catalog
1. 漏洞描述 2. 漏洞觸發條件 3. 漏洞影響範圍 4. 漏洞程式碼分析 5. 防禦方法 6. 攻防思考
1. 漏洞描述
通過該漏洞可以注入惡意程式碼到評論標題裡,網站管理員在後臺管理使用者評論時觸發惡意程式碼,直接危及到網站伺服器安全
Relevant Link:
http://skyhome.cn/dedecms/367.html http://www.soushaa.com/dedecms/dede_11533.html
2. 漏洞觸發條件
3. 漏洞影響範圍
4. 漏洞程式碼分析
/plus/feedback_ajax.php
//儲存評論內容 if(!empty($fid)) { $row = $dsql->GetOne("Select username,msg from `#@__feedback` where id ='$fid' "); $qmsg = '{quote}{title}'.$row['username'].' 的原帖:{/title}{content}'.$row['msg'].'{/content}{/quote}'; $msg = addslashes($qmsg).$msg; } $ischeck = ($cfg_feedbackcheck=='Y' ? 0 : 1); //未對$title進行有效的XSS過濾 $arctitle = addslashes($title); $inquery = "INSERT INTO `#@__feedback`(`aid`,`typeid`,`username`,`arctitle`,`ip`,`ischeck`,`dtime`, `mid`,`bad`,`good`,`ftype`,`face`,`msg`) VALUES ('$aid','$typeid','$username','$arctitle','$ip','$ischeck','$dtime', '{$cfg_ml->M_ID}','0','0','$feedbacktype','$face','$msg'); ";
/templets/feedback_main.htm
//未進行有效的輸入XSS過濾 <u>{dede:field.arctitle/}</u>
/templets/feedback_edit
//未進行有效的輸入XSS過濾 <?php echo $row['arctitle']; ?>
5. 防禦方法
/plus/feedback_ajax.php
//儲存評論內容 if(!empty($fid)) { $row = $dsql->GetOne("Select username,msg from `#@__feedback` where id ='$fid' "); $qmsg = '{quote}{title}'.$row['username'].' 的原帖:{/title}{content}'.$row['msg'].'{/content}{/quote}'; $msg = addslashes($qmsg).$msg; } $ischeck = ($cfg_feedbackcheck=='Y' ? 0 : 1); //未對$title進行有效的XSS過濾 //$arctitle = addslashes($title); /* 增加XSS防禦邏輯 */ $arctitle = addslashes(HtmlReplace($title)); $typeid = intval($typeid); $feedbacktype = preg_replace("#[^0-9a-z]#i", "", $feedbacktype); /* */
/templets/feedback_main.htm
<u>{dede:field.arctitle function=HtmlReplace(@me)/}</u>
/templets/feedback_edit
<?php echo HtmlReplace($row['arctitle']); ?>
Relevant Link:
http://www.111cn.net/wy/Dedecms/55965.htm
6. 攻防思考
Copyright (c) 2015 LittleHann All rights reserved