llgoer
GitHub
5 years ago
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
9 changed files with 37 additions and 71 deletions
Split View
Diff Options
-
+3 -2src/dede/co_export.php
-
+6 -1src/dede/media_add.php
-
+12 -55src/include/uploadsafe.inc.php
-
+3 -2src/member/album_add.php
-
+2 -2src/member/article_add.php
-
+2 -2src/member/inc/archives_check_edit.php
-
+2 -2src/member/inc/inc_archives_functions.php
-
+2 -4src/member/soft_add.php
-
+5 -1src/plus/guestbook/edit.inc.php
+ 3
- 2
src/dede/co_export.php
View File
| @@ -4,7 +4,7 @@ | |||
| * | |||
| * @version $Id: co_edit_text.php 1 14:31 2010年7月12日Z tianya $ | |||
| * @package DedeCMS.Administrator | |||
| * @copyright Copyright (c) 2007 - 2020, DesDev, Inc. | |||
| * @copyright Copyright (c) 2007 - 2010, DesDev, Inc. | |||
| * @license http://help.dedecms.com/usersguide/license.html | |||
| * @link http://www.dedecms.com | |||
| */ | |||
| @@ -217,7 +217,8 @@ else | |||
| $mainSql = str_replace('@sortrank@', $sortrank, $mainSql); | |||
| $mainSql = str_replace('@pubdate@', $pubdate, $mainSql); | |||
| $mainSql = str_replace('@senddate@', $senddate, $mainSql); | |||
| $mainSql = str_replace('@title@', cn_substr($title, 60), $mainSql); | |||
| $mainSql = str_replace('@title@', cn_substr($title, $cfg_title_maxlen), $mainSql); | |||
| //$mainSql = str_replace('@title@', cn_substr($title, 60), $mainSql); 原来的语句,采集的文章导出到栏目后标题不全 | |||
| $addSql = str_replace('@sortrank@', $sortrank, $addSql); | |||
| $addSql = str_replace('@senddate@', $senddate, $addSql); | |||
+ 6
- 1
src/dede/media_add.php
View File
| @@ -4,7 +4,7 @@ | |||
| * | |||
| * @version $Id: media_add.php 2 15:25 2011-6-2 tianya $ | |||
| * @package DedeCMS.Administrator | |||
| * @copyright Copyright (c) 2007 - 2020, DesDev, Inc. | |||
| * @copyright Copyright (c) 2007 - 2010, DesDev, Inc. | |||
| * @license http://help.dedecms.com/usersguide/license.html | |||
| * @link http://www.dedecms.com | |||
| */ | |||
| @@ -67,6 +67,11 @@ if($dopost=="upload") | |||
| MkdirAll($cfg_basedir.$savePath,777); | |||
| CloseFtp(); | |||
| } | |||
| /* | |||
| dedecms后台文件任意上传漏洞 | |||
| 漏洞描述:dedecms早期版本后台存在大量的富文本编辑器,该控件提供了一些文件上传接口,同时dedecms对上传文件的后缀类型未进行严格的限制,这导致了黑客可以上传WEBSHELL,获取网站后台权限。 | |||
| */ | |||
| if (preg_match('#\.(php|pl|cgi|asp|aspx|jsp|php5|php4|php3|shtm|shtml)[^a-zA-Z0-9]+$#i', trim($filename))) { ShowMsg("你指定的文件名被系统禁止!"); exit(); } | |||
| $fullfilename = $cfg_basedir.$filename; | |||
| if($mediatype==1) | |||
| { | |||
+ 12
- 55
src/include/uploadsafe.inc.php
View File
| @@ -1,13 +1,4 @@ | |||
| <?php | |||
| /** | |||
| * 文件上传安全校验方法 | |||
| * | |||
| * @version $Id: uploadsafe.inc.php 1 15:59 2020年8月19日Z tianya $ | |||
| * @package DedeCMS.Libraries | |||
| * @copyright Copyright (c) 2007 - 2020, DesDev, Inc. | |||
| * @license http://help.dedecms.com/usersguide/license.html | |||
| * @link http://www.dedecms.com | |||
| */ | |||
| if(!defined('DEDEINC')) exit('Request Error!'); | |||
| if(isset($_FILES['GLOBALS'])) exit('Request not allow!'); | |||
