: require_once(View::getView('store_install')); 34: include View::getView('footer'); 35:} 36: 37:if ($action == 'addon') { 38: $source = isset($_GET['source']) ? trim($_GET['source']) : '';
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 29: $source_type = 'plu'; 30: $source_typename = '插件'; 31: $source_typeurl = '<a href="plugin.php">查看插件</a>'; 32: include View::getView('header'); 33: require_once(View::getView('store_install')); 34: include View::getView('footer'); 35:} 36: 37:if ($action == 'addon') { 38: $source = isset($_GET['source']) ? trim($_GET['source']) : ''; 39: $source_type = isset($_GET['type']) ? trim($_GET['type']) : '';

.\admin\style.php

等级	函数	说明
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 32: } 33: } 34: closedir($handle); 35: $stylenums = count($styles); 36: 37: include View::getView('header'); 38: require_once(View::getView('style')); 39: include View::getView('footer'); 40: View::output(); 41:} 42:
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 33: } 34: closedir($handle); 35: $stylenums = count($styles); 36: 37: include View::getView('header'); 38: require_once(View::getView('style')); 39: include View::getView('footer'); 40: View::output(); 41:} 42: 43://update
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 34: closedir($handle); 35: $stylenums = count($styles); 36: 37: include View::getView('header'); 38: require_once(View::getView('style')); 39: include View::getView('footer'); 40: View::output(); 41:} 42: 43://update 44:if ($action == 'usestyle') {

.\admin\tag.php

等级	函数	说明
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 8: 9:$Tag_Model = new Tag_Model(); 10: 11:if ($action == '') { 12: $tags = $Tag_Model->getTag(); 13: include View::getView('header'); 14: require_once View::getView('tag'); 15: include View::getView('footer'); 16: View::output(); 17:} 18:
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 9:$Tag_Model = new Tag_Model(); 10: 11:if ($action == '') { 12: $tags = $Tag_Model->getTag(); 13: include View::getView('header'); 14: require_once View::getView('tag'); 15: include View::getView('footer'); 16: View::output(); 17:} 18: 19:if ($action== "mod_tag") {
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 10: 11:if ($action == '') { 12: $tags = $Tag_Model->getTag(); 13: include View::getView('header'); 14: require_once View::getView('tag'); 15: include View::getView('footer'); 16: View::output(); 17:} 18: 19:if ($action== "mod_tag") { 20: $tagId = isset($_GET['tid']) ? intval($_GET['tid']) : '';
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 18: 19:if ($action== "mod_tag") { 20: $tagId = isset($_GET['tid']) ? intval($_GET['tid']) : ''; 21: $tag = $Tag_Model->getOneTag($tagId); 22: extract($tag); 23: include View::getView('header'); 24: require_once View::getView('tagedit'); 25: include View::getView('footer');View::output(); 26:} 27: 28://标签修改
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 19:if ($action== "mod_tag") { 20: $tagId = isset($_GET['tid']) ? intval($_GET['tid']) : ''; 21: $tag = $Tag_Model->getOneTag($tagId); 22: extract($tag); 23: include View::getView('header'); 24: require_once View::getView('tagedit'); 25: include View::getView('footer');View::output(); 26:} 27: 28://标签修改 29:if ($action=='update_tag') {
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 20: $tagId = isset($_GET['tid']) ? intval($_GET['tid']) : ''; 21: $tag = $Tag_Model->getOneTag($tagId); 22: extract($tag); 23: include View::getView('header'); 24: require_once View::getView('tagedit'); 25: include View::getView('footer');View::output(); 26:} 27: 28://标签修改 29:if ($action=='update_tag') { 30: $tagName = isset($_POST['tagname']) ? addslashes($_POST['tagname']) : '';

.\admin\template.php

等级	函数	说明
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 42: } 43: closedir($handle); 44: 45: $tplnums = count($tpls); 46: 47: include View::getView('header'); 48: require_once View::getView('template'); 49: include View::getView('footer'); 50: View::output(); 51:} 52:
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 43: closedir($handle); 44: 45: $tplnums = count($tpls); 46: 47: include View::getView('header'); 48: require_once View::getView('template'); 49: include View::getView('footer'); 50: View::output(); 51:} 52: 53://使用模板
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 44: 45: $tplnums = count($tpls); 46: 47: include View::getView('header'); 48: require_once View::getView('template'); 49: include View::getView('footer'); 50: View::output(); 51:} 52: 53://使用模板 54:if ($action == 'usetpl')
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 93: } 94: $custom_topimgs = Option::get('custom_topimgs'); 95: $topimgs = array_merge($default_topimgs, $custom_topimgs); 96: closedir($handle); 97: 98: include View::getView('header'); 99: require_once View::getView('template_top'); 100: include View::getView('footer'); 101: View::output(); 102:} 103:
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 94: $custom_topimgs = Option::get('custom_topimgs'); 95: $topimgs = array_merge($default_topimgs, $custom_topimgs); 96: closedir($handle); 97: 98: include View::getView('header'); 99: require_once View::getView('template_top'); 100: include View::getView('footer'); 101: View::output(); 102:} 103: 104://使用顶部图片
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 95: $topimgs = array_merge($default_topimgs, $custom_topimgs); 96: closedir($handle); 97: 98: include View::getView('header'); 99: require_once View::getView('template_top'); 100: include View::getView('footer'); 101: View::output(); 102:} 103: 104://使用顶部图片 105:if ($action == 'update_top')
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 144: } 145: } else{ 146: emDirect("./template.php?action=custom-top"); 147: } 148: 149: include View::getView('header'); 150: require_once View::getView('template_crop'); 151: include View::getView('footer'); 152: View::output(); 153:} 154:
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 145: } else{ 146: emDirect("./template.php?action=custom-top"); 147: } 148: 149: include View::getView('header'); 150: require_once View::getView('template_crop'); 151: include View::getView('footer'); 152: View::output(); 153:} 154: 155://裁剪图片
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 146: emDirect("./template.php?action=custom-top"); 147: } 148: 149: include View::getView('header'); 150: require_once View::getView('template_crop'); 151: include View::getView('footer'); 152: View::output(); 153:} 154: 155://裁剪图片 156:if ($action == 'crop') {
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 188:} 189: 190://安装模板 191:if ($action == 'install') 192:{ 193: include View::getView('header'); 194: require_once View::getView('template_install'); 195: include View::getView('footer'); 196: View::output(); 197:} 198:
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 189: 190://安装模板 191:if ($action == 'install') 192:{ 193: include View::getView('header'); 194: require_once View::getView('template_install'); 195: include View::getView('footer'); 196: View::output(); 197:} 198: 199://上传zip模板
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 190://安装模板 191:if ($action == 'install') 192:{ 193: include View::getView('header'); 194: require_once View::getView('template_install'); 195: include View::getView('footer'); 196: View::output(); 197:} 198: 199://上传zip模板 200:if ($action == 'upload_zip') {

.\admin\twitter.php

等级	函数	说明
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 16: $tws = $Twitter_Model->getTwitters($page,1); 17: $twnum = $Twitter_Model->getTwitterNum(1); 18: $pageurl = pagination($twnum, Option::get('admin_perpage_num'), $page, 'twitter.php?page='); 19: $avatar = empty($user_cache[UID]['avatar']) ? './views/images/avatar.jpg' : '../' . $user_cache[UID]['avatar']; 20: 21: include View::getView('header'); 22: require_once View::getView('twitter'); 23: include View::getView('footer'); 24: View::output(); 25:} 26:// 发布微语.
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 17: $twnum = $Twitter_Model->getTwitterNum(1); 18: $pageurl = pagination($twnum, Option::get('admin_perpage_num'), $page, 'twitter.php?page='); 19: $avatar = empty($user_cache[UID]['avatar']) ? './views/images/avatar.jpg' : '../' . $user_cache[UID]['avatar']; 20: 21: include View::getView('header'); 22: require_once View::getView('twitter'); 23: include View::getView('footer'); 24: View::output(); 25:} 26:// 发布微语. 27:if ($action == 'post') {
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 18: $pageurl = pagination($twnum, Option::get('admin_perpage_num'), $page, 'twitter.php?page='); 19: $avatar = empty($user_cache[UID]['avatar']) ? './views/images/avatar.jpg' : '../' . $user_cache[UID]['avatar']; 20: 21: include View::getView('header'); 22: require_once View::getView('twitter'); 23: include View::getView('footer'); 24: View::output(); 25:} 26:// 发布微语. 27:if ($action == 'post') { 28: $t = isset($_POST['t']) ? addslashes(trim($_POST['t'])) : '';

