After a member has logged in, he can change his profile information, such as avatar and nickname. This is handled in the file application\api\controller\User.php, in the function profile:
public function profile()
{
    $user = $this->auth->getUser();
    // Every field is taken directly from the request, without validation.
    $username = $this->request->request('username');
    $nickname = $this->request->request('nickname');
    $bio = $this->request->request('bio');
    $avatar = $this->request->request('avatar');
    // The only check is that the username is not already used by another member.
    $exists = \app\common\model\User::where('username', $username)->where('id', '<>', $this->auth->id)->find();
    if ($exists)
    {
        $this->error(__('Username already exists'));
    }
    // The raw values, including the avatar, are stored as-is.
    $user->username = $username;
    $user->nickname = $nickname;
    $user->bio = $bio;
    $user->avatar = $avatar;
    $user->save();
    $this->success();
}
There are no restrictions on these fields: the avatar value in particular is copied from the request into the database unchanged, so the member fully controls it.
The member then goes to the URL 'http://yoursite/public/index/user/profile.html' and submits a crafted avatar value.
After the administrator has logged in, double-clicking the member's avatar in the user list,
or requesting the URL 'http://yoursite/public/admin/user/user/edit/ids/2?dialog=1' (where 2 is the member's id), triggers the vulnerability: the stored avatar value is rendered in the administrator's page.
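The following is an added example of how the avatar could be validated before it is stored and escaped when it is rendered; it is not the project's own code and does not depend on its framework. The accepted formats (a site-relative upload path of the form /uploads/<8 digits>/<name>.<image extension>, or an absolute http(s) URL ending in an image extension) are assumptions for illustration and should be adjusted to the site's real upload layout. In profile(), the result of validateAvatar() would replace the raw request value, and a null result would be reported with $this->error().

```php
<?php
// Added example, not the project's own code: validate a member-supplied avatar
// before storing it, and escape it when it is rendered into HTML.
// Accepted formats below are an assumption for illustration.

/**
 * Return the avatar value if it is acceptable, '' if it is empty
 * (fall back to the default image), or null if it must be rejected.
 */
function validateAvatar(?string $avatar): ?string
{
    if ($avatar === null || $avatar === '') {
        return '';
    }
    // Reject oversized values and any control characters or NUL bytes outright.
    if (strlen($avatar) > 255 || preg_match('/[\x00-\x1f\x7f]/', $avatar)) {
        return null;
    }
    // Site-relative upload path: /uploads/<date>/<name>.<ext> (assumed layout).
    $relative = '#^/uploads/\d{8}/[A-Za-z0-9_-]+\.(jpe?g|png|gif|webp)$#i';
    if (preg_match($relative, $avatar)) {
        return $avatar;
    }
    // Absolute URL: must parse cleanly, use http(s), carry no query or
    // fragment, and point at an image file.
    if (filter_var($avatar, FILTER_VALIDATE_URL) !== false) {
        $parts = parse_url($avatar);
        $scheme = strtolower($parts['scheme'] ?? '');
        $path = $parts['path'] ?? '';
        if (in_array($scheme, ['http', 'https'], true)
            && !isset($parts['query']) && !isset($parts['fragment'])
            && preg_match('#\.(jpe?g|png|gif|webp)$#i', $path)) {
            return $avatar;
        }
    }
    return null;
}

/**
 * Escape a stored value for use inside an HTML attribute such as <img src="...">.
 * This output-side escaping is needed in the admin template regardless of
 * whether the input was validated when it was saved.
 */
function escapeAttr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample inputs (not taken from the report).
$samples = [
    '/uploads/20240101/a1b2c3.jpg',            // accepted: relative upload path
    'https://cdn.example.com/img/me.png',       // accepted: http(s) image URL
    '" onerror="alert(1)',                      // rejected: attribute breakout attempt
    'javascript:alert(1)',                      // rejected: scheme is not http(s)
    '/uploads/20240101/a1b2c3.jpg?x=<script>',  // rejected: query string on a relative path
];

foreach ($samples as $sample) {
    $checked = validateAvatar($sample);
    if ($checked === null) {
        printf("%-45s => REJECTED\n", $sample);
    } else {
        printf("%-45s => <img src=\"%s\">\n", $sample, escapeAttr($checked));
    }
}
```

The two functions are deliberately separate: validateAvatar() limits what can be stored, and escapeAttr() limits what a stored value can do when it is rendered. Either one alone would have stopped the scenario above, but the output-side escaping is the one that also covers values that were stored before the check existed.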