| @@ -16,9 +7,7 @@ if(isset($_FILES['GLOBALS'])) exit('Request not allow!'); | |||
| //这里强制限定的某些文件类型禁止上传 | |||
| $cfg_not_allowall = "php|pl|cgi|asp|aspx|jsp|php3|shtm|shtml"; | |||
| $keyarr = array('name', 'type', 'tmp_name', 'size'); | |||
| if ($GLOBALS['cfg_html_editor']=='ckeditor' && isset($_FILES['upload']) || | |||
| $GLOBALS['cfg_html_editor']=='ckeditor4' && isset($_FILES['upload']) | |||
| ) | |||
| if ($GLOBALS['cfg_html_editor']=='ckeditor' && isset($_FILES['upload'])) | |||
| { | |||
| $_FILES['imgfile'] = $_FILES['upload']; | |||
| $CKUpload = TRUE; | |||
| @@ -41,33 +30,18 @@ foreach($_FILES as $_key=>$_value) | |||
| ${$_key.'_name'} = $_FILES[$_key]['name']; | |||
| ${$_key.'_type'} = $_FILES[$_key]['type'] = preg_replace('#[^0-9a-z\./]#i', '', $_FILES[$_key]['type']); | |||
| ${$_key.'_size'} = $_FILES[$_key]['size'] = preg_replace('#[^0-9]#','',$_FILES[$_key]['size']); | |||
| if (is_array(${$_key.'_name'})) { | |||
| if (count(${$_key.'_name'}) > 0) { | |||
| foreach (${$_key.'_name'} as $key => $value) { | |||
| if (!empty($value) && (preg_match("#\.(".$cfg_not_allowall.")$#i", $value) || !preg_match("#\.#", $value))) { | |||
| if(!defined('DEDEADMIN')) | |||
| { | |||
| exit('Not Admin Upload filetype not allow !'); | |||
| } | |||
| } | |||
| } | |||
| } | |||
| } else { | |||
| if(!empty(${$_key.'_name'}) && (preg_match("#\.(".$cfg_not_allowall.")$#i",${$_key.'_name'}) || !preg_match("#\.#", ${$_key.'_name'})) ) | |||
| if(!empty(${$_key.'_name'}) && (preg_match("#\.(".$cfg_not_allowall.")$#i",${$_key.'_name'}) || !preg_match("#\.#", ${$_key.'_name'})) ) | |||
| { | |||
| if(!defined('DEDEADMIN')) | |||
| { | |||
| if(!defined('DEDEADMIN')) | |||
| { | |||
| exit('Not Admin Upload filetype not allow !'); | |||
| } | |||
| exit('Not Admin Upload filetype not allow !'); | |||
| } | |||
| } | |||
| if(empty(${$_key.'_size'})) | |||
| { | |||
| ${$_key.'_size'} = @filesize($$_key); | |||
| ${$_key.'_size'} = @filesize($$_key); | |||
| } | |||
| $imtypes = array("image/pjpeg", "image/jpeg", "image/gif", "image/png", "image/xpng", "image/wbmp", "image/bmp"); if(in_array(strtolower(trim(${$_key.'_type'})), $imtypes)) { $image_dd = @getimagesize($$_key); if($image_dd == false){ continue; } if (!is_array($image_dd)) { exit('Upload filetype not allow !'); } } | |||
| $imtypes = array | |||
| ( | |||
| @@ -75,30 +49,13 @@ foreach($_FILES as $_key=>$_value) | |||
| "image/xpng", "image/wbmp", "image/bmp" | |||
| ); | |||
| if (is_array(${$_key.'_type'})) { | |||
| if (count(${$_key.'_type'}) > 0) { | |||
| foreach (${$_key.'_type'} as $key => $value) { | |||
| if(in_array(strtolower(trim($value)), $imtypes)) | |||
| { | |||
| $image_dd = @getimagesize($$_key); | |||
| if (!is_array($image_dd)) | |||
| { | |||
| exit('Upload filetype not allow !'); | |||
| } | |||
| } | |||
| } | |||
| } | |||
| } else { | |||
| if(in_array(strtolower(trim(${$_key.'_type'})), $imtypes)) | |||
| if(in_array(strtolower(trim(${$_key.'_type'})), $imtypes)) | |||
| { | |||
| $image_dd = @getimagesize($$_key); if($image_dd == false){ continue; } | |||
