Taobao (淘寶) Security Hole? PHP Code Exposed!

By admin, December 13, 2012 6:53 pm

This is so strange when I typed in “18 Mulsanne” in Taobao today and suddenly the result page turns into raw PHP code, it must be a serious security hole somewhere, probably it’s server got hacked. However, consequence searches all return normal result, just wired!

<?php

include "common.inc.php";
include "{$ROOT}/common/base32.inc.php";
$location_url = "/search?";
if ((isset($_SERVER["SCRIPT_NAME"]) && $_SERVER["SCRIPT_NAME"] ===
"/browse/search_auction.htm") || isset($_GET["taoke_from"])
&& $_GET["taoke_from"] === "search_auction") {
    foreach ($_GET as $k => $v) {
        if (!empty($v) && array_key_exists($k, $PARAMS)) {
            if (in_array($k, array('q', 'loc'))) {
                if (isset($_GET["_input_charset"]) && $_GET["_input_charset"]
=== 'utf-8') {
                    $v = urlencode(iconv('UTF-8', 'GBK', $v));
                } else {
                    $v = urlencode($v);
                }
            }
            $location_url .= $k . "=" . trim($v) . "&";
        }
    }
    $location_url = rtrim($location_url, '&');
    header("Location:$location_url");
    exit();
}
if (($_GET["cat"] <> "
...

Leave a Reply