In punbb-1.2.12 search.php, line 54:

if (isset($search_id)) unset($search_id);

// If a search_id was supplied
if (isset($_GET['search_id']))
{
    $search_id = intval($_GET['search_id']);
    if ($search_id < 1)
        message($lang_common['Bad request']);
}

// ......
// something with no effect here
// ......
// ......
// and in line 100:

if (isset($search_id))
{
    $ident = ($pun_user['is_guest']) ? get_remote_address() : $pun_user['username'];

    $result = $db->query('SELECT search_data FROM '.$db->prefix.'search_cache WHERE id='.$search_id.' AND ident=\''.$db->escape($ident).'\'') or error('Unable to fetch search results', __FILE__, __LINE__, $db->error());
Can you guys realize something?
Yes, you are right.
We can use $_POST['search_id'] with the Zend_Hash_Del_Key_Or_Index vulnerability to exploit it!
But in fact, in common.php line 39:

// Reverse the effect of register_globals
if (@ini_get('register_globals'))
    unregister_globals();

I hate punbb....
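As an added example (not PunBB's own code, and not from the poster), here is the same search_id handling written so that it does not depend on register_globals being reversed or on unset() succeeding: the variable is always assigned from the one validated input, and the lookup is gated on the validated value rather than on whether a variable named $search_id happens to exist. $db, $pun_user, $lang_common, message(), error() and get_remote_address() are assumed to be the PunBB globals and helpers seen in the listing above.

```php
<?php
// Added example, not PunBB's code. $db, $pun_user, $lang_common, message(),
// error() and get_remote_address() are assumed to be PunBB's, as above.

// 1. Always assign from the one input you intend to accept. An assignment
//    always overwrites whatever was in $search_id before, so there is no
//    isset($search_id) guard left for a stray request variable (from
//    register_globals or any other source) to satisfy, and nothing that
//    relies on an earlier unset() having worked.
$search_id = 0;
if (isset($_GET['search_id']))
{
    $search_id = intval($_GET['search_id']);
    if ($search_id < 1)
        message($lang_common['Bad request']);   // message() terminates the request
}

// 2. Gate the lookup on the validated value, not on variable existence.
if ($search_id > 0)
{
    $ident = ($pun_user['is_guest']) ? get_remote_address() : $pun_user['username'];

    // $search_id is a known positive integer here, so interpolating it is
    // safe; ident is still escaped exactly as in the original.
    $result = $db->query('SELECT search_data FROM '.$db->prefix.'search_cache WHERE id='.$search_id.' AND ident=\''.$db->escape($ident).'\'')
        or error('Unable to fetch search results', __FILE__, __LINE__, $db->error());
}
```

The difference from the original is only the initial `$search_id = 0;` and the `> 0` test, but together they remove the dependency on register_globals being off and on unset() behaving, which is what the post's whole attack idea hinged on.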