.\admin\user.php

等级	函数	说明
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 13: $page = isset($_GET['page']) ? intval($_GET['page']) : 1; 14: $users = $User_Model->getUsers($page); 15: $usernum = $User_Model->getUserNum(); 16: $pageurl = pagination($usernum, Option::get('admin_perpage_num'), $page, "./user.php?page="); 17: 18: include View::getView('header'); 19: require_once View::getView('user'); 20: include View::getView('footer'); 21: View::output(); 22:} 23:
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 14: $users = $User_Model->getUsers($page); 15: $usernum = $User_Model->getUserNum(); 16: $pageurl = pagination($usernum, Option::get('admin_perpage_num'), $page, "./user.php?page="); 17: 18: include View::getView('header'); 19: require_once View::getView('user'); 20: include View::getView('footer'); 21: View::output(); 22:} 23: 24:if ($action== 'new') {
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 15: $usernum = $User_Model->getUserNum(); 16: $pageurl = pagination($usernum, Option::get('admin_perpage_num'), $page, "./user.php?page="); 17: 18: include View::getView('header'); 19: require_once View::getView('user'); 20: include View::getView('footer'); 21: View::output(); 22:} 23: 24:if ($action== 'new') { 25: $login = isset($_POST['login']) ? addslashes(trim($_POST['login'])) : '';
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 71: $ex3 = 'selected="selected"'; 72: } elseif ($ischeck == 'y') { 73: $ex4 = 'selected="selected"'; 74: } 75: 76: include View::getView('header'); 77: require_once View::getView('useredit'); 78: include View::getView('footer');View::output(); 79:} 80: 81:if ($action=='update') {
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 72: } elseif ($ischeck == 'y') { 73: $ex4 = 'selected="selected"'; 74: } 75: 76: include View::getView('header'); 77: require_once View::getView('useredit'); 78: include View::getView('footer');View::output(); 79:} 80: 81:if ($action=='update') { 82: $login = isset($_POST['username']) ? addslashes(trim($_POST['username'])) : '';
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 73: $ex4 = 'selected="selected"'; 74: } 75: 76: include View::getView('header'); 77: require_once View::getView('useredit'); 78: include View::getView('footer');View::output(); 79:} 80: 81:if ($action=='update') { 82: $login = isset($_POST['username']) ? addslashes(trim($_POST['username'])) : ''; 83: $nickname = isset($_POST['nickname']) ? addslashes(trim($_POST['nickname'])) : '';

.\admin\widgets.php

等级	函数	说明
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 26: } else { 27: $customWgTitle[$key] = $val; 28: } 29: } 30: 31: include View::getView('header'); 32: require_once View::getView('widgets'); 33: include View::getView('footer'); 34: View::output(); 35:} 36:
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 27: $customWgTitle[$key] = $val; 28: } 29: } 30: 31: include View::getView('header'); 32: require_once View::getView('widgets'); 33: include View::getView('footer'); 34: View::output(); 35:} 36: 37://修改组件设置
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 28: } 29: } 30: 31: include View::getView('header'); 32: require_once View::getView('widgets'); 33: include View::getView('footer'); 34: View::output(); 35:} 36: 37://修改组件设置 38:if ($action == 'setwg') {

.\admin\write_log.php

等级	函数	说明
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 15: $tags = $Tag_Model->getTag(); 16: 17: $localtime = time() + Option::get('timezone') * 3600; 18: $postDate = gmdate('Y-m-d H:i:s', $localtime); 19: 20: include View::getView('header'); 21: require_once View::getView('add_log'); 22: include View::getView('footer'); 23: View::output(); 24:} 25:
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 16: 17: $localtime = time() + Option::get('timezone') * 3600; 18: $postDate = gmdate('Y-m-d H:i:s', $localtime); 19: 20: include View::getView('header'); 21: require_once View::getView('add_log'); 22: include View::getView('footer'); 23: View::output(); 24:} 25: 26://显示编辑文章页面
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 17: $localtime = time() + Option::get('timezone') * 3600; 18: $postDate = gmdate('Y-m-d H:i:s', $localtime); 19: 20: include View::getView('header'); 21: require_once View::getView('add_log'); 22: include View::getView('footer'); 23: View::output(); 24:} 25: 26://显示编辑文章页面 27:if ($action == 'edit') {
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 46: 47: $is_top = $top == 'y' ? 'checked="checked"' : ''; 48: $is_sortop = $sortop == 'y' ? 'checked="checked"' : ''; 49: $is_allow_remark = $allow_remark == 'y' ? 'checked="checked"' : ''; 50: 51: include View::getView('header'); 52: require_once View::getView('edit_log'); 53: include View::getView('footer');View::output(); 54:} 55:
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 47: $is_top = $top == 'y' ? 'checked="checked"' : ''; 48: $is_sortop = $sortop == 'y' ? 'checked="checked"' : ''; 49: $is_allow_remark = $allow_remark == 'y' ? 'checked="checked"' : ''; 50: 51: include View::getView('header'); 52: require_once View::getView('edit_log'); 53: include View::getView('footer');View::output(); 54:} 55:
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 48: $is_sortop = $sortop == 'y' ? 'checked="checked"' : ''; 49: $is_allow_remark = $allow_remark == 'y' ? 'checked="checked"' : ''; 50: 51: include View::getView('header'); 52: require_once View::getView('edit_log'); 53: include View::getView('footer');View::output(); 54:} 55:

.\content\templates\default\echo_log.php

等级	函数	说明
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 15: <?php blog_comments($comments); ?> 16: <?php blog_comments_post($logid,$ckname,$ckmail,$ckurl,$verifyCode,$allow_remark); ?> 17: <div style="clear:both;"></div> 18:</div><!--end #contentleft--> 19:<?php 20: include View::getView('side'); 21: include View::getView('footer'); 22:?>
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 16: <?php blog_comments_post($logid,$ckname,$ckmail,$ckurl,$verifyCode,$allow_remark); ?> 17: <div style="clear:both;"></div> 18:</div><!--end #contentleft--> 19:<?php 20: include View::getView('side'); 21: include View::getView('footer'); 22:?>

.\content\templates\default\header.php

等级

函数

说明

danger

文件包含操作存在动态变量或函数，可能有远程代码执行的隐患

代码

6:Author:emlog
7:Author Url:http://www.emlog.net
8:Sidebar Amount:1
9:*/
10:if(!defined('EMLOG_ROOT')) {exit('error!');}
11:require_once View::getView('module');

12:?>
13:<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
14:<html xmlns="http://www.w3.org/1999/xhtml">
15:<head>
16:<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />

.\content\templates\default\log_list.php

等级	函数	说明
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 36: <?php echo $page_url;?> 37:</div> 38: 39:</div><!-- end #contentleft--> 40:<?php 41: include View::getView('side'); 42: include View::getView('footer'); 43:?>
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 37:</div> 38: 39:</div><!-- end #contentleft--> 40:<?php 41: include View::getView('side'); 42: include View::getView('footer'); 43:?>

.\content\templates\default\page.php

等级	函数	说明
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 11: <?php blog_comments($comments); ?> 12: <?php blog_comments_post($logid,$ckname,$ckmail,$ckurl,$verifyCode,$allow_remark); ?> 13: <div style="clear:both;"></div> 14:</div><!--end #contentleft--> 15:<?php 16: include View::getView('side'); 17: include View::getView('footer'); 18:?>
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 12: <?php blog_comments_post($logid,$ckname,$ckmail,$ckurl,$verifyCode,$allow_remark); ?> 13: <div style="clear:both;"></div> 14:</div><!--end #contentleft--> 15:<?php 16: include View::getView('side'); 17: include View::getView('footer'); 18:?>

.\content\templates\default\side.php

等级	函数	说明
danger	-	call_user_func第0个参数包含动态变量或函数，可能有远程代码执行的隐患
代码 15: if(strpos($val, 'custom_wg_') === 0) 16: { 17: $callback = 'widget_custom_text'; 18: if(function_exists($callback)) 19: { 20: call_user_func($callback, htmlspecialchars($custom_widget[$val]['title']), $custom_widget[$val]['content']); 21: } 22: }else{ 23: $callback = 'widget_'.$val; 24: if(function_exists($callback)) 25: {
danger	-	call_user_func第0个参数包含动态变量或函数，可能有远程代码执行的隐患
代码 23: $callback = 'widget_'.$val; 24: if(function_exists($callback)) 25: { 26: preg_match("/^.\s$(.)$/", $widget_title[$val], $matchs); 27: $wgTitle = isset($matchs[1]) ? $matchs[1] : $widget_title[$val]; 28: call_user_func($callback, htmlspecialchars($wgTitle)); 29: } 30: } 31:} 32:?> 33:<?php if (Option::get('rss_output_num')):?>

.\content\templates\default\t.php

等级	函数	说明
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 45: <li id="pagenavi"><?php echo $pageurl;?><span></span></li> 46: </ul> 47:</div><!--end #tw--> 48:</div><!--end #contentleft--> 49:<?php 50: include View::getView('side'); 51: include View::getView('footer'); 52:?>
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 46: </ul> 47:</div><!--end #tw--> 48:</div><!--end #contentleft--> 49:<?php 50: include View::getView('side'); 51: include View::getView('footer'); 52:?>

