文件位置:
/phpcms/libs/classes/attachment.class.php
解决办法(Line 129):
// 修改之前
$phpssouid = $arr['uid'];
改为:
// 修改之后
$phpssouid = intval($arr['uid']);
-
phpcms/libs/classes/attachment.class.php某处逻辑问题导致getshell修复方案
文件位置:
/phpcms/libs/classes/attachment.class.php
解决办法(Line 144):
// 修改之前
function download($field, $value,$watermark = '0',$ext = 'gif|jpg|jpeg|bmp|png', $absurl = '', $basehref = '')
{
global $image_d;
$this->att_db = pc_base::load_model('attachment_model');
$upload_url = pc_base::load_config('system','upload_url');
$this->field = $field;
...
改为:
// 修改之后
function download($field, $value,$watermark = '0',$ext = 'gif|jpg|jpeg|bmp|png', $absurl = '', $basehref = '')
{
// 此处增加类型的判断
if($ext !== 'gif|jpg|jpeg|bmp|png'){
if(!in_array(strtoupper($ext),array('JPG','GIF','BMP','PNG','JPEG'))) exit('附加扩展名必须为gif、jpg、jpeg、bmp、png');
}
global $image_d;
$this->att_db = pc_base::load_model('attachment_model');
$upload_url = pc_base::load_config('system','upload_url');
$this->field = $field;
...
-
phpcms的/phpcms/modules/poster/poster.php 文件中,未对输入参数$_GET['group']进行严格过滤,导致注入漏洞。
文件位置:
/phpcms/modules/poster/poster.php
解决办法(Line 221):
// 修改之前
...
if ($_GET['group']) {
$group = " `".$_GET['group']."`";
$fields = "*, COUNT(".$_GET['group'].") AS num";
$order = " `num` DESC";
}
...
改为:
// 修改之后
...
if ($_GET['group']) {
$_GET['group'] = preg_replace('#`#', '', $_GET['group']);
$group = " `".$_GET['group']."`";
$fields = "*, COUNT(".$_GET['group'].") AS num";
$order = " `num` DESC";
}
...
-
phpcmsv9.5.9以后版本开始默认使用mysqli支持,在\phpcms\modules\pay\respond.php中,因为代码逻辑不够严谨,导致宽字节注入
文件位置:
/phpcms/modules/pay/respond.php
解决办法(Line 16):
// 修改之前
/**
* return_url get形式响应
*/
public function respond_get() {
if ($_GET['code']){
$payment = $this->get_by_code($_GET['code']);
if(!$payment) showmessage(L('payment_failed'));
$cfg = unserialize_config($payment['config']);
...
改为:
// 修改之后
/**
* return_url get形式响应
*/
public function respond_get() {
if ($_GET['code']){
$payment = $this->get_by_code(mysql_real_escape_string($_GET['code']));
if(!$payment) showmessage(L('payment_failed'));
$cfg = unserialize_config($payment['config']);
...
文件路径:/phpcms/modules/content/down.php
修复区域(1),所在位置约17行
$a_k = trim($_GET['a_k']);
if(!isset($a_k)) showmessage(L('illegal_parameters'));
$a_k = sys_auth($a_k, 'DECODE', pc_base::load_config('system','auth_key'));
if(empty($a_k)) showmessage(L('illegal_parameters'));
unset($i,$m,$f);
parse_str($a_k);
if(isset($i)) $i = $id = intval($i);
补丁代码
$a_k = trim($_GET['a_k']);
if(!isset($a_k)) showmessage(L('illegal_parameters'));
$a_k = sys_auth($a_k, 'DECODE', pc_base::load_config('system','auth_key'));
if(empty($a_k)) showmessage(L('illegal_parameters'));
unset($i,$m,$f);
parse_str($a_k);
$a_k = safe_replace($a_k); //此处为修补代码,约第17行
if(isset($i)) $i = $id = intval($i);
修复区域(2),所在位置约89行
源代码
$a_k = trim($_GET['a_k']);
$pc_auth_key = md5(pc_base::load_config('system','auth_key').$_SERVER['HTTP_USER_AGENT'].'down');
$a_k = sys_auth($a_k, 'DECODE', $pc_auth_key);
if(empty($a_k)) showmessage(L('illegal_parameters'));
unset($i,$m,$f,$t,$ip);
parse_str($a_k);
if(isset($i)) $downid = intval($i);
补丁代码
$a_k = trim($_GET['a_k']);
$pc_auth_key = md5(pc_base::load_config('system','auth_key').$_SERVER['HTTP_USER_AGENT'].'down');
$a_k = sys_auth($a_k, 'DECODE', $pc_auth_key);
if(empty($a_k)) showmessage(L('illegal_parameters'));
unset($i,$m,$f,$t,$ip);
parse_str($a_k);
$a_k = safe_replace($a_k);//此处为修补代码,约第89行
if(isset($i)) $downid = intval($i);
修复区域(3),所在位置约120行
源代码
//处理中文文件
if(preg_match("/^([\s\S]*?)([\x81-\xfe][\x40-\xfe])([\s\S]*?)/", $fileurl)) {
$filename = str_replace(array("%5C", "%2F", "%3A"), array("\\", "/", ":"), urlencode($fileurl));
$filename = urldecode(basename($filename));
}
$ext = fileext($filename);
$filename = date('Ymd_his').random(3).'.'.$ext;
file_down($fileurl, $filename);
补丁代码
//处理中文文件
if(preg_match("/^([\s\S]*?)([\x81-\xfe][\x40-\xfe])([\s\S]*?)/", $fileurl)) {
$filename = str_replace(array("%5C", "%2F", "%3A"), array("\\", "/", ":"), urlencode($fileurl));
$filename = urldecode(basename($filename));
}
$ext = fileext($filename);
$filename = date('Ymd_his').random(3).'.'.$ext;
$fileurl = str_replace(array('<','>'), '',$fileurl); //此处为修补代码,约第120行
file_down($fileurl, $filename