| if (!is_array($image_dd)) | |||
| { | |||
| $image_dd = @getimagesize($$_key); | |||
| if (!is_array($image_dd)) | |||
| { | |||
| exit('Upload filetype not allow !'); | |||
| } | |||
| exit('Upload filetype not allow !'); | |||
| } | |||
| } | |||
| } | |||
| ?> | |||
+ 3
- 2
src/member/album_add.php
View File
| @@ -4,7 +4,7 @@ | |||
| * | |||
| * @version $Id: album_add.php 1 13:52 2010年7月9日Z tianya $ | |||
| * @package DedeCMS.Member | |||
| * @copyright Copyright (c) 2007 - 2020, DesDev, Inc. | |||
| * @copyright Copyright (c) 2007 - 2010, DesDev, Inc. | |||
| * @license http://help.dedecms.com/usersguide/license.html | |||
| * @link http://www.dedecms.com | |||
| */ | |||
| @@ -217,7 +217,8 @@ else if($dopost=='save') | |||
| ShowMsg("无法获得主键,因此无法进行后续操作!","-1"); | |||
| exit(); | |||
| } | |||
| $description = HtmlReplace($description, -1); | |||
| $description = HtmlReplace($description, -1);//2011.06.30 增加html过滤 (by:织梦的鱼) | |||
| $mtypesid = intval($mtypesid); //对输入参数mtypesid未进行int整型转义,导致SQL注入的发生。 | |||
| //保存到主表 | |||
| $inQuery = "INSERT INTO `#@__archives`(id,typeid,sortrank,flag,ismake,channel,arcrank,click,money,title,shorttitle, | |||
| color,writer,source,litpic,pubdate,senddate,mid,description,keywords,mtype) | |||
+ 2
- 2
src/member/article_add.php
View File
| @@ -4,7 +4,7 @@ | |||
| * | |||
| * @version $Id: article_add.php 1 8:38 2010年7月9日Z tianya $ | |||
| * @package DedeCMS.Member | |||
| * @copyright Copyright (c) 2007 - 2020, DesDev, Inc. | |||
| * @copyright Copyright (c) 2007 - 2010, DesDev, Inc. | |||
| * @license http://help.dedecms.com/usersguide/license.html | |||
| * @link http://www.dedecms.com | |||
| */ | |||
| @@ -80,7 +80,7 @@ else if($dopost=='save') | |||
| } | |||
| } | |||
| if (empty($dede_fieldshash) || $dede_fieldshash != md5($dede_addonfields.$cfg_cookie_encode)) | |||
| if (empty($dede_fieldshash) || ( $dede_fieldshash != md5($dede_addonfields . $cfg_cookie_encode) && $dede_fieldshash != md5($dede_addonfields . 'anythingelse' . $cfg_cookie_encode)) ) | |||
| { | |||
| showMsg('数据校验不对,程序返回', '-1'); | |||
| exit(); | |||
+ 2
- 2
src/member/inc/archives_check_edit.php
View File
| @@ -4,7 +4,7 @@ | |||
| * | |||
| * @version $Id: archives_check_edit.php 1 13:52 2010年7月9日Z tianya $ | |||
| * @package DedeCMS.Member | |||
| * @copyright Copyright (c) 2007 - 2020, DesDev, Inc. | |||
| * @copyright Copyright (c) 2007 - 2010, DesDev, Inc. | |||
| * @license http://help.dedecms.com/usersguide/license.html | |||
| * @link http://www.dedecms.com | |||
| */ | |||
| @@ -89,5 +89,5 @@ if($litpic != '') | |||
| } | |||
| else | |||
| { | |||
| $litpic =$oldlitpic; | |||
| $litpic =$oldlitpic; if (strpos( $litpic, '..') !== false || strpos( $litpic, $cfg_user_dir."/{$userid}/" ) === false) exit('not allowed path!'); | |||
| } | |||
+ 2
- 2
src/member/inc/inc_archives_functions.php
View File
| @@ -4,7 +4,7 @@ | |||
| * | |||
| * @version $Id: inc_archives_functions.php 1 13:52 2010年7月9日Z tianya $ | |||
| * @package DedeCMS.Member | |||
| * @copyright Copyright (c) 2007 - 2020, DesDev, Inc. | |||