.\include\controller\author_controller.php

等级	函数	说明
danger	display	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 9: function display($params) { 10: $Log_Model = new Log_Model(); 11: $CACHE = Cache::getInstance(); 12: $options_cache = Option::getAll(); 13: extract($options_cache); 14: 15: $page = isset($params[4]) && $params[4] == 'page' ? abs(intval($params[5])) : 1; 16: $author = isset($params[1]) && $params[1] == 'author' ? intval($params[2]) : '' ; 17: 18: 19: $pageurl = ''; 20: 21: $user_cache = $CACHE->readCache('user'); 22: if (!isset($user_cache[$author])) { 23: show_404_page(); 24: } 25: 26: $author_name = $user_cache[$author]['name']; 27: //page meta 28: $site_title = $author_name . ' - ' . $site_title; 29: 30: $sqlSegment = "and author=$author order by date desc"; 31: $sta_cache = $CACHE->readCache('sta'); 32: $lognum = $sta_cache[$author]['lognum']; 33: 34: $total_pages = ceil($lognum / $index_lognum); 35: if ($page > $total_pages) { 36: $page = $total_pages; 37: } 38: $start_limit = ($page - 1) * $index_lognum; 39: $pageurl .= Url::author($author, 'page'); 40: 41: $Log_Model = new Log_Model(); 42: $logs = $Log_Model->getLogsForHome($sqlSegment, $page, $index_lognum); 43: $page_url = pagination($lognum, $index_lognum, $page, $pageurl); 44: 45: include View::getView('header'); 46: include View::getView('log_list'); 47: }
danger	display	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 9: function display($params) { 10: $Log_Model = new Log_Model(); 11: $CACHE = Cache::getInstance(); 12: $options_cache = Option::getAll(); 13: extract($options_cache); 14: 15: $page = isset($params[4]) && $params[4] == 'page' ? abs(intval($params[5])) : 1; 16: $author = isset($params[1]) && $params[1] == 'author' ? intval($params[2]) : '' ; 17: 18: 19: $pageurl = ''; 20: 21: $user_cache = $CACHE->readCache('user'); 22: if (!isset($user_cache[$author])) { 23: show_404_page(); 24: } 25: 26: $author_name = $user_cache[$author]['name']; 27: //page meta 28: $site_title = $author_name . ' - ' . $site_title; 29: 30: $sqlSegment = "and author=$author order by date desc"; 31: $sta_cache = $CACHE->readCache('sta'); 32: $lognum = $sta_cache[$author]['lognum']; 33: 34: $total_pages = ceil($lognum / $index_lognum); 35: if ($page > $total_pages) { 36: $page = $total_pages; 37: } 38: $start_limit = ($page - 1) * $index_lognum; 39: $pageurl .= Url::author($author, 'page'); 40: 41: $Log_Model = new Log_Model(); 42: $logs = $Log_Model->getLogsForHome($sqlSegment, $page, $index_lognum); 43: $page_url = pagination($lognum, $index_lognum, $page, $pageurl); 44: 45: include View::getView('header'); 46: include View::getView('log_list'); 47: }

.\include\controller\log_controller.php

等级	函数	说明
danger	display	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 9: function display($params) { 10: $Log_Model = new Log_Model(); 11: $CACHE = Cache::getInstance(); 12: 13: $options_cache = Option::getAll(); 14: extract($options_cache); 15: 16: $page = isset($params[1]) && $params[1] == 'page' ? abs(intval($params[2])) : 1; 17: 18: $pageurl = ''; 19: $sqlSegment ='ORDER BY top DESC ,date DESC'; 20: $sta_cache = $CACHE->readCache('sta'); 21: $lognum = $sta_cache['lognum']; 22: $pageurl .= Url::logPage(); 23: $total_pages = ceil($lognum / $index_lognum); 24: if ($page > $total_pages) { 25: $page = $total_pages; 26: } 27: $logs = $Log_Model->getLogsForHome($sqlSegment, $page, $index_lognum); 28: $page_url = pagination($lognum, $index_lognum, $page, $pageurl); 29: 30: include View::getView('header'); 31: include View::getView('log_list'); 32: }
danger	display	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 9: function display($params) { 10: $Log_Model = new Log_Model(); 11: $CACHE = Cache::getInstance(); 12: 13: $options_cache = Option::getAll(); 14: extract($options_cache); 15: 16: $page = isset($params[1]) && $params[1] == 'page' ? abs(intval($params[2])) : 1; 17: 18: $pageurl = ''; 19: $sqlSegment ='ORDER BY top DESC ,date DESC'; 20: $sta_cache = $CACHE->readCache('sta'); 21: $lognum = $sta_cache['lognum']; 22: $pageurl .= Url::logPage(); 23: $total_pages = ceil($lognum / $index_lognum); 24: if ($page > $total_pages) { 25: $page = $total_pages; 26: } 27: $logs = $Log_Model->getLogsForHome($sqlSegment, $page, $index_lognum); 28: $page_url = pagination($lognum, $index_lognum, $page, $pageurl); 29: 30: include View::getView('header'); 31: include View::getView('log_list'); 32: }
danger	displayContent	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 34: function displayContent($params) { 35: $comment_page = isset($params[4]) && $params[4] == 'comment-page' ? intval($params[5]) : 1; 36: 37: $Log_Model = new Log_Model(); 38: $CACHE = Cache::getInstance(); 39: 40: $options_cache = $CACHE->readCache('options'); 41: extract($options_cache); 42: 43: $logid = 0 ; 44: if (isset($params[1])) { 45: if ($params[1] == 'post') { 46: $logid = isset($params[2]) ? intval($params[2]) : 0; 47: } elseif (is_numeric($params[1])) { 48: $logid = intval($params[1]); 49: } else { 50: $logalias_cache = $CACHE->readCache('logalias'); 51: if (!empty($logalias_cache)) { 52: $alias = addslashes(urldecode(trim($params[1]))); 53: $logid = array_search($alias, $logalias_cache); 54: if (!$logid) { 55: show_404_page(); 56: } 57: } 58: } 59: } 60: 61: $Comment_Model = new Comment_Model(); 62: 63: $logData = $Log_Model->getOneLogForHome($logid); 64: if ($logData === false) { 65: show_404_page(); 66: } 67: extract($logData); 68: 69: if (!empty($password)) { 70: $postpwd = isset($_POST['logpwd']) ? addslashes(trim($_POST['logpwd'])) : ''; 71: $cookiepwd = isset($_COOKIE['em_logpwd_'.$logid]) ? addslashes(trim($_COOKIE['em_logpwd_'.$logid])) : ''; 72: $Log_Model->AuthPassword($postpwd, $cookiepwd, $password, $logid); 73: } 74: //meta 75: switch ($log_title_style) { 76: case '0': 77: $site_title = $log_title; 78: break; 79: case '1': 80: $site_title = $log_title . ' - ' . $blogname; 81: break; 82: case '2': 83: $site_title = $log_title . ' - ' . $site_title; 84: break; 85: } 86: $site_description = extractHtmlData($log_content, 90); 87: $log_cache_tags = $CACHE->readCache('logtags'); 88: if (!empty($log_cache_tags[$logid])) { 89: foreach ($log_cache_tags[$logid] as $value) { 90: $site_key .= ','.$value['tagname']; 91: } 92: } 93: //comments 94: $verifyCode = ISLOGIN == false && $comment_code == 'y' ? "<img src=\"".BLOG_URL."include/lib/checkcode.php\" align=\"absmiddle\" /><input name=\"imgcode\" type=\"text\" class=\"input\" size=\"5\" tabindex=\"5\" />" : ''; 95: $ckname = isset($_COOKIE['commentposter']) ? htmlspecialchars(stripslashes($_COOKIE['commentposter'])) : ''; 96: $ckmail = isset($_COOKIE['postermail']) ? htmlspecialchars($_COOKIE['postermail']) : ''; 97: $ckurl = isset($_COOKIE['posterurl']) ? htmlspecialchars($_COOKIE['posterurl']) : ''; 98: $comments = $Comment_Model->getComments(0, $logid, 'n', $comment_page); 99: 100: include View::getView('header'); 101: if ($type == 'blog') { 102: $Log_Model->updateViewCount($logid); 103: $neighborLog = $Log_Model->neighborLog($timestamp); 104: $tb = array();$tb_url = '';//兼容未删除引用模板 105: include View::getView('echo_log'); 106: }elseif ($type == 'page') { 107: $template = !empty($template) && file_exists(TEMPLATE_PATH . $template . '.php') ? $template : 'page'; 108: include View::getView($template); 109: } 110: }
danger	displayContent	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 34: function displayContent($params) { 35: $comment_page = isset($params[4]) && $params[4] == 'comment-page' ? intval($params[5]) : 1; 36: 37: $Log_Model = new Log_Model(); 38: $CACHE = Cache::getInstance(); 39: 40: $options_cache = $CACHE->readCache('options'); 41: extract($options_cache); 42: 43: $logid = 0 ; 44: if (isset($params[1])) { 45: if ($params[1] == 'post') { 46: $logid = isset($params[2]) ? intval($params[2]) : 0; 47: } elseif (is_numeric($params[1])) { 48: $logid = intval($params[1]); 49: } else { 50: $logalias_cache = $CACHE->readCache('logalias'); 51: if (!empty($logalias_cache)) { 52: $alias = addslashes(urldecode(trim($params[1]))); 53: $logid = array_search($alias, $logalias_cache); 54: if (!$logid) { 55: show_404_page(); 56: } 57: } 58: } 59: } 60: 61: $Comment_Model = new Comment_Model(); 62: 63: $logData = $Log_Model->getOneLogForHome($logid); 64: if ($logData === false) { 65: show_404_page(); 66: } 67: extract($logData); 68: 69: if (!empty($password)) { 70: $postpwd = isset($_POST['logpwd']) ? addslashes(trim($_POST['logpwd'])) : ''; 71: $cookiepwd = isset($_COOKIE['em_logpwd_'.$logid]) ? addslashes(trim($_COOKIE['em_logpwd_'.$logid])) : ''; 72: $Log_Model->AuthPassword($postpwd, $cookiepwd, $password, $logid); 73: } 74: //meta 75: switch ($log_title_style) { 76: case '0': 77: $site_title = $log_title; 78: break; 79: case '1': 80: $site_title = $log_title . ' - ' . $blogname; 81: break; 82: case '2': 83: $site_title = $log_title . ' - ' . $site_title; 84: break; 85: } 86: $site_description = extractHtmlData($log_content, 90); 87: $log_cache_tags = $CACHE->readCache('logtags'); 88: if (!empty($log_cache_tags[$logid])) { 89: foreach ($log_cache_tags[$logid] as $value) { 90: $site_key .= ','.$value['tagname']; 91: } 92: } 93: //comments 94: $verifyCode = ISLOGIN == false && $comment_code == 'y' ? "<img src=\"".BLOG_URL."include/lib/checkcode.php\" align=\"absmiddle\" /><input name=\"imgcode\" type=\"text\" class=\"input\" size=\"5\" tabindex=\"5\" />" : ''; 95: $ckname = isset($_COOKIE['commentposter']) ? htmlspecialchars(stripslashes($_COOKIE['commentposter'])) : ''; 96: $ckmail = isset($_COOKIE['postermail']) ? htmlspecialchars($_COOKIE['postermail']) : ''; 97: $ckurl = isset($_COOKIE['posterurl']) ? htmlspecialchars($_COOKIE['posterurl']) : ''; 98: $comments = $Comment_Model->getComments(0, $logid, 'n', $comment_page); 99: 100: include View::getView('header'); 101: if ($type == 'blog') { 102: $Log_Model->updateViewCount($logid); 103: $neighborLog = $Log_Model->neighborLog($timestamp); 104: $tb = array();$tb_url = '';//兼容未删除引用模板 105: include View::getView('echo_log'); 106: }elseif ($type == 'page') { 107: $template = !empty($template) && file_exists(TEMPLATE_PATH . $template . '.php') ? $template : 'page'; 108: include View::getView($template); 109: } 110: }
danger	displayContent	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 34: function displayContent($params) { 35: $comment_page = isset($params[4]) && $params[4] == 'comment-page' ? intval($params[5]) : 1; 36: 37: $Log_Model = new Log_Model(); 38: $CACHE = Cache::getInstance(); 39: 40: $options_cache = $CACHE->readCache('options'); 41: extract($options_cache); 42: 43: $logid = 0 ; 44: if (isset($params[1])) { 45: if ($params[1] == 'post') { 46: $logid = isset($params[2]) ? intval($params[2]) : 0; 47: } elseif (is_numeric($params[1])) { 48: $logid = intval($params[1]); 49: } else { 50: $logalias_cache = $CACHE->readCache('logalias'); 51: if (!empty($logalias_cache)) { 52: $alias = addslashes(urldecode(trim($params[1]))); 53: $logid = array_search($alias, $logalias_cache); 54: if (!$logid) { 55: show_404_page(); 56: } 57: } 58: } 59: } 60: 61: $Comment_Model = new Comment_Model(); 62: 63: $logData = $Log_Model->getOneLogForHome($logid); 64: if ($logData === false) { 65: show_404_page(); 66: } 67: extract($logData); 68: 69: if (!empty($password)) { 70: $postpwd = isset($_POST['logpwd']) ? addslashes(trim($_POST['logpwd'])) : ''; 71: $cookiepwd = isset($_COOKIE['em_logpwd_'.$logid]) ? addslashes(trim($_COOKIE['em_logpwd_'.$logid])) : ''; 72: $Log_Model->AuthPassword($postpwd, $cookiepwd, $password, $logid); 73: } 74: //meta 75: switch ($log_title_style) { 76: case '0': 77: $site_title = $log_title; 78: break; 79: case '1': 80: $site_title = $log_title . ' - ' . $blogname; 81: break; 82: case '2': 83: $site_title = $log_title . ' - ' . $site_title; 84: break; 85: } 86: $site_description = extractHtmlData($log_content, 90); 87: $log_cache_tags = $CACHE->readCache('logtags'); 88: if (!empty($log_cache_tags[$logid])) { 89: foreach ($log_cache_tags[$logid] as $value) { 90: $site_key .= ','.$value['tagname']; 91: } 92: } 93: //comments 94: $verifyCode = ISLOGIN == false && $comment_code == 'y' ? "<img src=\"".BLOG_URL."include/lib/checkcode.php\" align=\"absmiddle\" /><input name=\"imgcode\" type=\"text\" class=\"input\" size=\"5\" tabindex=\"5\" />" : ''; 95: $ckname = isset($_COOKIE['commentposter']) ? htmlspecialchars(stripslashes($_COOKIE['commentposter'])) : ''; 96: $ckmail = isset($_COOKIE['postermail']) ? htmlspecialchars($_COOKIE['postermail']) : ''; 97: $ckurl = isset($_COOKIE['posterurl']) ? htmlspecialchars($_COOKIE['posterurl']) : ''; 98: $comments = $Comment_Model->getComments(0, $logid, 'n', $comment_page); 99: 100: include View::getView('header'); 101: if ($type == 'blog') { 102: $Log_Model->updateViewCount($logid); 103: $neighborLog = $Log_Model->neighborLog($timestamp); 104: $tb = array();$tb_url = '';//兼容未删除引用模板 105: include View::getView('echo_log'); 106: }elseif ($type == 'page') { 107: $template = !empty($template) && file_exists(TEMPLATE_PATH . $template . '.php') ? $template : 'page'; 108: include View::getView($template); 109: } 110: }

