@@ -4,7 +4,7 @@ | |||
* | |||
* @version $Id: co_edit_text.php 1 14:31 2010年7月12日Z tianya $ | |||
* @package DedeCMS.Administrator | |||
* @copyright Copyright (c) 2007 - 2020, DesDev, Inc. | |||
* @copyright Copyright (c) 2007 - 2010, DesDev, Inc. | |||
* @license http://help.dedecms.com/usersguide/license.html | |||
* @link http://www.dedecms.com | |||
*/ | |||
@@ -217,7 +217,8 @@ else | |||
$mainSql = str_replace('@sortrank@', $sortrank, $mainSql); | |||
$mainSql = str_replace('@pubdate@', $pubdate, $mainSql); | |||
$mainSql = str_replace('@senddate@', $senddate, $mainSql); | |||
$mainSql = str_replace('@title@', cn_substr($title, 60), $mainSql); | |||
$mainSql = str_replace('@title@', cn_substr($title, $cfg_title_maxlen), $mainSql); | |||
//$mainSql = str_replace('@title@', cn_substr($title, 60), $mainSql); 原来的语句,采集的文章导出到栏目后标题不全 | |||
$addSql = str_replace('@sortrank@', $sortrank, $addSql); | |||
$addSql = str_replace('@senddate@', $senddate, $addSql); | |||
@@ -4,7 +4,7 @@ | |||
* | |||
* @version $Id: media_add.php 2 15:25 2011-6-2 tianya $ | |||
* @package DedeCMS.Administrator | |||
* @copyright Copyright (c) 2007 - 2020, DesDev, Inc. | |||
* @copyright Copyright (c) 2007 - 2010, DesDev, Inc. | |||
* @license http://help.dedecms.com/usersguide/license.html | |||
* @link http://www.dedecms.com | |||
*/ | |||
@@ -67,6 +67,11 @@ if($dopost=="upload") | |||
MkdirAll($cfg_basedir.$savePath,777); | |||
CloseFtp(); | |||
} | |||
/* | |||
dedecms后台文件任意上传漏洞 | |||
漏洞描述:dedecms早期版本后台存在大量的富文本编辑器,该控件提供了一些文件上传接口,同时dedecms对上传文件的后缀类型未进行严格的限制,这导致了黑客可以上传WEBSHELL,获取网站后台权限。 | |||
*/ | |||
if (preg_match('#\.(php|pl|cgi|asp|aspx|jsp|php5|php4|php3|shtm|shtml)[^a-zA-Z0-9]+$#i', trim($filename))) { ShowMsg("你指定的文件名被系统禁止!"); exit(); } | |||
$fullfilename = $cfg_basedir.$filename; | |||
if($mediatype==1) | |||
{ | |||
@@ -1,13 +1,4 @@ | |||
<?php | |||
/** | |||
* 文件上传安全校验方法 | |||
* | |||
* @version $Id: uploadsafe.inc.php 1 15:59 2020年8月19日Z tianya $ | |||
* @package DedeCMS.Libraries | |||
* @copyright Copyright (c) 2007 - 2020, DesDev, Inc. | |||
* @license http://help.dedecms.com/usersguide/license.html | |||
* @link http://www.dedecms.com | |||
*/ | |||
if(!defined('DEDEINC')) exit('Request Error!'); | |||
if(isset($_FILES['GLOBALS'])) exit('Request not allow!'); | |||
@@ -16,9 +7,7 @@ if(isset($_FILES['GLOBALS'])) exit('Request not allow!'); | |||
//这里强制限定的某些文件类型禁止上传 | |||
$cfg_not_allowall = "php|pl|cgi|asp|aspx|jsp|php3|shtm|shtml"; | |||
$keyarr = array('name', 'type', 'tmp_name', 'size'); | |||
if ($GLOBALS['cfg_html_editor']=='ckeditor' && isset($_FILES['upload']) || | |||
$GLOBALS['cfg_html_editor']=='ckeditor4' && isset($_FILES['upload']) | |||
) | |||
