From 100e734225e6118a5c6b2b39835017e99ea69a55 Mon Sep 17 00:00:00 2001 From: qfdong-github Date: Wed, 19 Aug 2020 17:10:10 +0800 Subject: [PATCH 1/8] Update co_export.php MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 修改220行 为:$mainSql = str_replace('@title@', cn_substr($title, $cfg_title_maxlen), $mainSql); --- src/dede/co_export.php | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/src/dede/co_export.php b/src/dede/co_export.php index bffcdf07..9233f96c 100755 --- a/src/dede/co_export.php +++ b/src/dede/co_export.php @@ -4,7 +4,7 @@ * * @version $Id: co_edit_text.php 1 14:31 2010年7月12日Z tianya $ * @package DedeCMS.Administrator - * @copyright Copyright (c) 2007 - 2020, DesDev, Inc. + * @copyright Copyright (c) 2007 - 2010, DesDev, Inc. * @license http://help.dedecms.com/usersguide/license.html * @link http://www.dedecms.com */ @@ -217,7 +217,8 @@ else $mainSql = str_replace('@sortrank@', $sortrank, $mainSql); $mainSql = str_replace('@pubdate@', $pubdate, $mainSql); $mainSql = str_replace('@senddate@', $senddate, $mainSql); - $mainSql = str_replace('@title@', cn_substr($title, 60), $mainSql); + $mainSql = str_replace('@title@', cn_substr($title, $cfg_title_maxlen), $mainSql); + //$mainSql = str_replace('@title@', cn_substr($title, 60), $mainSql); 原来的语句,采集的文章导出到栏目后标题不全 $addSql = str_replace('@sortrank@', $sortrank, $addSql); $addSql = str_replace('@senddate@', $senddate, $addSql); @@ -303,4 +304,4 @@ else ShowMsg("完成 {$rs}% 导入,继续执行操作...",$gourl,'',500); exit(); } -} \ No newline at end of file +} From ec724f80e570ed45ca4482b48118509f9bccae4b Mon Sep 17 00:00:00 2001 
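Review bot: The replaced line keeps its predecessor as a commented-out statement with the explanation tacked onto the same comment (`//$mainSql = str_replace('@title@', cn_substr($title, 60), $mainSql); 原来的语句,...`); delete the dead code and keep only the reason as a why-comment, e.g. `// truncate at the configured title length instead of a fixed 60 chars so exported titles are not cut short`. `$cfg_title_maxlen` is a site-config global, so this line now relies on the config having been loaded before this point; presumably it is, but an undefined value would be passed through to cn_substr as the length with no error. `$title` still reaches `$mainSql` by plain substitution, which this change does not alter, so whatever escaping it received earlier must still hold for the longer value. The enclosing `else` branch starts outside the hunk.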
From: qfdong-github Date: Wed, 19 Aug 2020 17:14:02 +0800 Subject: [PATCH 2/8] Update co_export.php MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 修改220行 为:$mainSql = str_replace('@title@', cn_substr($title, $cfg_title_maxlen), $mainSql); --- src/dede/co_export.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/dede/co_export.php b/src/dede/co_export.php index 9233f96c..5f2cc6f6 100755 --- a/src/dede/co_export.php +++ b/src/dede/co_export.php @@ -4,7 +4,7 @@ * * @version $Id: co_edit_text.php 1 14:31 2010年7月12日Z tianya $ * @package DedeCMS.Administrator - * @copyright Copyright (c) 2007 - 2010, DesDev, Inc. + * @copyright Copyright (c) 2007 - 2020, DesDev, Inc. * @license http://help.dedecms.com/usersguide/license.html * @link http://www.dedecms.com */ From 9818603e813cd505f8815fc388d9cee9fbfb259f Mon Sep 17 00:00:00 2001 From: qfdong-github Date: Wed, 19 Aug 2020 17:23:51 +0800 Subject: [PATCH 3/8] Add files via upload MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 覆盖2文件 --- src/dede/co_export.php | 4 ++-- src/dede/media_add.php | 7 ++++++- 2 files changed, 8 insertions(+), 3 deletions(-) diff --git a/src/dede/co_export.php b/src/dede/co_export.php index 5f2cc6f6..8ae2149b 100755 --- a/src/dede/co_export.php +++ b/src/dede/co_export.php @@ -4,7 +4,7 @@ * * @version $Id: co_edit_text.php 1 14:31 2010年7月12日Z tianya $ * @package DedeCMS.Administrator - * @copyright Copyright (c) 2007 - 2020, DesDev, Inc. + * @copyright Copyright (c) 2007 - 2010, DesDev, Inc. * @license http://help.dedecms.com/usersguide/license.html * @link http://www.dedecms.com */ @@ -304,4 +304,4 @@ else ShowMsg("完成 {$rs}% 导入,继续执行操作...",$gourl,'',500); exit(); } -} +} \ No newline at end of file diff --git a/src/dede/media_add.php b/src/dede/media_add.php index abf0b01e..515942ca 100755 --- a/src/dede/media_add.php +++ b/src/dede/media_add.php 
@@ -4,7 +4,7 @@ * * @version $Id: media_add.php 2 15:25 2011-6-2 tianya $ * @package DedeCMS.Administrator - * @copyright Copyright (c) 2007 - 2020, DesDev, Inc. + * @copyright Copyright (c) 2007 - 2010, DesDev, Inc. * @license http://help.dedecms.com/usersguide/license.html * @link http://www.dedecms.com */ @@ -67,6 +67,11 @@ if($dopost=="upload") MkdirAll($cfg_basedir.$savePath,777); CloseFtp(); } + /* + dedecms后台文件任意上传漏洞 + 漏洞描述:dedecms早期版本后台存在大量的富文本编辑器,该控件提供了一些文件上传接口,同时dedecms对上传文件的后缀类型未进行严格的限制,这导致了黑客可以上传WEBSHELL,获取网站后台权限。 + */ + if (preg_match('#\.(php|pl|cgi|asp|aspx|jsp|php5|php4|php3|shtm|shtml)[^a-zA-Z0-9]+$#i', trim($filename))) { ShowMsg("你指定的文件名被系统禁止!"); exit(); } $fullfilename = $cfg_basedir.$filename; if($mediatype==1) { From bce548c4ceef76e0c9b15687540e50ceeb10d16f Mon Sep 17 00:00:00 2001 From: qfdong-github Date: Thu, 20 Aug 2020 08:23:34 +0800 Subject: [PATCH 4/8] Add files via upload MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 图片格式校验 --- src/include/uploadsafe.inc.php | 67 ++++++---------------------------- 1 file changed, 12 insertions(+), 55 deletions(-) diff --git a/src/include/uploadsafe.inc.php b/src/include/uploadsafe.inc.php index 2338a012..ccc561ed 100755 --- a/src/include/uploadsafe.inc.php +++ b/src/include/uploadsafe.inc.php 
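Review bot: The added deny-list regex ends in `[^a-zA-Z0-9]+$`, which requires at least one trailing non-alphanumeric character after the extension, so after `trim($filename)` a name that simply ends in one of the listed extensions does not match and is not rejected by this check; if those names are meant to be blocked here the quantifier should be `*`: `if (preg_match('#\.(php|pl|cgi|asp|aspx|jsp|php5|php4|php3|shtm|shtml)[^a-zA-Z0-9]*$#i', trim($filename)))`. A deny-list is also the weaker shape for an upload guard; matching the final extension against an allow-list of the types this form is meant to accept would not need this list to be kept complete. The next line builds `$fullfilename = $cfg_basedir.$filename;`, and where `$filename` is assembled is outside the hunk, so confirm that directory components are restricted there as well. The four-line Chinese comment block describes the historic issue; a one-line English why-comment such as `// reject server-executable extensions before the file is written under $cfg_basedir` is what a reader of this code needs. The enclosing `if($dopost=="upload")` block starts outside the hunk.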
@@ -1,13 +1,4 @@ $_value) ${$_key.'_name'} = $_FILES[$_key]['name']; ${$_key.'_type'} = $_FILES[$_key]['type'] = preg_replace('#[^0-9a-z\./]#i', '', $_FILES[$_key]['type']); ${$_key.'_size'} = $_FILES[$_key]['size'] = preg_replace('#[^0-9]#','',$_FILES[$_key]['size']); - - if (is_array(${$_key.'_name'})) { - if (count(${$_key.'_name'}) > 0) { - foreach (${$_key.'_name'} as $key => $value) { - if (!empty($value) && (preg_match("#\.(".$cfg_not_allowall.")$#i", $value) || !preg_match("#\.#", $value))) { - if(!defined('DEDEADMIN')) - { - exit('Not Admin Upload filetype not allow !'); - } - } - } - } - } else { - if(!empty(${$_key.'_name'}) && (preg_match("#\.(".$cfg_not_allowall.")$#i",${$_key.'_name'}) || !preg_match("#\.#", ${$_key.'_name'})) ) + if(!empty(${$_key.'_name'}) && (preg_match("#\.(".$cfg_not_allowall.")$#i",${$_key.'_name'}) || !preg_match("#\.#", ${$_key.'_name'})) ) + { + if(!defined('DEDEADMIN')) { - if(!defined('DEDEADMIN')) - { - exit('Not Admin Upload filetype not allow !'); - } + exit('Not Admin Upload filetype not allow !'); } } - - if(empty(${$_key.'_size'})) { - ${$_key.'_size'} = @filesize($$_key); + ${$_key.'_size'} = @filesize($$_key); } + $imtypes = array("image/pjpeg", "image/jpeg", "image/gif", "image/png", "image/xpng", "image/wbmp", "image/bmp"); if(in_array(strtolower(trim(${$_key.'_type'})), $imtypes)) { $image_dd = @getimagesize($$_key); if($image_dd == false){ continue; } if (!is_array($image_dd)) { exit('Upload filetype not allow !'); } } $imtypes = array ( 
@@ -75,30 +49,13 @@ foreach($_FILES as $_key=>$_value) "image/xpng", "image/wbmp", "image/bmp" ); - if (is_array(${$_key.'_type'})) { - if (count(${$_key.'_type'}) > 0) { - foreach (${$_key.'_type'} as $key => $value) { - if(in_array(strtolower(trim($value)), $imtypes)) - { - $image_dd = @getimagesize($$_key); - if (!is_array($image_dd)) - { - exit('Upload filetype not allow !'); - } - } - } - } - } else { - if(in_array(strtolower(trim(${$_key.'_type'})), $imtypes)) + if(in_array(strtolower(trim(${$_key.'_type'})), $imtypes)) + { + $image_dd = @getimagesize($$_key); if($image_dd == false){ continue; } + if (!is_array($image_dd)) { - $image_dd = @getimagesize($$_key); - if (!is_array($image_dd)) - { - exit('Upload filetype not allow !'); - } + exit('Upload filetype not allow !'); } } - - } ?> \ No newline at end of file From f2025bb4595f05b6c3022c7f5b493dd4aff43264 Mon Sep 17 00:00:00 2001 From: qfdong-github Date: Thu, 20 Aug 2020 08:25:56 +0800 Subject: [PATCH 5/8] =?UTF-8?q?member=E6=96=87=E4=BB=B6=E5=A4=B9bug?= =?UTF-8?q?=E4=BF=AE=E5=A4=8D?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit member文件夹bug修复 --- src/member/album_add.php | 5 +++-- src/member/article_add.php | 4 ++-- src/member/soft_add.php | 6 ++---- 3 files changed, 7 insertions(+), 8 deletions(-) diff --git a/src/member/album_add.php b/src/member/album_add.php index 34526460..5ca3e71e 100755 --- a/src/member/album_add.php +++ b/src/member/album_add.php @@ -4,7 +4,7 @@ * * @version $Id: album_add.php 1 13:52 2010年7月9日Z tianya $ * @package DedeCMS.Member - * @copyright Copyright (c) 2007 - 2020, DesDev, Inc. + * @copyright Copyright (c) 2007 - 2010, DesDev, Inc. * @license http://help.dedecms.com/usersguide/license.html * @link http://www.dedecms.com */ 
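Review bot: The new `if($image_dd == false){ continue; }` after `@getimagesize($$_key)` inverts the outcome of this check: getimagesize returns false exactly when the file is not a parseable image, and the old code reached `exit('Upload filetype not allow !')` in that case, whereas the new code skips to the next `$_FILES` entry and the following `!is_array($image_dd)` branch can no longer fire (the function returns only an array or false). A file declared with one of the `$imtypes` MIME types but carrying non-image content is therefore accepted by this filter now. Drop the `continue` or make false the rejecting case, `if ($image_dd === false || !is_array($image_dd)) { exit('Upload filetype not allow !'); }`; the preceding hunk of this file adds the same line after its own getimagesize call and needs the same fix. Separately, the removed `is_array(${$_key.'_type'})` and `is_array(${$_key.'_name'})` branches handled `name="field[]"` multi-file inputs; after this change such inputs reach `preg_match` and `strtolower(trim(...))` with an array argument, which warns (or throws a TypeError on PHP 8) instead of validating each entry, so confirm no form in the project uploads arrays.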
@@ -217,7 +217,8 @@ else if($dopost=='save') ShowMsg("无法获得主键,因此无法进行后续操作!","-1"); exit(); } - $description = HtmlReplace($description, -1); + $description = HtmlReplace($description, -1);//2011.06.30 增加html过滤 (by:织梦的鱼) + $mtypesid = intval($mtypesid); //对输入参数mtypesid未进行int整型转义,导致SQL注入的发生。 //保存到主表 $inQuery = "INSERT INTO `#@__archives`(id,typeid,sortrank,flag,ismake,channel,arcrank,click,money,title,shorttitle, color,writer,source,litpic,pubdate,senddate,mid,description,keywords,mtype) diff --git a/src/member/article_add.php b/src/member/article_add.php index 72f23362..5229a6fe 100755 --- a/src/member/article_add.php +++ b/src/member/article_add.php @@ -4,7 +4,7 @@ * * @version $Id: article_add.php 1 8:38 2010年7月9日Z tianya $ * @package DedeCMS.Member - * @copyright Copyright (c) 2007 - 2020, DesDev, Inc. + * @copyright Copyright (c) 2007 - 2010, DesDev, Inc. * @license http://help.dedecms.com/usersguide/license.html * @link http://www.dedecms.com */ @@ -80,7 +80,7 @@ else if($dopost=='save') } } - if (empty($dede_fieldshash) || $dede_fieldshash != md5($dede_addonfields.$cfg_cookie_encode)) + if (empty($dede_fieldshash) || ( $dede_fieldshash != md5($dede_addonfields . $cfg_cookie_encode) && $dede_fieldshash != md5($dede_addonfields . 'anythingelse' . $cfg_cookie_encode)) ) { showMsg('数据校验不对,程序返回', '-1'); exit(); diff --git a/src/member/soft_add.php b/src/member/soft_add.php index 8926aa8d..924974ce 100755 --- a/src/member/soft_add.php +++ b/src/member/soft_add.php 
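Review bot: `$mtypesid = intval($mtypesid);` sits immediately before the INSERT, which is the right spot, but its trailing comment and the `//2011.06.30 增加html过滤 (by:织梦的鱼)` attribution on the line above are changelog entries rather than code comments; the date and author belong in the commit message, and the code should carry a why-comment such as `// force integer before interpolation into the INSERT below`. The other values spliced into `$inQuery` (typeid, sortrank, click, money, pubdate, ...) are not visible in this hunk; if any of them comes from the request without the same cast it needs identical treatment, so the assignments above are worth checking. The enclosing `else if($dopost=='save')` branch and the VALUES part of the statement lie outside the hunk.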
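Review bot: The rewritten condition still compares the submitted `$dede_fieldshash` with `!=`, a loose comparison on hex strings; `!==`, or better `hash_equals()` (PHP 5.6+), is the appropriate check for an integrity token. The second accepted form, `md5($dede_addonfields . 'anythingelse' . $cfg_cookie_encode)`, is unexplained — a comment should name which page generates that variant so a reader knows why two hashes are valid here. A constant-time version: `$expected = md5($dede_addonfields . $cfg_cookie_encode);` / `$expectedAlt = md5($dede_addonfields . 'anythingelse' . $cfg_cookie_encode);` / `if (empty($dede_fieldshash) || (!hash_equals($expected, (string)$dede_fieldshash) && !hash_equals($expectedAlt, (string)$dede_fieldshash)))`. The surrounding `else if($dopost=='save')` branch starts outside the hunk.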
@@ -148,11 +148,10 @@ VALUES ('$arcID','$typeid','$sortrank','$flag','$ismake','$channelid','$arcrank' //软件链接列表 $softurl1 = stripslashes($softurl1); $softurl1 = str_replace(array("{dede:","{/dede:","}"), "#", $softurl1); - $servermsg1 = str_replace(array("{dede:","{/dede:","}"), "#", $servermsg1); $urls = ''; if($softurl1!='') { - $urls .= "{dede:link islocal='1' text='{$servermsg1}'} $softurl1 {/dede:link}\r\n"; + if (preg_match("#}(.*?){/dede:link}{dede:#sim", $servermsg1) != 1) { $urls .= "{dede:link islocal='1' text='{$servermsg1}'} $softurl1 {/dede:link}\r\n"; } } for($i=2; $i<=12; $i++) { @@ -161,7 +160,6 @@ VALUES ('$arcID','$typeid','$sortrank','$flag','$ismake','$channelid','$arcrank' $servermsg = str_replace("'","",stripslashes(${'servermsg'.$i})); $softurl = stripslashes(${'softurl'.$i}); $softurl = str_replace(array("{dede:","{/dede:","}"), "#", $softurl); - $servermsg = str_replace(array("{dede:","{/dede:","}"), "#", $servermsg); if($servermsg=='') { $servermsg = '下载地址'.$i; @@ -198,7 +196,7 @@ VALUES ('$arcID','$typeid','$sortrank','$flag','$ismake','$channelid','$arcrank' $dsql->ExecuteNoneQuery("DELETE FROM `#@__arctiny` WHERE id='$arcID'"); echo $inQuery; exit(); - ShowMsg("把数据保存到数据库附加表 `{$addtable}` 时出错,请把相关信息提交给DedeCMS官方。".str_replace('"','',$gerr),"javascript:;"); + ShowMsg("把数据保存到数据库附加表 `{$addtable}` 时出错,请把相关信息提交给DedeCms官方。".str_replace('"','',$gerr),"javascript:;"); exit(); } From 0cfdafce6a8b368f8210416fe1fbd4e0ffee8d25 Mon Sep 17 00:00:00 2001 From: qfdong-github Date: Thu, 20 Aug 2020 08:28:51 +0800 Subject: [PATCH 6/8] Add files via upload MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit member inc 文件夹 bug 修复 --- src/member/inc/archives_check_edit.php | 4 ++-- src/member/inc/inc_archives_functions.php | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/src/member/inc/archives_check_edit.php b/src/member/inc/archives_check_edit.php index b5b83ecb..95ae9e6d 100755 
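Review bot: Both hunks at `@@ -148,11 +148,10 @@` and `@@ -161,7 +160,6 @@` delete the `str_replace(array("{dede:","{/dede:","}"), "#", ...)` neutralisation of `$servermsg1` and `$servermsg`, while `$servermsg1` is still interpolated into `text='{$servermsg1}'` inside the `{dede:link ...}` tag appended to `$urls`; the replacement `preg_match("#}(.*?){/dede:link}{dede:#sim", $servermsg1) != 1` guard only skips one specific shape, and the second hunk adds no guard at all, so template-tag characters from member input reach the stored tag string again. Keep the two removed lines (applying the `str_replace` immediately before interpolation is sufficient), and if the guard is wanted in addition, put it on separate lines rather than a one-line `if (...) { ... }`. `$servermsg1`'s origin and the loop body that consumes `$servermsg` are outside the hunks. The third hunk changes only message text.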
--- a/src/member/inc/archives_check_edit.php +++ b/src/member/inc/archives_check_edit.php @@ -4,7 +4,7 @@ * * @version $Id: archives_check_edit.php 1 13:52 2010年7月9日Z tianya $ * @package DedeCMS.Member - * @copyright Copyright (c) 2007 - 2020, DesDev, Inc. + * @copyright Copyright (c) 2007 - 2010, DesDev, Inc. * @license http://help.dedecms.com/usersguide/license.html * @link http://www.dedecms.com */ @@ -89,5 +89,5 @@ if($litpic != '') } else { - $litpic =$oldlitpic; + $litpic =$oldlitpic; if (strpos( $litpic, '..') !== false || strpos( $litpic, $cfg_user_dir."/{$userid}/" ) === false) exit('not allowed path!'); } \ No newline at end of file diff --git a/src/member/inc/inc_archives_functions.php b/src/member/inc/inc_archives_functions.php index 3ad4207a..70175e74 100755 --- a/src/member/inc/inc_archives_functions.php +++ b/src/member/inc/inc_archives_functions.php @@ -4,7 +4,7 @@ * * @version $Id: inc_archives_functions.php 1 13:52 2010年7月9日Z tianya $ * @package DedeCMS.Member - * @copyright Copyright (c) 2007 - 2020, DesDev, Inc. + * @copyright Copyright (c) 2007 - 2010, DesDev, Inc. * @license http://help.dedecms.com/usersguide/license.html * @link http://www.dedecms.com */ @@ -236,7 +236,7 @@ function PrintAutoFieldsAdd(&$fieldset, $loadtype='all', $isprint=TRUE) } } if ($isprint) echo "\r\n"; - echo ""; + echo ""; // 增加一个返回 return $addonfieldsname; } From 24b4c9468eb3898f30f207d867c90d3476a78d58 Mon Sep 17 00:00:00 2001 From: qfdong-github Date: Thu, 20 Aug 2020 08:30:03 +0800 Subject: [PATCH 7/8] =?UTF-8?q?=E4=BF=AE=E5=A4=8Dbug?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 修复bug --- src/plus/guestbook/edit.inc.php | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/src/plus/guestbook/edit.inc.php b/src/plus/guestbook/edit.inc.php index 0e957d7a..1be5341e 100755 --- a/src/plus/guestbook/edit.inc.php +++ b/src/plus/guestbook/edit.inc.php 
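Review bot: The added path check tests `strpos( $litpic, $cfg_user_dir."/{$userid}/" ) === false`, i.e. that the member's directory appears somewhere in the string, not that the path starts there; a prefix test, `if (strpos($litpic, '..') !== false || strpos($litpic, $cfg_user_dir."/{$userid}/") !== 0) exit('not allowed path!');`, expresses the intent at the same length. The check is appended to the `$litpic =$oldlitpic;` statement on one line; it should be on its own lines with a comment such as `// old litpic is posted back by the form: keep it inside this member's upload directory`. It guards only the `else` branch — whether the `if($litpic != '')` path (outside the hunk) applies the same restriction cannot be seen here and should be confirmed.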
@@ -2,7 +2,7 @@
 /**
  * @version $Id: edit.inc.php 1 10:06 2010-11-10 tianya $
  * @package DedeCMS.Site
- * @copyright Copyright (c) 2007 - 2020, DesDev, Inc.
+ * @copyright Copyright (c) 2007 - 2010, DesDev, Inc.
  * @license http://help.dedecms.com/usersguide/license.html
  * @link http://www.dedecms.com
  */
@@ -52,6 +52,10 @@ else if($job=='editok')
 }
 }
 $msg = HtmlReplace($msg, -1);
+ /*
+ 漏洞描述:dedecms留言板注入漏洞。
+ */
+ $msg = addslashes($msg);
 $dsql->ExecuteNoneQuery("UPDATE `#@__guestbook` SET `msg`='$msg', `posttime`='".time()."' WHERE id='$id' ");
 ShowMsg("成功更改或回复一条留言!", $GUEST_BOOK_POS);
 exit();

From 332784097a420febedb0d34e8e650857d7296f4d Mon Sep 17 00:00:00 2001
From: qfdong-github
Date: Thu, 20 Aug 2020 08:33:04 +0800
Subject: [PATCH 8/8] Update edit.inc.php

---
 src/plus/guestbook/edit.inc.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/plus/guestbook/edit.inc.php b/src/plus/guestbook/edit.inc.php
index 1be5341e..b612c3b1 100755
--- a/src/plus/guestbook/edit.inc.php
+++ b/src/plus/guestbook/edit.inc.php
@@ -2,7 +2,7 @@
 /**
  * @version $Id: edit.inc.php 1 10:06 2010-11-10 tianya $
  * @package DedeCMS.Site
- * @copyright Copyright (c) 2007 - 2010, DesDev, Inc.
+ * @copyright Copyright (c) 2007 - 2020, DesDev, Inc.
  * @license http://help.dedecms.com/usersguide/license.html
  * @link http://www.dedecms.com
  */
@@ -70,4 +70,4 @@ else
 {
 $row = $dsql->GetOne("SELECT id,title FROM `#@__guestbook` WHERE id='$id'");
 require_once(DEDETEMPLATE.'/plus/guestbook-user.htm');
-}
\ No newline at end of file
+}
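Review bot: `$msg = addslashes($msg);` escapes only `$msg`, while `$id` is interpolated into the same `UPDATE ... WHERE id='$id'` unescaped; unless it is cast earlier in the `editok` branch (outside the hunk), `$id = intval($id);` belongs next to this line. `addslashes` is also not a database-aware escape (it ignores the connection charset), so a driver-level escape or a parameterised query would be the robust form for `$msg`. The four-line comment block above it states in Chinese only that an injection existed; a one-line English why-comment, `// escape before interpolation into the UPDATE below`, serves the next reader better.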