| * @copyright Copyright (c) 2007 - 2010, DesDev, Inc. | |||
| * @license http://help.dedecms.com/usersguide/license.html | |||
| * @link http://www.dedecms.com | |||
| */ | |||
| @@ -236,7 +236,7 @@ function PrintAutoFieldsAdd(&$fieldset, $loadtype='all', $isprint=TRUE) | |||
| } | |||
| } | |||
| if ($isprint) echo "<input type='hidden' name='dede_addonfields' value=\"".$dede_addonfields."\">\r\n"; | |||
| echo "<input type=\"hidden\" name=\"dede_fieldshash\" value=\"".md5($dede_addonfields.$cfg_cookie_encode)."\" />"; | |||
| echo "<input type=\"hidden\" name=\"dede_fieldshash\" value=\"".md5($dede_addonfields . 'anythingelse' .$cfg_cookie_encode) ."\" />"; | |||
| // 增加一个返回 | |||
| return $addonfieldsname; | |||
| } | |||
+ 2
- 4
src/member/soft_add.php
View File
| @@ -148,11 +148,10 @@ VALUES ('$arcID','$typeid','$sortrank','$flag','$ismake','$channelid','$arcrank' | |||
| //软件链接列表 | |||
| $softurl1 = stripslashes($softurl1); | |||
| $softurl1 = str_replace(array("{dede:","{/dede:","}"), "#", $softurl1); | |||
| $servermsg1 = str_replace(array("{dede:","{/dede:","}"), "#", $servermsg1); | |||
| $urls = ''; | |||
| if($softurl1!='') | |||
| { | |||
| $urls .= "{dede:link islocal='1' text='{$servermsg1}'} $softurl1 {/dede:link}\r\n"; | |||
| if (preg_match("#}(.*?){/dede:link}{dede:#sim", $servermsg1) != 1) { $urls .= "{dede:link islocal='1' text='{$servermsg1}'} $softurl1 {/dede:link}\r\n"; } | |||
| } | |||
| for($i=2; $i<=12; $i++) | |||
| { | |||
| @@ -161,7 +160,6 @@ VALUES ('$arcID','$typeid','$sortrank','$flag','$ismake','$channelid','$arcrank' | |||
| $servermsg = str_replace("'","",stripslashes(${'servermsg'.$i})); | |||
| $softurl = stripslashes(${'softurl'.$i}); | |||
| $softurl = str_replace(array("{dede:","{/dede:","}"), "#", $softurl); | |||
| $servermsg = str_replace(array("{dede:","{/dede:","}"), "#", $servermsg); | |||
| if($servermsg=='') | |||
| { | |||
| $servermsg = '下载地址'.$i; | |||
| @@ -198,7 +196,7 @@ VALUES ('$arcID','$typeid','$sortrank','$flag','$ismake','$channelid','$arcrank' | |||
| $dsql->ExecuteNoneQuery("DELETE FROM `#@__arctiny` WHERE id='$arcID'"); | |||
| echo $inQuery; | |||
| exit(); | |||
| ShowMsg("把数据保存到数据库附加表 `{$addtable}` 时出错,请把相关信息提交给DedeCMS官方。".str_replace('"','',$gerr),"javascript:;"); | |||
| ShowMsg("把数据保存到数据库附加表 `{$addtable}` 时出错,请把相关信息提交给DedeCms官方。".str_replace('"','',$gerr),"javascript:;"); | |||
| exit(); | |||
| } | |||
+ 5
- 1
src/plus/guestbook/edit.inc.php
View File
| @@ -52,6 +52,10 @@ else if($job=='editok') | |||
| } | |||
| } | |||
| $msg = HtmlReplace($msg, -1); | |||
| /* | |||
| 漏洞描述:dedecms留言板注入漏洞。 | |||
| */ | |||
| $msg = addslashes($msg); | |||
| $dsql->ExecuteNoneQuery("UPDATE `#@__guestbook` SET `msg`='$msg', `posttime`='".time()."' WHERE id='$id' "); | |||
| ShowMsg("成功更改或回复一条留言!", $GUEST_BOOK_POS); | |||
| exit(); | |||
| @@ -66,4 +70,4 @@ else | |||
| { | |||
| $row = $dsql->GetOne("SELECT id,title FROM `#@__guestbook` WHERE id='$id'"); | |||
| require_once(DEDETEMPLATE.'/plus/guestbook-user.htm'); | |||
| } | |||
| } | |||