if ($GLOBALS['cfg_html_editor']=='ckeditor' && isset($_FILES['upload'])) | |||
{ | |||
$_FILES['imgfile'] = $_FILES['upload']; | |||
$CKUpload = TRUE; | |||
@@ -41,33 +30,18 @@ foreach($_FILES as $_key=>$_value) | |||
${$_key.'_name'} = $_FILES[$_key]['name']; | |||
${$_key.'_type'} = $_FILES[$_key]['type'] = preg_replace('#[^0-9a-z\./]#i', '', $_FILES[$_key]['type']); | |||
${$_key.'_size'} = $_FILES[$_key]['size'] = preg_replace('#[^0-9]#','',$_FILES[$_key]['size']); | |||
if (is_array(${$_key.'_name'})) { | |||
if (count(${$_key.'_name'}) > 0) { | |||
foreach (${$_key.'_name'} as $key => $value) { | |||
if (!empty($value) && (preg_match("#\.(".$cfg_not_allowall.")$#i", $value) || !preg_match("#\.#", $value))) { | |||
if(!defined('DEDEADMIN')) | |||
{ | |||
exit('Not Admin Upload filetype not allow !'); | |||
} | |||
} | |||
} | |||
} | |||
} else { | |||
if(!empty(${$_key.'_name'}) && (preg_match("#\.(".$cfg_not_allowall.")$#i",${$_key.'_name'}) || !preg_match("#\.#", ${$_key.'_name'})) ) | |||
if(!empty(${$_key.'_name'}) && (preg_match("#\.(".$cfg_not_allowall.")$#i",${$_key.'_name'}) || !preg_match("#\.#", ${$_key.'_name'})) ) | |||
{ | |||
if(!defined('DEDEADMIN')) | |||
{ | |||
if(!defined('DEDEADMIN')) | |||
{ | |||
exit('Not Admin Upload filetype not allow !'); | |||
} | |||
exit('Not Admin Upload filetype not allow !'); | |||
} | |||
} | |||
if(empty(${$_key.'_size'})) | |||
{ | |||
${$_key.'_size'} = @filesize($$_key); | |||
${$_key.'_size'} = @filesize($$_key); | |||
} | |||
$imtypes = array("image/pjpeg", "image/jpeg", "image/gif", "image/png", "image/xpng", "image/wbmp", "image/bmp"); if(in_array(strtolower(trim(${$_key.'_type'})), $imtypes)) { $image_dd = @getimagesize($$_key); if($image_dd == false){ continue; } if (!is_array($image_dd)) { exit('Upload filetype not allow !'); } } | |||
$imtypes = array | |||
( | |||
@@ -75,30 +49,13 @@ foreach($_FILES as $_key=>$_value) | |||
"image/xpng", "image/wbmp", "image/bmp" | |||
); | |||
if (is_array(${$_key.'_type'})) { | |||
if (count(${$_key.'_type'}) > 0) { | |||
foreach (${$_key.'_type'} as $key => $value) { | |||
if(in_array(strtolower(trim($value)), $imtypes)) | |||
{ | |||
$image_dd = @getimagesize($$_key); | |||
if (!is_array($image_dd)) | |||
{ | |||
exit('Upload filetype not allow !'); | |||
} | |||
} | |||
} | |||
} | |||
} else { | |||
if(in_array(strtolower(trim(${$_key.'_type'})), $imtypes)) | |||
if(in_array(strtolower(trim(${$_key.'_type'})), $imtypes)) | |||
{ | |||
$image_dd = @getimagesize($$_key); if($image_dd == false){ continue; } | |||
if (!is_array($image_dd)) | |||
{ | |||
$image_dd = @getimagesize($$_key); | |||
if (!is_array($image_dd)) | |||
{ | |||
exit('Upload filetype not allow !'); | |||