.\include\controller\record_controller.php

等级	函数	说明
danger	display	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 9: function display($params) { 10: $Log_Model = new Log_Model(); 11: $options_cache = Option::getAll(); 12: extract($options_cache); 13: 14: $page = isset($params[4]) && $params[4] == 'page' ? abs(intval($params[5])) : 1; 15: $record = isset($params[1]) && $params[1] == 'record' ? intval($params[2]) : '' ; 16: 17: $GLOBALS['record'] = $record;//for sidebar calendar 18: 19: 20: $pageurl = ''; 21: 22: //page meta 23: $site_title = $record . ' - ' . $site_title; 24: 25: if (preg_match("/^([\d]{4})([\d]{2})$/", $record, $match)) { 26: $days = getMonthDayNum($match[2], $match[1]); 27: $record_stime = emStrtotime($record . '01'); 28: $record_etime = $record_stime + 3600 * 24 * $days; 29: } else { 30: $record_stime = emStrtotime($record); 31: $record_etime = $record_stime + 3600 * 24; 32: } 33: $sqlSegment = "and date>=$record_stime and date<$record_etime order by date desc"; 34: $lognum = $Log_Model->getLogNum('n', $sqlSegment); 35: 36: $total_pages = ceil($lognum / $index_lognum); 37: if ($page > $total_pages) { 38: $page = $total_pages; 39: } 40: $start_limit = ($page - 1) * $index_lognum; 41: 42: $pageurl .= Url::record($record, 'page'); 43: 44: $logs = $Log_Model->getLogsForHome($sqlSegment, $page, $index_lognum); 45: $page_url = pagination($lognum, $index_lognum, $page, $pageurl); 46: 47: include View::getView('header'); 48: include View::getView('log_list'); 49: }
danger	display	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 9: function display($params) { 10: $Log_Model = new Log_Model(); 11: $options_cache = Option::getAll(); 12: extract($options_cache); 13: 14: $page = isset($params[4]) && $params[4] == 'page' ? abs(intval($params[5])) : 1; 15: $record = isset($params[1]) && $params[1] == 'record' ? intval($params[2]) : '' ; 16: 17: $GLOBALS['record'] = $record;//for sidebar calendar 18: 19: 20: $pageurl = ''; 21: 22: //page meta 23: $site_title = $record . ' - ' . $site_title; 24: 25: if (preg_match("/^([\d]{4})([\d]{2})$/", $record, $match)) { 26: $days = getMonthDayNum($match[2], $match[1]); 27: $record_stime = emStrtotime($record . '01'); 28: $record_etime = $record_stime + 3600 * 24 * $days; 29: } else { 30: $record_stime = emStrtotime($record); 31: $record_etime = $record_stime + 3600 * 24; 32: } 33: $sqlSegment = "and date>=$record_stime and date<$record_etime order by date desc"; 34: $lognum = $Log_Model->getLogNum('n', $sqlSegment); 35: 36: $total_pages = ceil($lognum / $index_lognum); 37: if ($page > $total_pages) { 38: $page = $total_pages; 39: } 40: $start_limit = ($page - 1) * $index_lognum; 41: 42: $pageurl .= Url::record($record, 'page'); 43: 44: $logs = $Log_Model->getLogsForHome($sqlSegment, $page, $index_lognum); 45: $page_url = pagination($lognum, $index_lognum, $page, $pageurl); 46: 47: include View::getView('header'); 48: include View::getView('log_list'); 49: }

