微擎1.5.4任意用户删除漏洞涉及文件:web/source/founder/display.ctrl.php代码权限控制存在漏洞导致攻击者可任意删除用户。修复方法:$founders = explode(',', $_W['config']['setting']['founder']);在以上代码下面 增加如下代码:$identity = uni_permission($_W['uid']);
if ($identity != ACCOUNT_MANAGE_NAME_FOUNDER && $identity != ACCOUNT_MANAGE_NAME_VICE_FOUNDER) {
itoast('非法访问!', referer(), 'error');
}微擎...