We are using
Affected systems:
PHP PHP <= 5.3
PHP preg_match() function description:
PHP is a widely used general-purpose scripting language that is especially suited to web development and can be embedded into HTML.
PHP applications often pass a value taken from user input to preg_match(). If the value passed is an array instead of a string, a warning is generated, and the warning message contains the full path of the currently running script.
<*Source: David Vieira-Kurz
Link: http://marc.info/?l=bugtraq&m=125415056222332&w=2
*>
PHP preg_match() function test method:
Temporary solution:

    <?php
    if (isset($_GET['page'])) {
        if (is_array($page = $_GET['page'])) {
            // Array input (e.g. ?page[]=): cast it so it never reaches preg_match().
            $casted = (string)$page;
        } else {
            $page = htmlspecialchars($_GET['page'], ENT_QUOTES, 'UTF-8');
            validate_alpha($page);
        }
    }

    // Returns 1 if $page contains only letters, digits, "_" and "-", otherwise 0.
    function validate_alpha($page) {
        return preg_match("/^[A-Za-z0-9_-]+$/", $page);
    }
    ?>

Manufacturer patch:
The manufacturer has not yet provided a patch or upgrade for this issue in the PHP preg_match() function. Users of this software are advised to watch the manufacturer's homepage for the latest version:
http://www.php.net
Example request that passes op as an array, and the warning it produces:
http://localhost/cms/modules/system/admin.php?fct=users&op[]=
Warning: preg_match() expects parameter 2 to be string, array given in /htdocs/cms/include/common.php on line 105
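
A more general form of the is_array() workaround, as an added example that is not part of the original advisory: every request parameter is type-checked before it reaches preg_match(), and warnings are logged instead of displayed. The names get_validated_param() and ALNUM_PATTERN and the sample inputs are hypothetical and constructed for illustration; display_errors and log_errors are standard PHP ini settings.

```php
<?php
// Added example, not code from the advisory. Helper names are hypothetical.

// Keep warnings (and the script path they contain) out of HTTP responses;
// record them in the server-side error log instead.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// \A and \z anchor at the true start and end of the input.
// A plain "$" would also accept a value with a trailing newline.
define('ALNUM_PATTERN', '/\A[A-Za-z0-9_-]+\z/');

/**
 * Return $source[$name] only if it is a string that matches $pattern.
 * Arrays (such as ?op[]=) and missing keys yield null, so preg_match()
 * is never called with a non-string subject and never raises the warning.
 */
function get_validated_param(array $source, $name, $pattern)
{
    if (!isset($source[$name]) || !is_string($source[$name])) {
        return null;
    }
    $value = $source[$name];
    return preg_match($pattern, $value) === 1 ? $value : null;
}

// Constructed sample inputs, shaped like what PHP places in $_GET.
$samples = array(
    'string'  => array('op' => 'edit_user'),               // ?op=edit_user
    'array'   => array('op' => array('')),                 // ?op[]=
    'nested'  => array('op' => array('a' => array('b'))),  // ?op[a][]=b
    'newline' => array('op' => "edit\n"),                  // trailing newline
    'missing' => array(),                                  // parameter absent
);

foreach ($samples as $label => $get) {
    $op = get_validated_param($get, 'op', ALNUM_PATTERN);
    printf("%-8s => %s\n", $label, $op === null ? 'rejected' : "accepted ($op)");
}
```

In an application the helper would be called with $_GET or $_POST as $source, and a null result handled as an invalid request.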