用dedecms做了个企业站,阿里云报了很多漏洞。解决方法如下:
1、/member/mtypes.php,注入漏洞。
foreach ($mtypename as $id => $name)
{
$name = HtmlReplace($name);
/*对id进行规范化处理*/
$id = intval($id);
$query = "UPDATE `#@__mtypes` SET mtypename='$name' WHERE mtypeid='$id' AND mid='$cfg_ml->M_ID'";
$dsql->ExecuteNoneQuery($query);
}2、/member/pm.php,注入漏洞。
else if($dopost=='read')
{
$sql = "SELECT * FROM `#@__member_friends` WHERE mid='{$cfg_ml->M_ID}' AND ftype!='-1' ORDER BY addtime DESC LIMIT 20";
$friends = array();
$dsql->SetQuery($sql);
$dsql->Execute();
while ($row = $dsql->GetArray()) {
$friends[] = $row;
}
/*对id规范化处理*/
$id = intval($id);
$row = $dsql->GetOne("SELECT * FROM `#@__member_pms` WHERE id='$id' AND (fromid='{$cfg_ml->M_ID}' OR toid='{$cfg_ml->M_ID}')");
if(!is_array($row))
{
ShowMsgEx('对不起,你指定的消息不存在或你没权限查看!',"", 1);
exit();
}
$dsql->ExecuteNoneQuery("UPDATE `#@__member_pms` SET hasview=1 WHERE id='$id' AND folder='inbox' AND toid='{$cfg_ml->M_ID}'");
$dsql->ExecuteNoneQuery("UPDATE `#@__member_pms` SET hasview=1 WHERE folder='outbox' AND toid='{$cfg_ml->M_ID}'");
include_once(dirname(__FILE__).'/templets/pm-read.htm');
exit();
}3 、/member/article_add.php,cookies泄露导致sql漏洞。
/*cookies泄露导致sql漏洞*/
if (empty($dede_fieldshash) || $dede_fieldshash != md5($dede_addonfields.$cfg_cookie_encode) && $dede_fieldshash !=md5($dede_addonfields.'anythingelse'.$cfg_cookie_encode))
{
ShowMsgEx('数据校验不对', "", 1);
exit();
}4、/member/inc/inc_archives_functions.php,cookies泄露导致sql漏洞
echo "< input type=\"hidden\" name=\"dede_fieldshash\" value=\"".md5($dede_addonfields.$cfg_cookie_encode)."\" />";
替换为:
echo "< input type="\"hidden\"" name="\"dede_fieldshash\"" value="\"".md5($dede_addonfields."wkwkk.com".$cfg_cookie_encode)."\""/>";
批量搜索
$formfields.$cfg_cookie_encode
将
$formfields.$cfg_cookie_encode
替换为
$formfields."dls6.com".$cfg_cookie_encode
5、/plus/guestbook/edit.inc.php,dedecms注入漏洞
$msg = HtmlReplace($msg, -1);
/* 对$msg进行有效过滤 */
$msg = addslashes($msg);
$dsql->ExecuteNoneQuery("UPDATE `#@__guestbook` SET `msg`='$msg', `posttime`='".time()."' WHERE id='$id' ");
ShowMsgEx("成功更改或回复一条留言!", $GUEST_BOOK_POS,1);
exit();6、/member/soft_add.php,dedecms模板sql注入漏洞,154行附近。
if (preg_match("#}(.*?){/dede:link}{dede:#sim", $servermsg1) != 1) {
$urls .= "{dede:link islocal='1' text='{$servermsg1}'} $softurl1 {/dede:link}\r\n";
}替换为
if (preg_match("#}(.*?){/dede:link}{dede:#sim", $servermsg1) != 1) {
$urls .= "{dede:link islocal='1' text='{$servermsg1}'} $softurl1 {/dede:link}\r\n";
}7、/include/dialog/select_soft_post.php,dedecms任意文件上传漏洞,72行附近。
/*文件类型过滤*/
if (preg_match('#\.(php|pl|cgi|asp|aspx|jsp|php5|php4|php3|shtm|shtml)$#i', trim($filename)))
{
ShowMsg("你指定的文件名被系统禁止!",'javascript:;');
exit();
}
$fullfilename = $cfg_basedir.$activepath.'/'.$filename;
$fullfileurl = $activepath.'/'.$filename;8、/include/uploadsafe.inc.php,dedecms上传漏洞。
foreach($_FILES as $_key=>$_value)
{
foreach($keyarr as $k)
{
if(!isset($_FILES[$_key][$k]))
{
exit('Request Error!');
}
}
if( preg_match('#^(cfg_|GLOBALS)#', $_key) )
{
exit('Request var not allow for uploadsafe!');
}
$$_key = $_FILES[$_key]['tmp_name'];
${$_key.'_name'} = $_FILES[$_key]['name'];
${$_key.'_type'} = $_FILES[$_key]['type'] = preg_replace('#[^0-9a-z\./]#i', '', $_FILES[$_key]['type']);
${$_key.'_size'} = $_FILES[$_key]['size'] = preg_replace('#[^0-9]#','',$_FILES[$_key]['size']);
if(!empty(${$_key.'_name'}) && (preg_match("#\.(".$cfg_not_allowall.")$#i",${$_key.'_name'}) || !preg_match("#\.#", ${$_key.'_name'})) )
{
if(!defined('DEDEADMIN'))
{
exit('Not Admin Upload filetype not allow !');
}
}
if(empty(${$_key.'_size'}))
{
${$_key.'_size'} = @filesize($$_key);
}
$imtypes = array
(
"image/pjpeg", "image/jpeg", "image/gif", "image/png",
"image/xpng", "image/wbmp", "image/bmp"
);
if(in_array(strtolower(trim(${$_key.'_type'})), $imtypes))
{
$image_dd = @getimagesize($$_key);
if($image_dd ==false){continue;}
if (!is_array($image_dd))
{
exit('Upload filetype not allow !');
}
}
}9、/include/common.inc.php,SESSION变量覆盖导致sql注入。
foreach(Array('_GET','_POST','_COOKIE') as $_request)
{
foreach($$_request as $_k => $_v)
{
if($_k == 'nvarname') ${$_k} = $_v;
else ${$_k} = _RunMagicQuotes($_v);
}
}替换为
foreach(Array('_GET','_POST','_COOKIE') as $_request)
{
foreach($$_request as $_k => $_v) {
if( strlen($_k)>0 && eregi('^(cfg_|GLOBALS)',$_k) ){
exit('Request var not allow!');
}
${$_k} = _RunMagicQuotes($_v);
}
}10、/include/payment/alipay.php,dedecms支付模块注入漏洞。
阿里云官网有补丁。
<
11、后台 /admin/media_add.php,dedecms后台文件任意上传漏洞。
if (preg_match('#\.(php|pl|cgi|asp|aspx|jsp|php5|php4|php3|shtm|shtml)[^a-zA-Z0-9]+$#i', trim($filename)))
{
ShowMsg("你指定的文件名被系统禁止!",'java script:;');
exit();
}
$fullfilename = $cfg_basedir.$filename;