} | |||
exit('Upload filetype not allow !'); | |||
} | |||
} | |||
} | |||
?> |
@@ -4,7 +4,7 @@ | |||
* | |||
* @version $Id: album_add.php 1 13:52 2010年7月9日Z tianya $ | |||
* @package DedeCMS.Member | |||
* @copyright Copyright (c) 2007 - 2020, DesDev, Inc. | |||
* @copyright Copyright (c) 2007 - 2010, DesDev, Inc. | |||
* @license http://help.dedecms.com/usersguide/license.html | |||
* @link http://www.dedecms.com | |||
*/ | |||
@@ -217,7 +217,8 @@ else if($dopost=='save') | |||
ShowMsg("无法获得主键,因此无法进行后续操作!","-1"); | |||
exit(); | |||
} | |||
$description = HtmlReplace($description, -1); | |||
$description = HtmlReplace($description, -1);//2011.06.30 增加html过滤 (by:织梦的鱼) | |||
$mtypesid = intval($mtypesid); //对输入参数mtypesid未进行int整型转义,导致SQL注入的发生。 | |||
//保存到主表 | |||
$inQuery = "INSERT INTO `#@__archives`(id,typeid,sortrank,flag,ismake,channel,arcrank,click,money,title,shorttitle, | |||
color,writer,source,litpic,pubdate,senddate,mid,description,keywords,mtype) | |||
@@ -4,7 +4,7 @@ | |||
* | |||
* @version $Id: article_add.php 1 8:38 2010年7月9日Z tianya $ | |||
* @package DedeCMS.Member | |||
* @copyright Copyright (c) 2007 - 2020, DesDev, Inc. | |||
* @copyright Copyright (c) 2007 - 2010, DesDev, Inc. | |||
* @license http://help.dedecms.com/usersguide/license.html | |||
* @link http://www.dedecms.com | |||
*/ | |||
@@ -80,7 +80,7 @@ else if($dopost=='save') | |||
} | |||
} | |||
if (empty($dede_fieldshash) || $dede_fieldshash != md5($dede_addonfields.$cfg_cookie_encode)) | |||
if (empty($dede_fieldshash) || ( $dede_fieldshash != md5($dede_addonfields . $cfg_cookie_encode) && $dede_fieldshash != md5($dede_addonfields . 'anythingelse' . $cfg_cookie_encode)) ) | |||
{ | |||
showMsg('数据校验不对,程序返回', '-1'); | |||
exit(); | |||
@@ -4,7 +4,7 @@ | |||
* | |||
* @version $Id: archives_check_edit.php 1 13:52 2010年7月9日Z tianya $ | |||
* @package DedeCMS.Member | |||
* @copyright Copyright (c) 2007 - 2020, DesDev, Inc. | |||
* @copyright Copyright (c) 2007 - 2010, DesDev, Inc. | |||
* @license http://help.dedecms.com/usersguide/license.html | |||
* @link http://www.dedecms.com | |||
*/ | |||
@@ -89,5 +89,5 @@ if($litpic != '') | |||
} | |||
else | |||
{ | |||
$litpic =$oldlitpic; | |||
$litpic =$oldlitpic; if (strpos( $litpic, '..') !== false || strpos( $litpic, $cfg_user_dir."/{$userid}/" ) === false) exit('not allowed path!'); | |||
} |
@@ -4,7 +4,7 @@ | |||
* | |||
* @version $Id: inc_archives_functions.php 1 13:52 2010年7月9日Z tianya $ | |||
* @package DedeCMS.Member | |||
* @copyright Copyright (c) 2007 - 2020, DesDev, Inc. | |||
* @copyright Copyright (c) 2007 - 2010, DesDev, Inc. | |||
* @license http://help.dedecms.com/usersguide/license.html | |||