.\include\controller\search_controller.php

等级	函数	说明
danger	display	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 9: function display($params) { 10: $Log_Model = new Log_Model(); 11: $options_cache = Option::getAll(); 12: extract($options_cache); 13: 14: $page = isset($params[4]) && $params[4] == 'page' ? abs(intval($params[5])) : 1; 15: $keyword = isset($params[1]) && $params[1] == 'keyword' ? trim($params[2]) : ''; 16: $keyword = addslashes(htmlspecialchars(urldecode($keyword))); 17: $keyword = str_replace(array('%', '_'), array('\%', '\_'), $keyword); 18: 19: 20: $pageurl = ''; 21: 22: $sqlSegment = "and title like '%{$keyword}%' order by date desc"; 23: $lognum = $Log_Model->getLogNum('n', $sqlSegment); 24: $total_pages = ceil($lognum / $index_lognum); 25: if ($page > $total_pages) { 26: $page = $total_pages; 27: } 28: 29: $pageurl .= BLOG_URL.'?keyword='.urlencode($keyword).'&page='; 30: 31: $logs = $Log_Model->getLogsForHome($sqlSegment, $page, $index_lognum); 32: $page_url = pagination($lognum, $index_lognum, $page, $pageurl); 33: 34: include View::getView('header'); 35: include View::getView('log_list'); 36: }
danger	display	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 9: function display($params) { 10: $Log_Model = new Log_Model(); 11: $options_cache = Option::getAll(); 12: extract($options_cache); 13: 14: $page = isset($params[4]) && $params[4] == 'page' ? abs(intval($params[5])) : 1; 15: $keyword = isset($params[1]) && $params[1] == 'keyword' ? trim($params[2]) : ''; 16: $keyword = addslashes(htmlspecialchars(urldecode($keyword))); 17: $keyword = str_replace(array('%', '_'), array('\%', '\_'), $keyword); 18: 19: 20: $pageurl = ''; 21: 22: $sqlSegment = "and title like '%{$keyword}%' order by date desc"; 23: $lognum = $Log_Model->getLogNum('n', $sqlSegment); 24: $total_pages = ceil($lognum / $index_lognum); 25: if ($page > $total_pages) { 26: $page = $total_pages; 27: } 28: 29: $pageurl .= BLOG_URL.'?keyword='.urlencode($keyword).'&page='; 30: 31: $logs = $Log_Model->getLogsForHome($sqlSegment, $page, $index_lognum); 32: $page_url = pagination($lognum, $index_lognum, $page, $pageurl); 33: 34: include View::getView('header'); 35: include View::getView('log_list'); 36: }

.\include\controller\sort_controller.php

等级	函数	说明
danger	display	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 9: function display($params) { 10: $Log_Model = new Log_Model(); 11: $CACHE = Cache::getInstance(); 12: $options_cache = Option::getAll(); 13: extract($options_cache); 14: 15: $page = isset($params[4]) && $params[4] == 'page' ? abs(intval($params[5])) : 1; 16: 17: $sortid = ''; 18: if (!empty($params[2])) { 19: if (is_numeric($params[2])) { 20: $sortid = intval($params[2]); 21: } else { 22: $sort_cache = $CACHE->readCache('sort'); 23: foreach ($sort_cache as $key => $value) { 24: $alias = addslashes(urldecode(trim($params[2]))); 25: if (array_search($alias, $value, true)){ 26: $sortid = $key; 27: break; 28: } 29: } 30: } 31: } 32: 33: 34: $pageurl = ''; 35: 36: $sort_cache = $CACHE->readCache('sort'); 37: if (!isset($sort_cache[$sortid])) { 38: show_404_page(); 39: } 40: $sort = $sort_cache[$sortid]; 41: $sortName = $sort['sortname']; 42: //page meta 43: $site_title = $sortName . ' - ' . $site_title; 44: if (!empty($sort_cache[$sortid]['description'])) { 45: $site_description = $sort_cache[$sortid]['description']; 46: } 47: if ($sort['pid'] != 0 \|\| empty($sort['children'])) { 48: $sqlSegment = "and sortid=$sortid"; 49: } else { 50: $sortids = array_merge(array($sortid), $sort['children']); 51: $sqlSegment = "and sortid in (" . implode(',', $sortids) . ")"; 52: } 53: $sqlSegment .= " order by sortop desc, date desc"; 54: $lognum = $Log_Model->getLogNum('n', $sqlSegment); 55: $total_pages = ceil($lognum / $index_lognum); 56: if ($page > $total_pages) { 57: $page = $total_pages; 58: } 59: $pageurl .= Url::sort($sortid, 'page'); 60: 61: $logs = $Log_Model->getLogsForHome($sqlSegment, $page, $index_lognum); 62: $page_url = pagination($lognum, $index_lognum, $page, $pageurl); 63: 64: $template = !empty($sort['template']) && file_exists(TEMPLATE_PATH . $sort['template'] . '.php') ? $sort['template'] : 'log_list'; 65: 66: include View::getView('header'); 67: include View::getView($template); 68: }
danger	display	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 9: function display($params) { 10: $Log_Model = new Log_Model(); 11: $CACHE = Cache::getInstance(); 12: $options_cache = Option::getAll(); 13: extract($options_cache); 14: 15: $page = isset($params[4]) && $params[4] == 'page' ? abs(intval($params[5])) : 1; 16: 17: $sortid = ''; 18: if (!empty($params[2])) { 19: if (is_numeric($params[2])) { 20: $sortid = intval($params[2]); 21: } else { 22: $sort_cache = $CACHE->readCache('sort'); 23: foreach ($sort_cache as $key => $value) { 24: $alias = addslashes(urldecode(trim($params[2]))); 25: if (array_search($alias, $value, true)){ 26: $sortid = $key; 27: break; 28: } 29: } 30: } 31: } 32: 33: 34: $pageurl = ''; 35: 36: $sort_cache = $CACHE->readCache('sort'); 37: if (!isset($sort_cache[$sortid])) { 38: show_404_page(); 39: } 40: $sort = $sort_cache[$sortid]; 41: $sortName = $sort['sortname']; 42: //page meta 43: $site_title = $sortName . ' - ' . $site_title; 44: if (!empty($sort_cache[$sortid]['description'])) { 45: $site_description = $sort_cache[$sortid]['description']; 46: } 47: if ($sort['pid'] != 0 \|\| empty($sort['children'])) { 48: $sqlSegment = "and sortid=$sortid"; 49: } else { 50: $sortids = array_merge(array($sortid), $sort['children']); 51: $sqlSegment = "and sortid in (" . implode(',', $sortids) . ")"; 52: } 53: $sqlSegment .= " order by sortop desc, date desc"; 54: $lognum = $Log_Model->getLogNum('n', $sqlSegment); 55: $total_pages = ceil($lognum / $index_lognum); 56: if ($page > $total_pages) { 57: $page = $total_pages; 58: } 59: $pageurl .= Url::sort($sortid, 'page'); 60: 61: $logs = $Log_Model->getLogsForHome($sqlSegment, $page, $index_lognum); 62: $page_url = pagination($lognum, $index_lognum, $page, $pageurl); 63: 64: $template = !empty($sort['template']) && file_exists(TEMPLATE_PATH . $sort['template'] . '.php') ? $sort['template'] : 'log_list'; 65: 66: include View::getView('header'); 67: include View::getView($template); 68: }

.\include\controller\tag_controller.php

等级	函数	说明
danger	display	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 9: function display($params) { 10: $Log_Model = new Log_Model(); 11: $options_cache = Option::getAll(); 12: extract($options_cache); 13: 14: $page = isset($params[4]) && $params[4] == 'page' ? abs(intval($params[5])) : 1; 15: $tag = isset($params[1]) && $params[1] == 'tag' ? addslashes(urldecode(trim($params[2]))) : ''; 16: 17: 18: $pageurl = ''; 19: 20: //page meta 21: $site_title = stripslashes($tag) . ' - ' . $site_title; 22: 23: $Tag_Model = new Tag_Model(); 24: $blogIdStr = $Tag_Model->getTagByName($tag); 25: 26: if ($blogIdStr === false) { 27: show_404_page(); 28: } 29: $sqlSegment = "and gid IN ($blogIdStr) order by date desc"; 30: $lognum = $Log_Model->getLogNum('n', $sqlSegment); 31: $total_pages = ceil($lognum / $index_lognum); 32: if ($page > $total_pages) { 33: $page = $total_pages; 34: } 35: $pageurl .= Url::tag(urlencode($tag), 'page'); 36: 37: $logs = $Log_Model->getLogsForHome($sqlSegment, $page, $index_lognum); 38: $page_url = pagination($lognum, $index_lognum, $page, $pageurl); 39: 40: include View::getView('header'); 41: include View::getView('log_list'); 42: }
danger	display	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 9: function display($params) { 10: $Log_Model = new Log_Model(); 11: $options_cache = Option::getAll(); 12: extract($options_cache); 13: 14: $page = isset($params[4]) && $params[4] == 'page' ? abs(intval($params[5])) : 1; 15: $tag = isset($params[1]) && $params[1] == 'tag' ? addslashes(urldecode(trim($params[2]))) : ''; 16: 17: 18: $pageurl = ''; 19: 20: //page meta 21: $site_title = stripslashes($tag) . ' - ' . $site_title; 22: 23: $Tag_Model = new Tag_Model(); 24: $blogIdStr = $Tag_Model->getTagByName($tag); 25: 26: if ($blogIdStr === false) { 27: show_404_page(); 28: } 29: $sqlSegment = "and gid IN ($blogIdStr) order by date desc"; 30: $lognum = $Log_Model->getLogNum('n', $sqlSegment); 31: $total_pages = ceil($lognum / $index_lognum); 32: if ($page > $total_pages) { 33: $page = $total_pages; 34: } 35: $pageurl .= Url::tag(urlencode($tag), 'page'); 36: 37: $logs = $Log_Model->getLogsForHome($sqlSegment, $page, $index_lognum); 38: $page_url = pagination($lognum, $index_lognum, $page, $pageurl); 39: 40: include View::getView('header'); 41: include View::getView('log_list'); 42: }

