Nov 09, 2008 - 12:00 a.m.

DedeCMS patch leaves a low-value vulnerability - Vulnerability Alert - Black Bar Safety Net


Author: Ice Origin [L.S.T] & [0.S.T]

I just saw a post on Little Handsome Guy's blog describing a DedeCMS 0day (http://www.xssor.cn/sa/?action=show&id=5 A 8). It looks like the bug from a few months ago that wrote directly into a file; I don't remember it too clearly, so don't blame me. I happened to have a DedeCMS site at hand, but my tests never succeeded. So I downloaded the latest DedeCMS release and had a look: the official build had already patched it. While testing, though, I found the official fix is not as effective as it looks. Let me recall how the vulnerability arises. member/story_add_content_action.php contains the following code:

Now let's look at how this function actually writes the file. In include\inc_bookfunctions.php:
function WriteBookText($cid,$body)
{
    global $cfg_cmspath,$cfg_basedir;
    // Story text is stored as PHP files under data/textdata/<cid/5000>/bk<cid>.php
    $ipath = $cfg_cmspath."/data/textdata";
    $tpath = ceil($cid/5000);
    if(!is_dir($cfg_basedir.$ipath)) MkdirAll($cfg_basedir.$ipath,$GLOBALS['cfg_dir_purview']);
    if(!is_dir($cfg_basedir.$ipath.'/'.$tpath)) MkdirAll($cfg_basedir.$ipath.'/'.$tpath,$GLOBALS['cfg_dir_purview']);
    $bookfile = $cfg_basedir.$ipath."/{$tpath}/bk{$cid}.php";
    // Guard: an exit() is prepended so the stored text is never executed when the .php file is requested directly
    $body = "<"."?php exit();\r\n".$body."\r\n?".">";
    @$fp = fopen($bookfile,'w');
    // Write the guarded body and close the handle (not shown in the original excerpt, implied by the text)
    @fwrite($fp,$body);
    @fclose($fp);
}
The key line is this one: $body = "<"."?php exit();\r\n".$body."\r\n?".">"; I didn't read the earlier code, but every body is preceded by an exit();, so even if we write a one-line shell, the file content becomes <?php exit();?><?php @eval($_POST[cmd])?>?>, meaning the exit() is reached before the eval() could ever run. That is how the official fix neutralizes one-line webshells. What the developers ignored, however, is PHP's error reporting: what if we add a few stray characters? Write an extra > or some other special character into the body; stripslashes($body) un-escapes it anyway, so the resulting PHP parse error discloses the site's physical path. Here is an example for everyone:
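The defensive point above is that a guard line alone does not make a user-controlled .php file safe: anything in the body that opens or closes a PHP tag is compiled before exit() ever runs, and a compile error is what leaks the path. The following is an added example, not DedeCMS code; the function names legacyWrap, safeWrap, safeUnwrap and compiles, and the base64 storage scheme, are my own. It rebuilds the original wrapping for comparison, shows a wrapping in which the stored body can never contain a PHP tag, and checks both with token_get_all() in TOKEN_PARSE mode, which throws ParseError on invalid code without executing it.

```php
<?php
// Added example (not DedeCMS code): hardening the WriteBookText storage format.
// The original stored "<?php exit();" + body + close tag and relied on exit() running
// first. A body containing an open tag or an unbalanced close tag fails at compile
// time instead, and with display_errors enabled the error message names the file path.
declare(strict_types=1);

// Guard line followed by a newline; everything after it is treated as inline text.
const GUARD = "<?php exit(); ?>\n";

// The file content the original scheme produces (kept only for comparison).
function legacyWrap(string $body): string
{
    return "<" . "?php exit();\r\n" . $body . "\r\n?" . ">";
}

// Hardened wrapper: base64 uses only [A-Za-z0-9+/=], so the stored payload can
// never open a PHP tag regardless of what the user submitted.
function safeWrap(string $body): string
{
    return GUARD . base64_encode($body);
}

// Inverse of safeWrap, used when the chapter text is read back for display.
function safeUnwrap(string $stored): string
{
    if (strncmp($stored, GUARD, strlen(GUARD)) !== 0) {
        throw new RuntimeException('stored text is missing its guard line');
    }
    $decoded = base64_decode(substr($stored, strlen(GUARD)), true);
    if ($decoded === false) {
        throw new RuntimeException('stored text is not valid base64');
    }
    return $decoded;
}

// Compile-check a file body without running it. With TOKEN_PARSE, token_get_all()
// throws ParseError on a syntax error (PHP 7+), the exact condition that leaked the
// path under the old scheme.
function compiles(string $code): bool
{
    try {
        token_get_all($code, TOKEN_PARSE);
        return true;
    } catch (ParseError $e) {
        return false;
    }
}

// Constructed sample body: contains a stray open tag and an unbalanced close tag.
$body = "some chapter text <" . "?php echo 1; ?" . "> trailing ?" . ">";

var_dump(compiles(legacyWrap($body)));           // bool(false): parse error, path disclosure risk
var_dump(compiles(safeWrap($body)));             // bool(true): nothing after the guard is PHP
var_dump(safeUnwrap(safeWrap($body)) === $body); // bool(true): round-trips exactly
```

Two operational notes follow from this. First, the encoding removes the compile-error path entirely, so the guard's exit() becomes a second layer rather than the only one. Second, the disclosure itself depends on display_errors being on for the web SAPI; production installs should turn it off and log errors instead, so that even an unrelated parse error does not echo the installation path to the browser.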

Well, that is the end of the analysis! This is also why our one-liner gets written into the file but simply does nothing! If I have said anything wrong, please correct me!