* @link http://www.dedecms.com | |||
*/ | |||
@@ -236,7 +236,7 @@ function PrintAutoFieldsAdd(&$fieldset, $loadtype='all', $isprint=TRUE) | |||
} | |||
} | |||
if ($isprint) echo "<input type='hidden' name='dede_addonfields' value=\"".$dede_addonfields."\">\r\n"; | |||
echo "<input type=\"hidden\" name=\"dede_fieldshash\" value=\"".md5($dede_addonfields.$cfg_cookie_encode)."\" />"; | |||
echo "<input type=\"hidden\" name=\"dede_fieldshash\" value=\"".md5($dede_addonfields . 'anythingelse' .$cfg_cookie_encode) ."\" />"; | |||
// 增加一个返回 | |||
return $addonfieldsname; | |||
} | |||
@@ -148,11 +148,10 @@ VALUES ('$arcID','$typeid','$sortrank','$flag','$ismake','$channelid','$arcrank' | |||
//软件链接列表 | |||
$softurl1 = stripslashes($softurl1); | |||
$softurl1 = str_replace(array("{dede:","{/dede:","}"), "#", $softurl1); | |||
$servermsg1 = str_replace(array("{dede:","{/dede:","}"), "#", $servermsg1); | |||
$urls = ''; | |||
if($softurl1!='') | |||
{ | |||
$urls .= "{dede:link islocal='1' text='{$servermsg1}'} $softurl1 {/dede:link}\r\n"; | |||
if (preg_match("#}(.*?){/dede:link}{dede:#sim", $servermsg1) != 1) { $urls .= "{dede:link islocal='1' text='{$servermsg1}'} $softurl1 {/dede:link}\r\n"; } | |||
} | |||
for($i=2; $i<=12; $i++) | |||
{ | |||
@@ -161,7 +160,6 @@ VALUES ('$arcID','$typeid','$sortrank','$flag','$ismake','$channelid','$arcrank' | |||
$servermsg = str_replace("'","",stripslashes(${'servermsg'.$i})); | |||
$softurl = stripslashes(${'softurl'.$i}); | |||
$softurl = str_replace(array("{dede:","{/dede:","}"), "#", $softurl); | |||
$servermsg = str_replace(array("{dede:","{/dede:","}"), "#", $servermsg); | |||
if($servermsg=='') | |||
{ | |||
$servermsg = '下载地址'.$i; | |||
@@ -198,7 +196,7 @@ VALUES ('$arcID','$typeid','$sortrank','$flag','$ismake','$channelid','$arcrank' | |||
$dsql->ExecuteNoneQuery("DELETE FROM `#@__arctiny` WHERE id='$arcID'"); | |||
echo $inQuery; | |||
exit(); | |||
ShowMsg("把数据保存到数据库附加表 `{$addtable}` 时出错,请把相关信息提交给DedeCMS官方。".str_replace('"','',$gerr),"javascript:;"); | |||
ShowMsg("把数据保存到数据库附加表 `{$addtable}` 时出错,请把相关信息提交给DedeCms官方。".str_replace('"','',$gerr),"javascript:;"); | |||
exit(); | |||
} | |||
@@ -52,6 +52,10 @@ else if($job=='editok') | |||
} | |||
} | |||
$msg = HtmlReplace($msg, -1); | |||
/* | |||
漏洞描述:dedecms留言板注入漏洞。 | |||
*/ | |||
$msg = addslashes($msg); | |||
$dsql->ExecuteNoneQuery("UPDATE `#@__guestbook` SET `msg`='$msg', `posttime`='".time()."' WHERE id='$id' "); | |||
ShowMsg("成功更改或回复一条留言!", $GUEST_BOOK_POS); | |||
exit(); | |||
@@ -66,4 +70,4 @@ else | |||
{ | |||
$row = $dsql->GetOne("SELECT id,title FROM `#@__guestbook` WHERE id='$id'"); | |||
require_once(DEDETEMPLATE.'/plus/guestbook-user.htm'); | |||
} | |||
} |