.\include\lib\cache.php

等级	函数	说明
danger	updateCache	call_user_func第0个参数包含动态变量或函数，可能有远程代码执行的隐患
代码 49: function updateCache($cacheMethodName = null) { 50: // 更新单个缓存 51: if (is_string($cacheMethodName)) { 52: if (method_exists($this, 'mc_' . $cacheMethodName)) { 53: call_user_func(array($this, 'mc_' . $cacheMethodName)); 54: } 55: return; 56: } 57: // 更新多个缓存 58: if (is_array($cacheMethodName)) { 59: foreach ($cacheMethodName as $name) { 60: if (method_exists($this, 'mc_' . $name)) { 61: call_user_func(array($this, 'mc_' . $name)); 62: } 63: } 64: return; 65: } 66: // 更新全部缓存 67: if ($cacheMethodName == null) { 68: // 自动运行本类所有更新缓存的方法(此类方法的名称必须由mc_开头) 69: $cacheMethodNames = get_class_methods($this); 70: foreach ($cacheMethodNames as $method) { 71: if (preg_match('/^mc_/', $method)) { 72: call_user_func(array($this, $method)); 73: } 74: } 75: } 76: }
danger	updateCache	call_user_func第0个参数包含动态变量或函数，可能有远程代码执行的隐患
代码 49: function updateCache($cacheMethodName = null) { 50: // 更新单个缓存 51: if (is_string($cacheMethodName)) { 52: if (method_exists($this, 'mc_' . $cacheMethodName)) { 53: call_user_func(array($this, 'mc_' . $cacheMethodName)); 54: } 55: return; 56: } 57: // 更新多个缓存 58: if (is_array($cacheMethodName)) { 59: foreach ($cacheMethodName as $name) { 60: if (method_exists($this, 'mc_' . $name)) { 61: call_user_func(array($this, 'mc_' . $name)); 62: } 63: } 64: return; 65: } 66: // 更新全部缓存 67: if ($cacheMethodName == null) { 68: // 自动运行本类所有更新缓存的方法(此类方法的名称必须由mc_开头) 69: $cacheMethodNames = get_class_methods($this); 70: foreach ($cacheMethodNames as $method) { 71: if (preg_match('/^mc_/', $method)) { 72: call_user_func(array($this, $method)); 73: } 74: } 75: } 76: }
danger	updateCache	call_user_func第0个参数包含动态变量或函数，可能有远程代码执行的隐患
代码 49: function updateCache($cacheMethodName = null) { 50: // 更新单个缓存 51: if (is_string($cacheMethodName)) { 52: if (method_exists($this, 'mc_' . $cacheMethodName)) { 53: call_user_func(array($this, 'mc_' . $cacheMethodName)); 54: } 55: return; 56: } 57: // 更新多个缓存 58: if (is_array($cacheMethodName)) { 59: foreach ($cacheMethodName as $name) { 60: if (method_exists($this, 'mc_' . $name)) { 61: call_user_func(array($this, 'mc_' . $name)); 62: } 63: } 64: return; 65: } 66: // 更新全部缓存 67: if ($cacheMethodName == null) { 68: // 自动运行本类所有更新缓存的方法(此类方法的名称必须由mc_开头) 69: $cacheMethodNames = get_class_methods($this); 70: foreach ($cacheMethodNames as $method) { 71: if (preg_match('/^mc_/', $method)) { 72: call_user_func(array($this, $method)); 73: } 74: } 75: } 76: }
danger	readCache	call_user_func第0个参数包含动态变量或函数，可能有远程代码执行的隐患
代码 519: function readCache($cacheName) { 520: if ($this->{$cacheName.'_cache'} != null) { 521: return $this->{$cacheName.'_cache'}; 522: } else { 523: $cachefile = EMLOG_ROOT . '/content/cache/' . $cacheName . '.php'; 524: // 如果缓存文件不存在则自动生成缓存文件 525: if (!is_file($cachefile) \|\| filesize($cachefile) <= 0) { 526: if (method_exists($this, 'mc_' . $cacheName)) { 527: call_user_func(array($this, 'mc_' . $cacheName)); 528: } 529: } 530: if ($fp = fopen($cachefile, 'r')) { 531: $data = fread($fp, filesize($cachefile)); 532: fclose($fp); 533: clearstatcache(); 534: $this->{$cacheName.'_cache'} = unserialize(str_replace("<?php exit;//", '', $data)); 535: return $this->{$cacheName.'_cache'}; 536: } 537: } 538: }

.\include\lib\dispatcher.php

等级	函数	说明
warning	dispatch	动态创建类对象，可能存在远程代码执行的隐患
代码 74: public function dispatch(){ 75: $module = new $this->_model(); 76: $method = $this->_method; 77: $module->$method($this->_params); 78: }
danger	dispatch	动态调用方法，可能存在远程代码执行的隐患
代码 74: public function dispatch(){ 75: $module = new $this->_model(); 76: $method = $this->_method; 77: $module->$method($this->_params); 78: }

.\include\lib\function.base.php

等级	函数	说明
danger	extractHtmlData	preg_replace第一个参数不是静态字符串，可能存在远程代码执行的隐患
代码 176:function extractHtmlData($data, $len) { 177: $data = strip_tags(subString($data, 0, $len + 30)); 178: $search = array("/([\r\n])[\s]+/", // 去掉空白字符 179: "/&(quot\|#34);/i", // 替换 HTML 实体 180: "/&(amp\|#38);/i", 181: "/&(lt\|#60);/i", 182: "/&(gt\|#62);/i", 183: "/&(nbsp\|#160);/i", 184: "/&(iexcl\|#161);/i", 185: "/&(cent\|#162);/i", 186: "/&(pound\|#163);/i", 187: "/&(copy\|#169);/i", 188: "/\"/i", 189: ); 190: $replace = array(" ", "\"", "&", " ", " ", "", chr(161), chr(162), chr(163), chr(169), ""); 191: $data = trim(subString(preg_replace($search, $replace, $data), 0, $len)); 192: return $data; 193:}
danger	doAction	call_user_func_array第0个参数包含动态变量或函数，可能有远程代码执行的隐患
代码 272:function doAction($hook) { 273: global $emHooks; 274: $args = array_slice(func_get_args(), 1); 275: if (isset($emHooks[$hook])) { 276: foreach ($emHooks[$hook] as $function) { 277: $string = call_user_func_array($function, $args); 278: } 279: } 280:}
danger	show_404_page	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 926:function show_404_page() { 927: if (is_file(TEMPLATE_PATH . '404.php')) { 928: header("HTTP/1.1 404 Not Found"); 929: include View::getView('404'); 930: exit; 931: } else { 932: emMsg('404', BLOG_URL); 933: } 934:}
danger	hash_hmac	动态调用函数，可能存在远程代码执行的隐患
代码 962: function hash_hmac($algo, $data, $key) { 963: $packs = array('md5' => 'H32', 'sha1' => 'H40'); 964: 965: if (!isset($packs[$algo])) { 966: return false; 967: } 968: 969: $pack = $packs[$algo]; 970: 971: if (strlen($key) > 64) { 972: $key = pack($pack, $algo($key)); 973: } elseif (strlen($key) < 64) { 974: $key = str_pad($key, 64, chr(0)); 975: } 976: 977: $ipad = (substr($key, 0, 64) ^ str_repeat(chr(0x36), 64)); 978: $opad = (substr($key, 0, 64) ^ str_repeat(chr(0x5C), 64)); 979: 980: return $algo($opad . pack($pack, $algo($ipad . $data))); 981: }
danger	hash_hmac	动态调用函数，可能存在远程代码执行的隐患
代码 962: function hash_hmac($algo, $data, $key) { 963: $packs = array('md5' => 'H32', 'sha1' => 'H40'); 964: 965: if (!isset($packs[$algo])) { 966: return false; 967: } 968: 969: $pack = $packs[$algo]; 970: 971: if (strlen($key) > 64) { 972: $key = pack($pack, $algo($key)); 973: } elseif (strlen($key) < 64) { 974: $key = str_pad($key, 64, chr(0)); 975: } 976: 977: $ipad = (substr($key, 0, 64) ^ str_repeat(chr(0x36), 64)); 978: $opad = (substr($key, 0, 64) ^ str_repeat(chr(0x5C), 64)); 979: 980: return $algo($opad . pack($pack, $algo($ipad . $data))); 981: }
danger	hash_hmac	动态调用函数，可能存在远程代码执行的隐患
代码 962: function hash_hmac($algo, $data, $key) { 963: $packs = array('md5' => 'H32', 'sha1' => 'H40'); 964: 965: if (!isset($packs[$algo])) { 966: return false; 967: } 968: 969: $pack = $packs[$algo]; 970: 971: if (strlen($key) > 64) { 972: $key = pack($pack, $algo($key)); 973: } elseif (strlen($key) < 64) { 974: $key = str_pad($key, 64, chr(0)); 975: } 976: 977: $ipad = (substr($key, 0, 64) ^ str_repeat(chr(0x36), 64)); 978: $opad = (substr($key, 0, 64) ^ str_repeat(chr(0x5C), 64)); 979: 980: return $algo($opad . pack($pack, $algo($ipad . $data))); 981: }

