1. Wide byte injection vulnerability
/phpcms/modules/pay/respond.php, at about line 16
Original code:
$payment = $this->get_by_code($_GET['code']);
Replace with:
$payment = $this->get_by_code(mysql_real_escape_string($_GET['code']));
2. phpcms injection vulnerability
/phpcms/modules/poster/poster.php, at about line 221. After
if ($_GET['group']) {
add
$_GET['group'] = preg_replace('#`#', '', $_GET['group']);
3. phpcms front-end injection leads to arbitrary file reading vulnerability patch
/phpcms/modules/content/down.php
(1) Replace line 17
parse_str($a_k);
with
$a_k = safe_replace($a_k); parse_str($a_k);
(2) Replace line 89
parse_str($a_k);
with
$a_k = safe_replace($a_k); parse_str($a_k);
(3) After line 120
$filename = date('Ymd_his').random(3).'.'.$ext;
add
$fileurl = str_replace(array('<','>'), '',$fileurl);
4. phpcms injection vulnerability
/phpcms/modules/member/index.php, at about line 615
Original code:
$password = isset($_POST['password']) && trim($_POST['password']) ? trim($_POST['password']) : showmessage(L('password_empty'),HTTP_REFERER);
Replaced with:
$password = isset($_POST['password']) && trim($_POST['password']) ? addslashes(urldecode(trim($_POST['password'] ))) : showmessage(L('password_empty'), HTTP_REFERER);
5. PHPCMS V9.6.2 SQL injection vulnerability
(1) phpcms/libs/classes/param.class.php, at about line 109
Original code:
$value = isset($_COOKIE[$var]) ? sys_auth($_COOKIE[$var], 'DECODE') : $default;
is replaced with
$value = isset($_COOKIE[$var])?addslashes(sys_auth($_COOKIE[$var],'DECODE')):$default;
(2) /phpsso_server/phpcms/libs/classes/param.class.php, at about line 108
Original code:
return isset($_COOKIE[$var]) ? sys_auth($_COOKIE[$var], 'DECODE') : $default;
is replaced with
return isset($_COOKIE[$var]) ? addslashes(sys_auth($_COOKIE[$var],'DECODE')) : $default;
6. A logic flaw in phpcms leads to getshell
/phpcms/libs/classes/attachment.class.php, at about line 143. After
function download($field, $value,$watermark = '0',$ext = 'gif|jpg|jpeg|bmp|png', $absurl = '', $basehref = ''){
add
$extArray = explode('|', $ext);
if (!empty($extArray) && is_array($extArray)) {
    foreach ($extArray as $k => $v) {
        // Loop over the extensions; if any one is not allowed, return 0 immediately
        if (!in_array(strtolower($v), array('gif','jpg','jpeg','bmp','png'))) exit('0');
    }
}
This adds a check: if every requested file format is one of 'gif', 'jpg', 'jpeg', 'bmp', 'png', execution continues; otherwise the script exits. The list of formats here can of course be extended as needed.
7. phpcms injection vulnerability
/api/phpsso.php, at about line 128
Original code:
$arr['uid'] = intval($arr['uid']); $phpssouid = $arr['uid'];
Replace with the two statements merged into one:
$phpssouid = intval($arr['uid']);
8. phpcms authkey generation algorithm problem leads to authkey leakage
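Regenerate the key values with the following function, then replace the two parameters in caches/configs/system.php with the new values.
<?php
// Build a $length-character string from the characters in $chars.
function random($length, $chars = '0123456789') {
    $hash = '';
    $max = strlen($chars) - 1;
    for ($i = 0; $i < $length; $i++) {
        $hash .= $chars[mt_rand(0, $max)];
    }
    return $hash;
}
// $chars is the character set, so pass an alphabet, not the key's name.
// Assumed alphabet: ASCII letters and digits.
$chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
echo random(20, $chars).'<br/>'; // new authkey
echo random(32, $chars);         // new phpssoauthkey
exit;
?>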
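A hardened variant of the key regeneration step, as an added example that is not PHPCMS code or the article's own: it draws characters with random_int() instead of mt_rand(), which is not a cryptographically secure generator, and validates each key before it is copied into caches/configs/system.php. It assumes PHP 7 or later on the machine where it is run; the helper names and the alphabet are hypothetical.

```php
<?php
// Added example, not PHPCMS code. Assumes PHP 7+ (random_int, scalar type hints).
// generate_key(), key_space_bits() and check_key() are hypothetical helper names.

// Assumed alphabet: ASCII letters and digits.
const KEY_ALPHABET = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';

// Build a key from $alphabet using the operating system's CSPRNG.
// random_int() is uniform over [0, $max], so no character is favoured.
function generate_key(int $length, string $alphabet = KEY_ALPHABET): string
{
    $max = strlen($alphabet) - 1;
    if ($length < 1 || $max < 1) {
        throw new InvalidArgumentException('need length >= 1 and at least 2 symbols');
    }
    $key = '';
    for ($i = 0; $i < $length; $i++) {
        $key .= $alphabet[random_int(0, $max)];
    }
    return $key;
}

// Upper bound on key entropy in bits: length * log2(distinct symbols).
function key_space_bits(int $length, string $alphabet): float
{
    $distinct = count(array_unique(str_split($alphabet)));
    return $length * log($distinct, 2);
}

// Accept a key only if it has the expected length and stays inside the alphabet.
function check_key(string $key, int $length, string $alphabet = KEY_ALPHABET): bool
{
    return strlen($key) === $length && strspn($key, $alphabet) === $length;
}

// Lengths and labels follow the regeneration script above: 20 and 32 characters.
foreach (array('authkey' => 20, 'phpssoauthkey' => 32) as $name => $length) {
    $key = generate_key($length);
    if (!check_key($key, $length)) {
        fwrite(STDERR, "generated $name failed validation\n"); // STDERR exists under the CLI
        exit(1);
    }
    printf("%s = %s (at most %.1f bits)\n", $name, $key, key_space_bits($length, KEY_ALPHABET));
}
// For comparison: 20 characters from the digits-only default charset of random().
printf("digits only, 20 chars: at most %.1f bits\n", key_space_bits(20, '0123456789'));
```

Run it from the command line so the new values are not served over HTTP, then copy them into caches/configs/system.php.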