
Solution to dedecms SESSION variable coverage leading to SQL injection common.inc.php

不言
Release: 2023-03-23 07:30:01


Solution to the SQL injection caused by dedecms SESSION variable overwriting (patch in common.inc.php):

Patch file: /include/common.inc.php

Vulnerability description: In /plus/advancedsearch.php of dedecms, the query string is read directly from $_SESSION[$_SESSION['sqlhash']] as $query and passed into the SQL query. Exploitation requires session.auto_start = 1, i.e. PHP starting the session automatically. The Cloud Shield team has implemented a general unified defense at the variable-registration entry point of dedecms that prohibits incoming variables whose names begin with _SESSION.

Solution to the SQL injection caused by dedecms SESSION variable overwriting (common.inc.php)

1. Search for the following code (line 68):

if( strlen($svar)>0 && preg_match('#^(cfg_|GLOBALS|_GET|_POST|_COOKIE)#',$svar) )

2. Replace line 68 with the following code:

if( strlen($svar)>0 && preg_match('#^(cfg_|GLOBALS|_GET|_POST|_COOKIE|_SESSION)#',$svar) )

Please back up the file before modifying it. Then upload the new /include/common.inc.php and replace the one on the Alibaba Cloud server; this resolves the problem.
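As an added example (not the article's or dedecms's own code), the PHP below models the line-68 check against a constructed request so the effect of adding _SESSION to the prohibited-prefix list can be seen; the function names, the registration loop and the sample request are assumptions made for illustration.

```php
<?php
// Added example, not dedecms code: a minimal model of the variable-registration
// filter patched in /include/common.inc.php. Function names and the sample
// request below are assumptions constructed for illustration.

// Line 68 before the patch: names starting with _SESSION are not refused.
const PATTERN_BEFORE = '#^(cfg_|GLOBALS|_GET|_POST|_COOKIE)#';
// Line 68 after the patch: any name starting with _SESSION is refused.
const PATTERN_AFTER  = '#^(cfg_|GLOBALS|_GET|_POST|_COOKIE|_SESSION)#';

// Mirrors the strlen()/preg_match() test on line 68: true means the request
// variable must be refused before it is registered as a global.
function isForbiddenVarName(string $name, string $pattern): bool
{
    return strlen($name) > 0 && preg_match($pattern, $name) === 1;
}

// Registers request parameters into $globals the way a register_globals-style
// loop does (dedecms writes them into the global scope), skipping every name
// the pattern forbids. Returns the list of refused names.
function registerRequestVars(array $request, string $pattern, array &$globals): array
{
    $refused = [];
    foreach ($request as $name => $value) {
        if (isForbiddenVarName((string) $name, $pattern)) {
            $refused[] = $name;   // dedecms exits with an error here; we only record it
            continue;
        }
        $globals[$name] = $value;
    }
    return $refused;
}

// Constructed sample request: one ordinary parameter plus a parameter whose
// name collides with the $_SESSION superglobal.
$sampleRequest = [
    'keyword'  => 'phpcn',
    '_SESSION' => ['sqlhash' => 'request-controlled value'],
];

// Before the patch nothing is refused, so '_SESSION' lands in the global scope
// and would shadow the real session array read by advancedsearch.php.
$globals = [];
printf("before patch: refused=%s, _SESSION registered=%s\n",
    json_encode(registerRequestVars($sampleRequest, PATTERN_BEFORE, $globals)),
    var_export(isset($globals['_SESSION']), true));

// After the patch the colliding name is refused and never registered.
$globals = [];
printf("after patch:  refused=%s, _SESSION registered=%s\n",
    json_encode(registerRequestVars($sampleRequest, PATTERN_AFTER, $globals)),
    var_export(isset($globals['_SESSION']), true));
```

Note that the patched regex is anchored at the start of the name only, so it is exactly the prefix list on line 68 that decides what is refused; the session data itself is untouched by the patch.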