.\include\lib\loginauth.php

等级	函数	说明
danger	loginPage	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 68: public static function loginPage($errorCode = NULL) { 69: Option::get('login_code') == 'y' ? 70: $ckcode = "<span>验证码</span> 71: <div class=\"val\"><input name=\"imgcode\" id=\"imgcode\" type=\"text\" /> 72: <img src=\"../include/lib/checkcode.php\" align=\"absmiddle\"></div>" : 73: $ckcode = ''; 74: $error_msg = ''; 75: if ($errorCode) { 76: switch ($errorCode) { 77: case self::LOGIN_ERROR_AUTHCODE: 78: $error_msg = '验证错误，请重新输入'; 79: break; 80: case self::LOGIN_ERROR_USER: 81: $error_msg = '用户名错误，请重新输入'; 82: break; 83: case self::LOGIN_ERROR_PASSWD: 84: $error_msg = '密码错误，请重新输入'; 85: break; 86: } 87: } 88: require_once View::getView('login'); 89: View::output(); 90: }

等级

函数

说明

danger

loginPage

文件包含操作存在动态变量或函数，可能有远程代码执行的隐患

代码

68:    public static function loginPage($errorCode = NULL) {
69:        Option::get('login_code') == 'y' ?
70:        $ckcode = "<span>验证码</span>
71:        <div class=\"val\"><input name=\"imgcode\" id=\"imgcode\" type=\"text\" />
72:        <img src=\"../include/lib/checkcode.php\" align=\"absmiddle\"></div>" :
73:        $ckcode = '';
74:        $error_msg = '';
75:        if ($errorCode) {
76:            switch ($errorCode) {
77:                case self::LOGIN_ERROR_AUTHCODE:
78:                    $error_msg = '验证错误，请重新输入';
79:                    break;
80:                case self::LOGIN_ERROR_USER:
81:                    $error_msg = '用户名错误，请重新输入';
82:                    break;
83:                case self::LOGIN_ERROR_PASSWD:
84:                    $error_msg = '密码错误，请重新输入';
85:                    break;
86:            }
87:        }
88:        require_once View::getView('login');

89:        View::output();
90:    }

.\include\model\plugin_model.php

等级	函数	说明
danger	activePlugin	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 19: function activePlugin($plugin) { 20: $active_plugins = Option::get('active_plugins'); 21: 22: $ret = false; 23: 24: if (in_array($plugin, $active_plugins)) { 25: $ret = true; 26: } elseif(true === checkPlugin($plugin)) { 27: $active_plugins[] = $plugin; 28: $active_plugins = serialize($active_plugins); 29: Option::updateOption('active_plugins', $active_plugins); 30: $ret = true; 31: } else { 32: $ret = false; 33: } 34: 35: //run init callback functions 36: $r = explode('/', $plugin, 2); 37: $plugin = $r[0]; 38: $callback_file = "../content/plugins/$plugin/{$plugin}_callback.php"; 39: if (true === $ret && file_exists($callback_file)) { 40: require_once $callback_file; 41: if (function_exists('callback_init')) { 42: callback_init(); 43: } 44: } 45: return $ret; 46: }
danger	inactivePlugin	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 51: function inactivePlugin($plugin) { 52: $active_plugins = Option::get('active_plugins'); 53: if (in_array($plugin, $active_plugins)) { 54: $key = array_search($plugin, $active_plugins); 55: unset($active_plugins[$key]); 56: } else { 57: return; 58: } 59: $active_plugins = serialize($active_plugins); 60: Option::updateOption('active_plugins', $active_plugins); 61: 62: //run remove callback functions 63: $r = explode('/', $plugin, 2); 64: $plugin = $r[0]; 65: $callback_file = "../content/plugins/$plugin/{$plugin}_callback.php"; 66: if (file_exists($callback_file)) { 67: require_once $callback_file; 68: if (function_exists('callback_rm')) { 69: callback_rm(); 70: } 71: } 72: }

.\init.php

等级

函数

说明

danger

文件包含操作存在动态变量或函数，可能有远程代码执行的隐患

代码

43:$active_plugins = Option::get('active_plugins');
44:$emHooks = array();
45:if ($active_plugins && is_array($active_plugins)) {
46:	foreach($active_plugins as $plugin) {
47:		if(true === checkPlugin($plugin)) {
48:			include_once(EMLOG_ROOT . '/content/plugins/' . $plugin);

49:		}
50:	}
51:}
52:

