dedecms /plus/feedback_ajax.php、/templets/feedback_main.htm、/templets/feedback_edit.htm XSS && SQL Injection Vul

Andrew.Hann發表於2015-05-16

catalog

1. 漏洞描述
2. 漏洞觸發條件
3. 漏洞影響範圍
4. 漏洞程式碼分析
5. 防禦方法
6. 攻防思考

 

1. 漏洞描述

通過該漏洞可以注入惡意程式碼到評論標題裡,網站管理員在後臺管理使用者評論時觸發惡意程式碼,直接危及到網站伺服器安全

Relevant Link:

http://skyhome.cn/dedecms/367.html
http://www.soushaa.com/dedecms/dede_11533.html

 
2. 漏洞觸發條件
3. 漏洞影響範圍
4. 漏洞程式碼分析

/plus/feedback_ajax.php

//儲存評論內容
    if(!empty($fid))
    {
        $row = $dsql->GetOne("Select username,msg from `#@__feedback` where id ='$fid' ");
        $qmsg = '{quote}{title}'.$row['username'].' 的原帖:{/title}{content}'.$row['msg'].'{/content}{/quote}';
        $msg = addslashes($qmsg).$msg;
    }
    $ischeck = ($cfg_feedbackcheck=='Y' ? 0 : 1);
    //未對$title進行有效的XSS過濾
    $arctitle = addslashes($title);
    $inquery = "INSERT INTO `#@__feedback`(`aid`,`typeid`,`username`,`arctitle`,`ip`,`ischeck`,`dtime`, `mid`,`bad`,`good`,`ftype`,`face`,`msg`)
                   VALUES ('$aid','$typeid','$username','$arctitle','$ip','$ischeck','$dtime', '{$cfg_ml->M_ID}','0','0','$feedbacktype','$face','$msg'); ";

/templets/feedback_main.htm

//未進行有效的輸入XSS過濾
<u>{dede:field.arctitle/}</u>

/templets/feedback_edit

//未進行有效的輸入XSS過濾
<?php echo $row['arctitle']; ?>


5. 防禦方法

/plus/feedback_ajax.php

//儲存評論內容
if(!empty($fid))
{
    $row = $dsql->GetOne("Select username,msg from `#@__feedback` where id ='$fid' ");
    $qmsg = '{quote}{title}'.$row['username'].' 的原帖:{/title}{content}'.$row['msg'].'{/content}{/quote}';
    $msg = addslashes($qmsg).$msg;
}
$ischeck = ($cfg_feedbackcheck=='Y' ? 0 : 1);
//未對$title進行有效的XSS過濾
//$arctitle = addslashes($title);
/* 增加XSS防禦邏輯 */
$arctitle = addslashes(HtmlReplace($title));
$typeid = intval($typeid);
$feedbacktype = preg_replace("#[^0-9a-z]#i", "", $feedbacktype);
/* */

/templets/feedback_main.htm

<u>{dede:field.arctitle function=HtmlReplace(@me)/}</u>

/templets/feedback_edit

<?php echo HtmlReplace($row['arctitle']); ?>

Relevant Link:

http://www.111cn.net/wy/Dedecms/55965.htm


6. 攻防思考

Copyright (c) 2015 LittleHann All rights reserved

 

相關文章