用dedecms做了个企业站,阿里云报了很多漏洞。解决方法如下:
1、/member/mtypes.php,注入漏洞。
// Rename the current member's custom types: each key of $mtypename is a
// type id, each value the new name. HtmlReplace() only neutralises HTML
// markup in the name (SQL quoting of request values is the job of the
// _RunMagicQuotes() pass in common.inc.php), while the id is forced to an
// integer before it is interpolated into the statement.
foreach ($mtypename as $id => $name) {
    $name = HtmlReplace($name);
    $id = (int) $id;
    $dsql->ExecuteNoneQuery(
        "UPDATE `#@__mtypes` SET mtypename='$name' WHERE mtypeid='$id' AND mid='$cfg_ml->M_ID'"
    );
}
2、/member/pm.php,注入漏洞。
else if($dopost=='read') { $sql = "SELECT * FROM `#@__member_friends` WHERE mid='{$cfg_ml->M_ID}' AND ftype!='-1' ORDER BY addtime DESC LIMIT 20"; $friends = array(); $dsql->SetQuery($sql); $dsql->Execute(); while ($row = $dsql->GetArray()) { $friends[] = $row; } /*对id规范化处理*/ $id = intval($id); $row = $dsql->GetOne("SELECT * FROM `#@__member_pms` WHERE id='$id' AND (fromid='{$cfg_ml->M_ID}' OR toid='{$cfg_ml->M_ID}')"); if(!is_array($row)) { ShowMsgEx('对不起,你指定的消息不存在或你没权限查看!',"", 1); exit(); } $dsql->ExecuteNoneQuery("UPDATE `#@__member_pms` SET hasview=1 WHERE id='$id' AND folder='inbox' AND toid='{$cfg_ml->M_ID}'"); $dsql->ExecuteNoneQuery("UPDATE `#@__member_pms` SET hasview=1 WHERE folder='outbox' AND toid='{$cfg_ml->M_ID}'"); include_once(dirname(__FILE__).'/templets/pm-read.htm'); exit(); }
3、/member/article_add.php,cookies泄露导致sql漏洞。
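// Reject the submission unless the hidden dede_fieldshash field carries the
// token produced when the form was rendered. The token has to be computed
// exactly as inc_archives_functions.php computes it (same literal appended
// between the field list and $cfg_cookie_encode; item 4 uses "wkwkk.com"),
// and only that value is accepted: also accepting the unsalted
// md5($dede_addonfields.$cfg_cookie_encode), as the pasted version did,
// would leave a leaked $cfg_cookie_encode sufficient to forge the token.
// The digests are compared with !== so that PHP's loose string comparison
// cannot treat two different hex digests as equal (hash_equals() would add
// a constant-time comparison on PHP >= 5.6).
$expectedFieldsHash = md5($dede_addonfields.'wkwkk.com'.$cfg_cookie_encode);
if (empty($dede_fieldshash) || $dede_fieldshash !== $expectedFieldsHash) {
    ShowMsgEx('数据校验不对', "", 1);
    exit();
}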
4、/member/inc/inc_archives_functions.php,cookies泄露导致sql漏洞
/* Pre-patch form of the hidden-field generator: the token is md5 over the
   field list and $cfg_cookie_encode only, so anyone who learns
   $cfg_cookie_encode can compute a valid token. NOTE(review): "< input"
   (with a space) looks like a rendering artifact of "<input" — confirm
   against the actual file before searching for this line. */
echo "< input type=\"hidden\" name=\"dede_fieldshash\" value=\"".md5($dede_addonfields.$cfg_cookie_encode)."\" />";
替换为:
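// Patched generator: an extra literal is mixed into the digest so the token
// can no longer be derived from $cfg_cookie_encode alone. The same literal
// must be used wherever the token is checked (article_add.php, item 3),
// otherwise every submission is rejected. The quoting as originally pasted
// ("type="\"hidden\""…) does not parse in PHP; this is the intended escaped
// form, and it emits a real <input> tag rather than the text "< input".
echo "<input type=\"hidden\" name=\"dede_fieldshash\" value=\"".md5($dede_addonfields."wkwkk.com".$cfg_cookie_encode)."\" />";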
批量搜索(注意:生成哈希处与校验哈希处追加的字符串必须完全一致,否则表单校验会一律失败)
$formfields.$cfg_cookie_encode
将
$formfields.$cfg_cookie_encode
替换为
$formfields."dls6.com".$cfg_cookie_encode
5、/plus/guestbook/edit.inc.php,dedecms注入漏洞
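// Store the edited/replied guestbook message. HtmlReplace(..., -1) is the
// DedeCMS HTML filter; addslashes() then escapes the quotes before $msg is
// interpolated into the SQL string. $id is forced to an integer first so the
// WHERE clause cannot be influenced either — the same id normalisation the
// mtypes.php and pm.php fixes above apply.
$msg = HtmlReplace($msg, -1);
$msg = addslashes($msg);
$id = intval($id);
$dsql->ExecuteNoneQuery("UPDATE `#@__guestbook` SET `msg`='$msg', `posttime`='".time()."' WHERE id='$id' ");
ShowMsgEx("成功更改或回复一条留言!", $GUEST_BOOK_POS, 1);
exit();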
6、/member/soft_add.php,dedecms模板sql注入漏洞,154行附近。
/* Pre-patch form: $servermsg1 (presumably the member-supplied server label)
   is interpolated into a {dede:link} template tag after only a check that it
   does not already contain a "}…{/dede:link}{dede:" sequence, i.e. an
   attempt to close the tag and open another one. */
if (preg_match("#}(.*?){/dede:link}{dede:#sim", $servermsg1) != 1) {
    $urls .= "{dede:link islocal='1' text='{$servermsg1}'} $softurl1 {/dede:link}\r\n";
}
替换为(注:下面一行与上面的原代码完全相同,替换内容似乎在整理时丢失,请对照官方补丁核实)
/* NOTE(review): this "replacement" is byte-for-byte identical to the line
   given above as the original, so the actual patch appears to have been lost
   when the post was assembled; verify the intended change against the
   vendor's soft_add.php before applying it. */
if (preg_match("#}(.*?){/dede:link}{dede:#sim", $servermsg1) != 1) {
    $urls .= "{dede:link islocal='1' text='{$servermsg1}'} $softurl1 {/dede:link}\r\n";
}
7、/include/dialog/select_soft_post.php,dedecms任意文件上传漏洞,72行附近。
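// Deny-list check on the file name before the upload is placed under
// $activepath. Compared with the pasted pattern the extension list also
// covers phtml/pht/phar, and the anchor tolerates trailing non-alphanumeric
// characters ("shell.php." or "shell.php/"); because that trailing class is
// optional ("*"), a plain "shell.php" is still refused. trim() removes
// surrounding whitespace/NUL before the test. NOTE(review): a deny list is
// only as complete as the handlers the web server maps; an allow list of the
// extensions this dialog expects would be the more robust check, and
// $filename is used unchanged in the path, so separators or ".." in it
// need to be rejected by a caller if not here — confirm.
if (preg_match('#\.(php|phtml|pht|phar|pl|cgi|asp|aspx|jsp|php5|php4|php3|shtm|shtml)[^a-zA-Z0-9]*$#i', trim($filename))) {
    ShowMsg("你指定的文件名被系统禁止!", 'javascript:;');
    exit();
}
$fullfilename = $cfg_basedir.$activepath.'/'.$filename;
$fullfileurl = $activepath.'/'.$filename;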
8、/include/uploadsafe.inc.php,dedecms上传漏洞。
/* Normalise every entry of $_FILES into the variables the upload code reads
   ($<field>, $<field>_name, $<field>_type, $<field>_size). */
foreach($_FILES as $_key=>$_value) {
    /* every key listed in $keyarr (defined elsewhere) must be present */
    foreach($keyarr as $k) {
        if(!isset($_FILES[$_key][$k])) { exit('Request Error!'); }
    }
    /* refuse field names that would overwrite config globals through $$_key.
       NOTE(review): only the cfg_/GLOBALS prefixes are excluded; other names
       already in scope here are not — confirm this is sufficient. */
    if( preg_match('#^(cfg_|GLOBALS)#', $_key) ) { exit('Request var not allow for uploadsafe!'); }
    $$_key = $_FILES[$_key]['tmp_name'];
    ${$_key.'_name'} = $_FILES[$_key]['name'];
    /* 'type' is supplied by the client; it is only reduced to [0-9a-z./], not verified */
    ${$_key.'_type'} = $_FILES[$_key]['type'] = preg_replace('#[^0-9a-z\./]#i', '', $_FILES[$_key]['type']);
    ${$_key.'_size'} = $_FILES[$_key]['size'] = preg_replace('#[^0-9]#','',$_FILES[$_key]['size']);
    /* names matching the $cfg_not_allowall deny list (defined elsewhere) or
       without any dot are refused unless running inside the admin area */
    if(!empty(${$_key.'_name'}) && (preg_match("#\.(".$cfg_not_allowall.")$#i",${$_key.'_name'}) || !preg_match("#\.#", ${$_key.'_name'})) ) {
        if(!defined('DEDEADMIN')) { exit('Not Admin Upload filetype not allow !'); }
    }
    if(empty(${$_key.'_size'})) { ${$_key.'_size'} = @filesize($$_key); }
    $imtypes = array ( "image/pjpeg", "image/jpeg", "image/gif", "image/png", "image/xpng", "image/wbmp", "image/bmp" );
    /* NOTE(review): when the client-chosen type claims an image but
       getimagesize() fails, `continue` moves on to the next file without
       refusing this one, so the is_array() exit below can never be reached
       (getimagesize() returns an array or false). Confirm whether skipping
       rather than rejecting such a file is intended. */
    if(in_array(strtolower(trim(${$_key.'_type'})), $imtypes)) {
        $image_dd = @getimagesize($$_key);
        if($image_dd ==false){continue;}
        if (!is_array($image_dd)) { exit('Upload filetype not allow !'); }
    }
}
9、/include/common.inc.php,SESSION变量覆盖导致sql注入。
/* Pre-patch register_globals emulation: every GET/POST/COOKIE key is written
   into the global scope (only 'nvarname' bypasses _RunMagicQuotes()), so a
   request parameter can overwrite any variable, including cfg_* settings
   and $GLOBALS — the overwrite described in item 9. */
foreach(Array('_GET','_POST','_COOKIE') as $_request) {
    foreach($$_request as $_k => $_v) {
        if($_k == 'nvarname') ${$_k} = $_v;
        else ${$_k} = _RunMagicQuotes($_v);
    }
}
替换为
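// Patched register_globals emulation: keys starting with cfg_ or GLOBALS are
// refused before anything is written into the global scope, and every value
// (nvarname included) now goes through _RunMagicQuotes(). The prefix test
// uses preg_match() instead of eregi(): the same case-insensitive match, but
// eregi() was removed in PHP 7, and this is the form uploadsafe.inc.php
// (item 8) already uses. NOTE(review): every other key is still exported as
// a global; confirm no other name in scope at this point can be overwritten.
foreach (array('_GET', '_POST', '_COOKIE') as $_request) {
    foreach ($$_request as $_k => $_v) {
        if (strlen($_k) > 0 && preg_match('#^(cfg_|GLOBALS)#i', $_k)) {
            exit('Request var not allow!');
        }
        ${$_k} = _RunMagicQuotes($_v);
    }
}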
10、/include/payment/alipay.php,dedecms支付模块注入漏洞。
阿里云官网有补丁。
11、后台 /admin/media_add.php,dedecms后台文件任意上传漏洞。
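// Admin-side deny-list check before the media file is written under
// $cfg_basedir. The pasted pattern ends in "[^a-zA-Z0-9]+$", which requires
// at least one trailing non-alphanumeric character and therefore does NOT
// match a plain "x.php"; "*" makes that suffix optional so both "x.php" and
// "x.php." are refused, and the extension list also covers phtml/pht/phar.
// The ShowMsg target is 'javascript:;' as in select_soft_post.php (item 7);
// "java script:;" looks like a paste artifact. NOTE(review): $filename is
// used unchanged in the path, so separators or ".." in it need to be
// rejected by a caller if not here — confirm.
if (preg_match('#\.(php|phtml|pht|phar|pl|cgi|asp|aspx|jsp|php5|php4|php3|shtm|shtml)[^a-zA-Z0-9]*$#i', trim($filename))) {
    ShowMsg("你指定的文件名被系统禁止!", 'javascript:;');
    exit();
}
$fullfilename = $cfg_basedir.$filename;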