.\m\index.php

等级	函数	说明
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 32: $lognum = $sta_cache['lognum']; 33: $pageurl = './?page='; 34: $logs = $Log_Model->getLogsForHome ($sqlSegment, $page, $index_lognum); 35: $page_url = pagination($lognum, $index_lognum, $page, $pageurl); 36: 37: include View::getView('header'); 38: include View::getView('log'); 39: include View::getView('footer'); 40: View::output(); 41:} 42:// 文章
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 33: $pageurl = './?page='; 34: $logs = $Log_Model->getLogsForHome ($sqlSegment, $page, $index_lognum); 35: $page_url = pagination($lognum, $index_lognum, $page, $pageurl); 36: 37: include View::getView('header'); 38: include View::getView('log'); 39: include View::getView('footer'); 40: View::output(); 41:} 42:// 文章 43:if (!empty ($logid)) {
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 34: $logs = $Log_Model->getLogsForHome ($sqlSegment, $page, $index_lognum); 35: $page_url = pagination($lognum, $index_lognum, $page, $pageurl); 36: 37: include View::getView('header'); 38: include View::getView('log'); 39: include View::getView('footer'); 40: View::output(); 41:} 42:// 文章 43:if (!empty ($logid)) { 44: $Log_Model = new Log_Model();
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 61: $verifyCode = ISLOGIN == false && Option::get('comment_code') == 'y' ? "<img src=\"../include/lib/checkcode.php\" /><br /><input name=\"imgcode\" type=\"text\" />" : ''; 62: $comments = $Comment_Model->getComments(2, $logid, 'n', $commentPage); 63: extract($comments); 64: 65: $Log_Model->updateViewCount($logid); 66: include View::getView('header'); 67: include View::getView('single'); 68: include View::getView('footer'); 69: View::output(); 70:} 71:if (ISLOGIN === true && $action == 'write') {
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 62: $comments = $Comment_Model->getComments(2, $logid, 'n', $commentPage); 63: extract($comments); 64: 65: $Log_Model->updateViewCount($logid); 66: include View::getView('header'); 67: include View::getView('single'); 68: include View::getView('footer'); 69: View::output(); 70:} 71:if (ISLOGIN === true && $action == 'write') { 72: $logid = isset($_GET['id']) ? intval($_GET['id']) : '';
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 63: extract($comments); 64: 65: $Log_Model->updateViewCount($logid); 66: include View::getView('header'); 67: include View::getView('single'); 68: include View::getView('footer'); 69: View::output(); 70:} 71:if (ISLOGIN === true && $action == 'write') { 72: $logid = isset($_GET['id']) ? intval($_GET['id']) : ''; 73: $Sort_Model = new Sort_Model();
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 91: $tagStr = ''; 92: $logid = -1; 93: $author = UID; 94: $date = ''; 95: } 96: include View::getView('header'); 97: include View::getView('write'); 98: include View::getView('footer'); 99: View::output(); 100:} 101:if (ISLOGIN === true && $action == 'savelog') {
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 92: $logid = -1; 93: $author = UID; 94: $date = ''; 95: } 96: include View::getView('header'); 97: include View::getView('write'); 98: include View::getView('footer'); 99: View::output(); 100:} 101:if (ISLOGIN === true && $action == 'savelog') { 102: $Log_Model = new Log_Model();
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 93: $author = UID; 94: $date = ''; 95: } 96: include View::getView('header'); 97: include View::getView('write'); 98: include View::getView('footer'); 99: View::output(); 100:} 101:if (ISLOGIN === true && $action == 'savelog') { 102: $Log_Model = new Log_Model(); 103: $Tag_Model = new Tag_Model();
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 232: if(!$commentArray) { 233: mMsg('参数错误', './'); 234: } 235: extract($commentArray); 236: $verifyCode = ISLOGIN == false && Option::get('comment_code') == 'y' ? "<img src=\"../include/lib/checkcode.php\" /><br /><input name=\"imgcode\" type=\"text\" />" : ''; 237: include View::getView('header'); 238: include View::getView('reply'); 239: include View::getView('footer'); 240: View::output(); 241:} 242:// 微语
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 233: mMsg('参数错误', './'); 234: } 235: extract($commentArray); 236: $verifyCode = ISLOGIN == false && Option::get('comment_code') == 'y' ? "<img src=\"../include/lib/checkcode.php\" /><br /><input name=\"imgcode\" type=\"text\" />" : ''; 237: include View::getView('header'); 238: include View::getView('reply'); 239: include View::getView('footer'); 240: View::output(); 241:} 242:// 微语 243:if ($action == 'tw' && Option::get('istwitter') == 'y') {
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 234: } 235: extract($commentArray); 236: $verifyCode = ISLOGIN == false && Option::get('comment_code') == 'y' ? "<img src=\"../include/lib/checkcode.php\" /><br /><input name=\"imgcode\" type=\"text\" />" : ''; 237: include View::getView('header'); 238: include View::getView('reply'); 239: include View::getView('footer'); 240: View::output(); 241:} 242:// 微语 243:if ($action == 'tw' && Option::get('istwitter') == 'y') { 244: $Twitter_Model = new Twitter_Model();
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 246: $tws = $Twitter_Model->getTwitters($page); 247: $twnum = $Twitter_Model->getTwitterNum(); 248: $pageurl = pagination($twnum, Option::get('index_twnum'), $page, './?action=tw&page='); 249: $site_title = '微语'; 250: 251: include View::getView('header'); 252: include View::getView('twitter'); 253: include View::getView('footer'); 254: View::output(); 255:} 256:if (ROLE === ROLE_ADMIN && $action == 't') {
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 247: $twnum = $Twitter_Model->getTwitterNum(); 248: $pageurl = pagination($twnum, Option::get('index_twnum'), $page, './?action=tw&page='); 249: $site_title = '微语'; 250: 251: include View::getView('header'); 252: include View::getView('twitter'); 253: include View::getView('footer'); 254: View::output(); 255:} 256:if (ROLE === ROLE_ADMIN && $action == 't') { 257: LoginAuth::checkToken();
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 248: $pageurl = pagination($twnum, Option::get('index_twnum'), $page, './?action=tw&page='); 249: $site_title = '微语'; 250: 251: include View::getView('header'); 252: include View::getView('twitter'); 253: include View::getView('footer'); 254: View::output(); 255:} 256:if (ROLE === ROLE_ADMIN && $action == 't') { 257: LoginAuth::checkToken(); 258: $Twitter_Model = new Twitter_Model();
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 304:if ($action == 'login') { 305: Option::get('login_code') == 'y' ? $ckcode = "<span>验证码</span> 306: <div class=\"val\"><img src=\"../include/lib/checkcode.php\" /><br /> 307: <input name=\"imgcode\" id=\"imgcode\" type=\"text\" /> 308: </div>" : $ckcode = ''; 309: include View::getView('header'); 310: include View::getView('login'); 311: include View::getView('footer'); 312: View::output(); 313:} 314:if ($action == 'auth') {
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 305: Option::get('login_code') == 'y' ? $ckcode = "<span>验证码</span> 306: <div class=\"val\"><img src=\"../include/lib/checkcode.php\" /><br /> 307: <input name=\"imgcode\" id=\"imgcode\" type=\"text\" /> 308: </div>" : $ckcode = ''; 309: include View::getView('header'); 310: include View::getView('login'); 311: include View::getView('footer'); 312: View::output(); 313:} 314:if ($action == 'auth') { 315: session_start();
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 306: <div class=\"val\"><img src=\"../include/lib/checkcode.php\" /><br /> 307: <input name=\"imgcode\" id=\"imgcode\" type=\"text\" /> 308: </div>" : $ckcode = ''; 309: include View::getView('header'); 310: include View::getView('login'); 311: include View::getView('footer'); 312: View::output(); 313:} 314:if ($action == 'auth') { 315: session_start(); 316: $username = addslashes(trim($_POST['user']));
danger	mMsg	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 331:function mMsg($msg, $url) { 332: include View::getView('header'); 333: include View::getView('msg'); 334: include View::getView('footer'); 335: View::output(); 336:}
danger	mMsg	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 331:function mMsg($msg, $url) { 332: include View::getView('header'); 333: include View::getView('msg'); 334: include View::getView('footer'); 335: View::output(); 336:}
danger	mMsg	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 331:function mMsg($msg, $url) { 332: include View::getView('header'); 333: include View::getView('msg'); 334: include View::getView('footer'); 335: View::output(); 336:}
danger	authPassword	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 337:function authPassword($postPwd, $cookiePwd, $logPwd, $logid) { 338: $pwd = $cookiePwd ? $cookiePwd : $postPwd; 339: if ($pwd !== addslashes($logPwd)) { 340: include View::getView('header'); 341: include View::getView('logauth'); 342: include View::getView('footer'); 343: if ($cookiePwd) { 344: setcookie('em_logpwd_' . $logid, ' ', time() - 31536000); 345: } 346: View::output(); 347: }else { 348: setcookie('em_logpwd_' . $logid, $logPwd); 349: } 350:}
danger	authPassword	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 337:function authPassword($postPwd, $cookiePwd, $logPwd, $logid) { 338: $pwd = $cookiePwd ? $cookiePwd : $postPwd; 339: if ($pwd !== addslashes($logPwd)) { 340: include View::getView('header'); 341: include View::getView('logauth'); 342: include View::getView('footer'); 343: if ($cookiePwd) { 344: setcookie('em_logpwd_' . $logid, ' ', time() - 31536000); 345: } 346: View::output(); 347: }else { 348: setcookie('em_logpwd_' . $logid, $logPwd); 349: } 350:}
danger	authPassword	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 337:function authPassword($postPwd, $cookiePwd, $logPwd, $logid) { 338: $pwd = $cookiePwd ? $cookiePwd : $postPwd; 339: if ($pwd !== addslashes($logPwd)) { 340: include View::getView('header'); 341: include View::getView('logauth'); 342: include View::getView('footer'); 343: if ($cookiePwd) { 344: setcookie('em_logpwd_' . $logid, ' ', time() - 31536000); 345: } 346: View::output(); 347: }else { 348: setcookie('em_logpwd_' . $logid, $logPwd); 349: } 350:}

.\t\index.php

等级	函数	说明
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 33: $avatar = empty($user_cache[UID]['avatar']) ? '../admin/views/images/avatar.jpg' : '../' . $user_cache[UID]['avatar']; 34: $rcode = Option::get('reply_code') == 'y' ? "<img src=\"".DYNAMIC_BLOGURL."?action=ckcode&mode=t\" />" : ''; 35: 36: $site_title = $Navi_Model->getNaviNameByType(Navi_Model::navitype_t) . ' - ' . $site_title; 37: 38: include View::getView('header'); 39: require_once View::getView('t'); 40: View::output(); 41:} 42: 43:// 获取回复
danger	-	文件包含操作存在动态变量或函数，可能有远程代码执行的隐患
代码 34: $rcode = Option::get('reply_code') == 'y' ? "<img src=\"".DYNAMIC_BLOGURL."?action=ckcode&mode=t\" />" : ''; 35: 36: $site_title = $Navi_Model->getNaviNameByType(Navi_Model::navitype_t) . ' - ' . $site_title; 37: 38: include View::getView('header'); 39: require_once View::getView('t'); 40: View::output(); 41:} 42: 43:// 获取回复 44:if ($action == 'getr') {

.\xmlrpc.php

等级	函数	说明
danger	-	preg_replace第一个参数不是静态字符串，可能存在远程代码执行的隐患
代码 63:$data = $HTTP_RAW_POST_DATA; 64: 65:$current_tag_contents = $current_tag = $message_type = $method_name = null; 66:$array_structs_types = $array_structs = $current_struct_name_array = $params = array(); 67: 68:$data = preg_replace('/<\?xml.*?\?' . '>/', '', $data); 69:if (trim($data) == '') { 70: error_message(500, '错误:提交数据内容为空'); 71:} 72:// 兼容php libxml模块2.7.0-2.7.3版本解析xml丢失html标签括号的bug 73:if (in_array(LIBXML_DOTTED_VERSION, array('2.7.0', '2.7.1', '2.7.2', '2.7.3'))) {
danger	-	call_user_func第0个参数包含动态变量或函数，可能有远程代码执行的隐患
代码 82: die; 83:} 84:xml_parser_free($parser); 85:if (!array_key_exists($method_name, $api_methods)) die('unknow request'); 86: 87:call_user_func($api_methods[$method_name], $params); 88: 89:/** 90: * 读取站点信息 91: */ 92:function blogger_getUsersBlogs() {